EU AI Act for SMEs: Practical Guide for Small Organisations

Updated: June 2026 — full revision to Validai quality standard

Introduction: Proportionality Is Built In

The EU AI Act explicitly acknowledges that a compliance burden designed for large enterprises would be disproportionate for small organisations. Art. 9.5, Art. 17.3, and various other provisions create proportionality requirements: obligations must be implemented in a manner proportionate to the size of the organisation and the nature of the AI systems used.

This does not mean SMEs are exempt from the EU AI Act. It means the obligations must be implemented differently — simpler documentation, fewer formal structures, more proportionate governance. This guide explains what proportionate compliance looks like for Dutch SMEs.

Micro-Enterprise Exceptions

Micro-enterprises (fewer than 10 employees and annual turnover or balance sheet under €2 million) benefit from specific simplifications:

  • Simplified technical documentation: For AI systems they develop (provider role), micro-enterprises may use simplified documentation formats
  • Reduced conformity assessment requirements: Where self-assessment is permitted, simplified procedures apply
  • Lighter governance requirements: Art. 17.3 explicitly allows micro-enterprises to implement the quality management system in a simplified manner

Note: The simplified pathway applies primarily to micro-enterprises in the provider role (building AI systems). Micro-enterprise deployers (using AI systems) benefit from the general proportionality principle but do not have specific deployer-role simplifications beyond proportionate implementation.

SME Simplified Pathway (Art. 9.5)

For all SMEs (fewer than 250 employees and under €50 million annual turnover), Art. 9.5 provides that the risk management system required under Art. 9 may be implemented through proportionate, less formal documentation. In practice:

  • A single AI governance document may suffice rather than a full quality management system manual
  • Risk assessments may be integrated into existing operational procedures rather than standalone documents
  • Human oversight arrangements may be documented in existing job descriptions and process maps

What SME Deployers Must Still Do

Proportionality reduces formality — it does not eliminate obligations. SME deployers of high-risk AI systems must still:

  • Comply with Art. 5 (no exceptions for SMEs)
  • Ensure Art. 4 AI literacy (proportionate to scale)
  • Verify provider compliance documentation
  • Implement human oversight for high-risk AI
  • Retain AI system logs (6-month minimum)
  • Notify individuals subject to high-risk AI
  • Report serious incidents

Practical SME Compliance Starting Points

  1. One-page AI inventory: List every AI tool in use — even SaaS tools with AI features
  2. Three-question classification check: Is it an AI system? Is any use prohibited? Is any use high-risk?
  3. Supplier email: Write to every high-risk AI vendor requesting their compliance documentation
  4. One-pager AI policy: A simple document covering who is responsible for AI governance, what the approval process is for new AI tools, and what the escalation procedure is for AI incidents
  5. Staff briefing: A 30-minute team briefing on EU AI Act basics satisfies the Art. 4 literacy obligation for most SME employees

Compliance Checklist

  1. Is your organisation classified as an SME or micro-enterprise under EU definitions?
  2. Have you applied the proportionality principle to your compliance implementation?
  3. Do you have a basic AI inventory (even a simple spreadsheet)?
  4. Have you conducted a high-level classification review covering Art. 5 and high-risk use?
  5. Have you assigned AI governance responsibility to a named person?
  6. Has your team received basic AI literacy training?