GovCompass
Knowledge base
AnalysisAccountability

EU AI Act for SMEs: practical guide for small organisations

By Michel Venniker· · Aligned with the consolidated EU AI Act, including the 2026 Omnibus amendments.

For SMEs, EU AI Act compliance is manageable but not optional: the Art. 5 prohibitions and Art. 4 literacy apply regardless of size, and SME deployers of high-risk AI carry the full Art. 26 obligations in proportionate form. Micro-enterprises gain administrative simplifications, not exemptions.

Updated: June 2026

Introduction: proportionality is built in

The EU AI Act explicitly acknowledges that a compliance burden designed for large enterprises would be disproportionate for small organisations. Art. 9.5, Art. 17.3, and various other provisions create proportionalityproportionalityMatching the weight of governance to the risk of the use case — heavy gates for high stakes, light touch for low stakes — which keeps controls credible and followed.Open full entry → requirements: obligations must be implemented in a manner proportionate to the size of the organisation and the nature of the AI systems used.

This does not mean SMEs are exempt from the EU AI Act. It means the obligations must be implemented differently, simpler documentation, fewer formal structures, more proportionate governance. This guide explains what proportionate compliance looks like for Dutch SMEs.

Micro-enterprise exceptions

Micro-enterprises (fewer than 10 employees and annual turnover or balance sheet under €2 million) benefit from specific simplifications:

  • Simplified technical documentation: For AI systems they develop (providerproviderThe actor who develops an AI system (or has it developed) and places it on the market or into service under its own name — carrying manufacturer-style duties: design controls, documentation, conformity.Open full entry → role), micro-enterprises may use simplified documentation formats
  • Reduced conformity assessmentconformity assessmentThe pre-market process demonstrating a high-risk AI system meets the EU AI Act's requirements, leading to CE marking and registration.Open full entry → requirements: Where self-assessment is permitted, simplified procedures apply
  • Lighter governance requirements: Art. 17.3 explicitly allows micro-enterprises to implement the quality management system in a simplified manner

Note: The simplified pathway applies primarily to micro-enterprises in the provider role (building AI systems). Micro-enterprise deployers (using AI systems) benefit from the general proportionality principle but do not have specific deployerdeployerAn organization using an AI system under its own authority in its activities — carrying operator duties: use per instructions, oversight, input relevance, monitoring, notices.Open full entry →-role simplifications beyond proportionate implementation.

SME simplified pathway (Art. 9.5)

For all SMEs (fewer than 250 employees and under €50 million annual turnover), Art. 9.5 provides that the risk management system required under Art. 9 may be implemented through proportionate, less formal documentation. In practice:

  • A single AI governance document may suffice rather than a full quality management system manual
  • Risk assessments may be integrated into existing operational procedures rather than standalone documents
  • Human oversighthuman oversightDesigned-in human ability to monitor, intervene in, override or shut down an AI system — meaningful only when the human has authority, information and time to act.Open full entry → arrangements may be documented in existing job descriptions and process maps

What SME deployers must still do

Proportionality reduces formality, it does not eliminate obligations. SME deployers of high-risk AI systems must still:

  • Comply with Art. 5 (no exceptions for SMEs)
  • Ensure Art. 4 AI literacyAI literacySufficient understanding of AI's workings, capabilities and risks for one's role — an explicit expectation for provider and deployer staff under the EU AI Act.Open full entry → (proportionate to scale)
  • Verify provider compliance documentation
  • Implement human oversight for high-risk AI
  • Retain AI systemAI systemA machine-based system that, for explicit or implicit objectives, infers from input how to generate outputs — predictions, content, recommendations or decisions — that can influence physical or virtual environments. The OECD-style definition followed by the EU AI Act.Open full entry → logs (6-month minimum)
  • Notify individuals subject to high-risk AI
  • Report serious incidents

Practical SME compliance starting points

  1. One-page AI inventoryAI inventoryA register of all AI systems an organization builds, buys or embeds, with owners and risk tiers — the prerequisite for governing any of them.Open full entry →: List every AI tool in use, even SaaS tools with AI features
  2. Three-question classification check: Is it an AI system? Is any use prohibited? Is any use high-risk?
  3. Supplier email: Write to every high-risk AI vendor requesting their compliance documentation
  4. One-pager AI policy: Simple document covering: who is responsible for AI governance, what the approval process is for new AI tools, and what the escalation procedure is for AI incidents
  5. Staff briefing: A 30-minute team briefing on EU AI Act basics satisfies the Art. 4 literacy obligation for most SME employees

Compliance checklist

  1. Is your organisation classified as an SME or micro-enterprise under EU definitions?
  2. Have you applied the proportionality principle to your compliance implementation?
  3. Do you have a basic AI inventory (even a simple spreadsheet)?
  4. Have you conducted a high-level classification review for Art. 5 and high-risk?
  5. Have you assigned AI governance responsibility to a named person?
  6. Has your team received basic AI literacy training?
Legal referencesArt. 26Art. 5Art. 4

More on Accountability

Art. 10 EU AI Act: data and data governance for high-risk AI

Reference

Art. 10 requires that the training, validation, and testing data for high-risk AI systems meets quality criteria: relevant, sufficiently representative, and as free of errors and complete as possible for the intended purpose. It also requires documented data governance practices covering collection, preparation, bias examination, and gap mitigation, and it permits the limited processing of special-category data where strictly necessary to detect and correct bias, under safeguards.

Art. 12 EU AI Act: record-keeping and logging for high-risk AI

Reference

Art. 12 requires high-risk AI systems to technically allow for the automatic recording of events (logs) over their lifetime. The logging must enable traceability of the system's functioning at a level appropriate to its intended purpose, support post-market monitoring, and help identify situations that may lead to risk or substantial modification. It is a design obligation on the provider that makes the system auditable by construction.

Art. 19 EU AI Act: keeping the automatically generated logs

Reference

Art. 19 requires providers of high-risk AI systems to keep the logs that the system automatically generates (under Art. 12) for as long as they control them, for a period appropriate to the intended purpose and at least six months unless other law requires longer. It is the retention counterpart to the Art. 12 logging capability, and it works alongside the deployer retention duty in Art. 26.6.

Art. 26.1 EU AI Act: following provider instructions as a deployer

Reference

Art. 26.1 requires deployers to use high-risk AI systems strictly in accordance with the provider's instructions for use. This means using the system only for its intended purpose, within its specified technical configuration, and by qualified users, and documenting that compliance. Deviating from the instructions can shift liability entirely to the deployer.