
EU AI Act for SMEs: practical guide for small organizations

By GovCompass.ai · Last verified June 2026 · Aligned with the consolidated EU AI Act, including the 2026 Omnibus amendments.

For SMEs, EU AI Act compliance is manageable but not optional: the Art. 5 prohibitions and Art. 4 literacy apply regardless of size, and SME deployers of high-risk AI carry the full Art. 26 obligations in proportionate form. Micro-enterprises gain administrative simplifications, not exemptions.


Introduction: proportionality is built in

The EU AI Act explicitly acknowledges that a compliance burden designed for large enterprises would be disproportionate for small organizations. Art. 9.5, Art. 17.3, and various other provisions create proportionality requirements: obligations must be implemented in a manner proportionate to the size of the organization and the nature of the AI systems used.

This does not mean SMEs are exempt from the EU AI Act. It means the obligations must be implemented differently: simpler documentation, fewer formal structures, more proportionate governance. This guide explains what proportionate compliance looks like for Dutch SMEs.

Micro-enterprise exceptions

Micro-enterprises (fewer than 10 employees and annual turnover or balance sheet under €2 million) benefit from specific simplifications:

  • Simplified technical documentation: For AI systems they develop (provider role), micro-enterprises may use simplified documentation formats
  • Reduced conformity assessment requirements: Where self-assessment is permitted, simplified procedures apply
  • Lighter governance requirements: Art. 17.3 explicitly allows micro-enterprises to implement the quality management system in a simplified manner

Note: The simplified pathway applies primarily to micro-enterprises in the provider role (building AI systems). Micro-enterprise deployers (using AI systems) benefit from the general proportionality principle but do not have specific deployer-role simplifications beyond proportionate implementation.

SME simplified pathway (Art. 9.5)

For all SMEs (fewer than 250 employees and either under €50 million annual turnover or under €43 million balance sheet total), Art. 9.5 provides that the risk management system required under Art. 9 may be implemented through proportionate, less formal documentation. In practice:

  • A single AI governance document may suffice rather than a full quality management system manual
  • Risk assessments may be integrated into existing operational procedures rather than standalone documents
  • Human oversight arrangements may be documented in existing job descriptions and process maps

What SME deployers must still do

Proportionality reduces formality; it does not eliminate obligations. SME deployers of high-risk AI systems must still:

  • Comply with Art. 5 (no exceptions for SMEs)
  • Ensure Art. 4 AI literacy (proportionate to scale and to each person's role)
  • Verify provider compliance documentation
  • Implement human oversight for high-risk AI
  • Retain the AI system logs under their control (Art. 26.6; at least six months unless other law requires longer)
  • Notify individuals subject to high-risk AI
  • Report serious incidents

Practical SME compliance starting points

  1. One-page AI inventory: List every AI tool in use, even SaaS tools with AI features
  2. Three-question classification check: Is it an AI system? Is any use prohibited? Is any use high-risk?
  3. Supplier email: Write to every high-risk AI vendor requesting their compliance documentation, starting with the instructions for use, since the Art. 26.1 duty to follow those instructions cannot be met without them
  4. One-pager AI policy: Simple document covering: who is responsible for AI governance, what the approval process is for new AI tools, and what the escalation procedure is for AI incidents
  5. Staff briefing: A 30-minute team briefing on EU AI Act basics can satisfy the Art. 4 literacy obligation for SME employees who only use general-purpose AI tools; staff who operate or oversee a high-risk AI system need role-specific training on that system and its instructions for use

Compliance checklist

  1. Is your organization classified as an SME or micro-enterprise under EU definitions?
  2. Have you applied the proportionality principle to your compliance implementation?
  3. Do you have a basic AI inventory (even a simple spreadsheet)?
  4. Have you conducted a high-level classification review for Art. 5 and high-risk?
  5. Have you assigned AI governance responsibility to a named person?
  6. Has your team received basic AI literacy training?
Legal references: Art. 4, Art. 5, Art. 26

More on Accountability

Art. 10 EU AI Act: data and data governance for high-risk AI

Reference

Art. 10 requires that the training, validation, and testing data for high-risk AI systems meets quality criteria: relevant, sufficiently representative, and as free of errors and complete as possible for the intended purpose. It also requires documented data governance practices covering collection, preparation, bias examination, and gap mitigation, and it permits the limited processing of special-category data where strictly necessary to detect and correct bias, under safeguards.

Art. 12 EU AI Act: record-keeping and logging for high-risk AI

Reference

Art. 12 requires high-risk AI systems to technically allow for the automatic recording of events (logs) over their lifetime. The logging must enable traceability of the system's functioning at a level appropriate to its intended purpose, support post-market monitoring, and help identify situations that may lead to risk or substantial modification. It is a design obligation on the provider that makes the system auditable by construction.

Art. 19 EU AI Act: keeping the automatically generated logs

Reference

Art. 19 requires providers of high-risk AI systems to keep the logs that the system automatically generates (under Art. 12) for as long as they control them, for a period appropriate to the intended purpose and at least six months unless other law requires longer. It is the retention counterpart to the Art. 12 logging capability, and it works alongside the deployer retention duty in Art. 26.6.

Art. 26.1 EU AI Act: following provider instructions as a deployer

Reference

Art. 26.1 requires deployers to use high-risk AI systems strictly in accordance with the provider's instructions for use. This means using the system only for its intended purpose, within its specified technical configuration, and by qualified users, and documenting that compliance. Deviating from the instructions, for example by changing the intended purpose or substantially modifying the system, can turn the deployer into a provider under Art. 25, with the full set of provider obligations.