GovCompass
Knowledge base
Guide

Simplified Pathway for Micro-Enterprises Under the EU AI Act

Updated: June 2026 — full revision to Validai quality standard

Introduction: Who Qualifies as a Micro-Enterprise?

The EU AI Act adopts the EU's standard definition of micro-enterprise: fewer than 10 employees and an annual turnover or balance sheet total not exceeding €2 million. This definition is applied at the level of the individual legal entity, not at group level — so a subsidiary of a large corporation that itself meets the thresholds may qualify.

Micro-enterprise status matters because the EU AI Act's most significant simplifications are specifically designed for organisations of this size. Understanding which simplifications apply — and which obligations remain — is essential for proportionate compliance.

Simplifications Available to Micro-Enterprises

Technical Documentation (Provider Role)

For micro-enterprises acting as providers of AI systems (building or significantly modifying AI), Art. 11.3 permits simplified technical documentation. Instead of the full documentation set required by Annex IV, micro-enterprises may use a streamlined format that covers the essential elements while reducing documentation burden by approximately 60–70%.

Quality Management System

Art. 17.3 explicitly states that for micro-enterprises, the quality management system required under Art. 17.1 "may be implemented in a proportionate way." In practice, a single AI governance document covering the relevant elements can substitute for a full ISO 9001-style quality management system.

Conformity Assessment

Where self-assessment is permitted (most Annex III high-risk AI systems), micro-enterprises can conduct a simplified self-assessment. The assessment must be substantive — it must genuinely evaluate conformity — but the formal documentation requirements are reduced.

What Micro-Enterprise Deployers Must Still Do

The simplifications above primarily benefit micro-enterprises in the provider role. Micro-enterprise deployers still face the full Art. 26 obligation set for high-risk AI systems, with one important qualifier: proportionate implementation.

Proportionate implementation means:

  • Human oversight documentation can be a simple log in a spreadsheet rather than a formal system
  • AI literacy training can be a team discussion rather than a formal training programme
  • Risk assessments can be brief written analyses rather than formal matrices
  • Governance can be a single named person rather than a committee

The Non-Negotiables

Regardless of enterprise size, these obligations apply in full:

  • Art. 5 prohibitions — no exceptions
  • Art. 4 AI literacy — proportionate but not waivable
  • Human oversight for high-risk AI — proportionate implementation is permitted but the obligation exists
  • Incident reporting — simplified process permitted but the obligation to report serious incidents cannot be waived
  • Individual transparency (Art. 26.7) — the right of individuals to know they are subject to high-risk AI applies regardless of enterprise size

Practical Steps for Micro-Enterprise Compliance

  1. 30-minute AI inventory: List every AI tool. Be thorough — include SaaS tools with AI features.
  2. One-page classification analysis: Check each tool against Art. 5 and Art. 6. For most micro-enterprises, this reveals that most tools are minimal risk and one or two may be high-risk.
  3. Supplier email to high-risk AI vendors: Request compliance documentation. File the response.
  4. Team briefing: 30–60 minutes covering what AI is, what the EU AI Act requires, and what to do if there's an incident. Document attendance.
  5. One-page AI policy: Who is responsible, what is the approval process for new AI tools, what is the incident escalation procedure.

FAQ

Q: We are a startup of 6 people. Do we really need to comply with the EU AI Act?
A: If you use AI systems (including SaaS tools with AI features) that affect individuals, and particularly if any are high-risk — yes. But the compliance burden at your scale is manageable: a half-day exercise can achieve proportionate compliance for most micro-enterprises that are deployers (rather than providers) of AI.

Q: We are building an AI product. Does the simplified pathway apply to us?
A: Yes, the provider-role simplifications (technical documentation, QMS) apply if you qualify as a micro-enterprise. However, if your AI system will be used in high-risk contexts by your customers, the conformity assessment and declaration of conformity obligations still apply — in simplified form.