EU AI Act for SMEs: a practical governance plan
The EU AI Act is not just a legal problem for large vendors. A practical SME plan for inventory, risk classification, human oversight, transparency, vendor records, and rollout discipline.
Outcome: Create a practical AI governance baseline for an SME using AI tools, automations, or customer-facing systems in the EU.
The EU AI Act can sound like a problem for model labs, banks, medical device companies, and public authorities. That is partly true. The heaviest obligations land on providers of high-risk systems and providers of general-purpose AI models.
But SMEs still need a working governance model. If your company uses AI in hiring, customer service, document processing, sales, support, marketing, software development, or internal decision support, the question is not "are we a regulated AI company?" The question is "which AI systems do we use, what risk do they create, and who is responsible for using them safely?"
This article is a practical governance plan for SMEs. It is not legal advice. It is the operating system you should have before legal review becomes expensive.
Treat AI Act readiness as an operational inventory problem first. If you cannot list your AI systems, vendors, users, data categories, decision impact, and human oversight rules, you are not ready to classify risk or prove responsible use.
The timeline that matters
As of 17 May 2026, the EU AI Act is being applied in phases. The official European Commission timeline says the Act entered into force on 1 August 2024. Prohibited practices and AI literacy obligations started applying from 2 February 2025. Governance rules and general-purpose AI model obligations became applicable on 2 August 2025. Transparency rules apply from 2 August 2026.
The high-risk timeline has been moving because of the Digital Omnibus simplification package. The Commission's current AI Act page says that, following the 7 May 2026 political agreement, rules for systems used in certain high-risk areas such as biometrics, critical infrastructure, education, employment, migration, asylum, and border control apply from 2 December 2027, while high-risk systems embedded into regulated products apply from 2 August 2028.
Use those dates as planning inputs, not as a substitute for legal confirmation. The practical point for SMEs is simpler: start now, because inventory, ownership, documentation, and human oversight take time to build.
Provider, deployer, or buyer?
Most SMEs are not training frontier models. They are usually one of three things:
| Role | What it means | SME example | Practical duty |
| --- | --- | --- | --- |
| Buyer | You buy a tool with AI features | CRM assistant, meeting summarizer, coding assistant | Vendor due diligence and internal use rules |
| Deployer | You put an AI system into use in your business | Support triage, lead scoring, HR screening workflow | Oversight, monitoring, disclosure, records |
| Provider | You place an AI system on the market under your name | AI chatbot product, scoring API, industry tool | Product compliance, technical documentation, risk management |
You can be more than one. A company that buys a model API, wraps it in an industry-specific product, and sells it to customers is likely more than a buyer. A company that uses a SaaS chatbot internally is usually a deployer or user, depending on the use case.
Do not guess this in a meeting. Put every AI system in an inventory and classify the role.
Build the AI inventory
Start with a spreadsheet. Every AI system gets one row:
| Field | Why it matters |
| --- | --- |
| System name | People need a shared label |
| Vendor or owner | Someone must answer questions |
| Business purpose | Risk depends on intended use |
| Users | Internal staff, customers, applicants, public |
| Data categories | Public, internal, personal, confidential, restricted |
| Output use | Draft, recommendation, automated decision, customer-facing answer |
| Human oversight | Who checks it and when |
| Disclosure | Whether people are told they are interacting with AI |
| Logs | What evidence exists after use |
| Risk rating | Low, limited, possible high-risk, prohibited/not allowed |
This inventory is more valuable than a policy document nobody reads. It shows where AI actually exists in the company.
Classify practical risk
Do not start by asking "is this high-risk under Annex III?" Start with operational impact:
Low-risk assistance. Drafting emails, summarizing internal meetings, brainstorming, editing text. Human uses output as a draft. Normal privacy rules apply.
Limited-risk interaction. Chatbots, voice agents, AI-generated media, public text or support responses. Disclosure and user clarity matter.
Decision-support workflows. Lead scoring, support routing, invoice handling, quality review, fraud flags. Human oversight, monitoring, and appeal paths matter.
Potential high-risk areas. Employment, education, credit, essential services, healthcare, law enforcement, migration, critical infrastructure, biometric categorization. Legal review required before deployment.
Not allowed without explicit legal/security approval. Emotion inference in sensitive contexts, manipulative systems, social scoring, workplace surveillance patterns, or systems that could materially affect rights without proper safeguards.
This is not a final legal classification. It is the triage that tells you where expert review is needed.
Minimum SME governance controls
For each non-trivial AI system, require six controls:
- Owner. One named person or team accountable for the system.
- Use boundary. What the system may and may not be used for.
- Data rule. What data can enter the system.
- Human oversight. Which outputs need review before action.
- Monitoring. How errors, complaints, drift, and vendor changes are noticed.
- Record. What evidence is kept: vendor docs, prompts, settings, approvals, logs, test results.
These controls are boring. That is why they work. AI incidents usually start with nobody owning the workflow, nobody knowing what data went in, and nobody being able to reconstruct why an output was used.
Vendor due diligence
For vendor tools, ask for evidence rather than promises:
- Is customer data used for training by default?
- Where is data processed and stored?
- What retention controls exist?
- Are enterprise settings available for training opt-out, logging, SSO, and access control?
- Does the vendor provide AI Act, GDPR, security, and subprocessor documentation?
- Can the AI feature be disabled or scoped?
- Does the vendor disclose model providers and major architecture changes?
- What happens if the vendor changes model, prompt, or retrieval behavior?
If a vendor cannot answer these questions for a tool that will process customer, employee, or confidential data, keep the use case low-risk or choose another tool.
Disclosure and human oversight
For customer-facing AI, disclosure should be simple and visible. If a customer is talking to an AI chatbot or voice agent, say so. If AI-generated text is sent by a person after review, internal policy should decide whether disclosure is needed for that channel.
Human oversight must be specific. "A human is in the loop" is not enough. Define:
- What output the human sees.
- What source evidence they can inspect.
- Whether they can override or reject.
- How much time they have.
- Whether approval is logged.
- What happens when the human disagrees with the system.
Oversight without authority is theatre. If the human cannot stop the action, that is not meaningful oversight.
A 30-day SME rollout
Week 1: Inventory. List every AI tool and workflow. Include unsanctioned tools people actually use.
Week 2: Risk triage. Classify low, limited, decision-support, possible high-risk, or not allowed. Escalate possible high-risk.
Week 3: Controls. Add owner, data rule, oversight rule, disclosure rule, logging rule, and vendor evidence for each active system.
Week 4: Policy and training. Publish a short internal AI use policy and run a 45-minute team session. Focus on practical examples, not legal theory.
This is enough to move from ad hoc AI use to governed AI use.
Do not do this yet
Do not buy a compliance platform before you have an inventory. It will automate confusion.
Do not let every department write its own AI policy. Centralize the baseline, then allow department-specific rules.
Do not treat vendor terms as governance. A vendor contract does not tell your sales team what they may paste into a model.
Do not wait for perfect regulatory certainty. Timelines and guidance can move, but inventory, ownership, data rules, oversight, and logging will still be needed.
The takeaway
AI Act readiness for SMEs is not a panic project. It is a governance habit.
Start with the inventory. Classify risk by use case. Keep humans responsible for meaningful decisions. Require vendor evidence. Document the controls. Escalate employment, credit, health, education, essential services, biometric, and rights-impacting uses before launch.
If you do that, you will be ahead of most companies. More importantly, your AI systems will be easier to understand, safer to operate, and more credible with customers.