GovCompass
Knowledge base

Simplified pathway for micro-enterprises under the EU AI Act

By Michel Venniker · Aligned with the consolidated EU AI Act, including the 2026 Omnibus amendments.

Micro-enterprises (fewer than 10 employees and turnover up to €2 million) can use a simplified compliance pathway under the EU AI Act, mainly for the provider role: simplified technical documentation (Art. 11.3) and a proportionate quality management system (Art. 17.3). The material obligations (the Art. 5 prohibitions, human oversight, and incident reporting) still apply in full.

Updated: June 2026

Introduction: who qualifies as a micro-enterprise?

The EU AI Act adopts the EU's standard definition of micro-enterprise: fewer than 10 employees and an annual turnover or balance sheet total not exceeding €2 million. This definition is applied at the level of the individual legal entity, not at group level, so a subsidiary of a large corporation that itself meets the thresholds may qualify.

Micro-enterprise status matters because the EU AI Act's most significant simplifications are specifically designed for organisations of this size. Understanding which simplifications apply, and which obligations remain, is essential for proportionate compliance.

Simplifications available to micro-enterprises

Technical documentation (provider role)

For micro-enterprises acting as providers of AI systems (building or significantly modifying AI), Art. 11.3 permits simplified technical documentation. Instead of the full documentation set required by Annex IV, micro-enterprises may use a streamlined format that covers the essential elements while reducing documentation burden by approximately 60–70%.

Quality management system

Art. 17.3 explicitly states that for micro-enterprises, the quality management system required under Art. 17.1 "may be implemented in a proportionate way." In practice, a single AI governance document covering the relevant elements can substitute for a full ISO 9001-style quality management system.

Conformity assessment

Where self-assessment is permitted (most Annex III high-risk AI systems), micro-enterprises can conduct a simplified self-assessment. The assessment must be substantive (it must genuinely evaluate conformity), but the formal documentation requirements are reduced.

What micro-enterprise deployers must still do

The simplifications above primarily benefit micro-enterprises in the provider role. Micro-enterprise deployers still face the full Art. 26 obligation set for high-risk AI systems, with one important qualifier: proportionate implementation.

Proportionate implementation means:

  • Human oversight documentation can be a simple log in a spreadsheet rather than a formal system
  • AI literacy training can be a team discussion rather than a formal training programme
  • Risk assessments can be brief written analyses rather than formal matrices
  • Governance can be a single named person rather than a committee

The non-negotiables

Regardless of enterprise size, these obligations apply in full:

  • Art. 5 prohibitions: no exceptions
  • Art. 4 AI literacy: proportionate but not waivable
  • Human oversight for high-risk AI: proportionate implementation is permitted but the obligation exists
  • Incident reporting: simplified process permitted but the obligation to report serious incidents cannot be waived
  • Individual transparency (Art. 26.7): the right of individuals to know they are subject to high-risk AI applies regardless of enterprise size

Practical steps for micro-enterprise compliance

  1. 30-minute AI inventory: List every AI tool. Be thorough and include SaaS tools with AI features.
  2. One-page classification analysis: Check each tool against Art. 5 and Art. 6. For most micro-enterprises, this reveals that most tools are minimal risk and one or two may be high-risk.
  3. Supplier email to high-risk AI vendors: Request compliance documentation. File the response.
  4. Team briefing: 30–60 minutes covering what AI is, what the EU AI Act requires, and what to do if there's an incident. Document attendance.
  5. One-page AI policy: Who is responsible, what is the approval process for new AI tools, what is the incident escalation procedure.

FAQ

Q: We are a startup of 6 people. Do we really need to comply with the EU AI Act?
A: If you use AI systems (including SaaS tools with AI features) that affect individuals, and particularly if any are high-risk, yes. But the compliance burden at your scale is manageable: a half-day exercise can achieve proportionate compliance for most micro-enterprises that are deployers (rather than providers) of AI.

Q: We are building an AI product. Does the simplified pathway apply to us?
A: Yes, the provider-role simplifications (technical documentation, QMS) apply if you qualify as a micro-enterprise. However, if your AI system will be used in high-risk contexts by your customers, the conformity assessment and declaration of conformity obligations still apply, in simplified form.

More on Accountability

Art. 10 EU AI Act: data and data governance for high-risk AI

Reference

Art. 10 requires that the training, validation, and testing data for high-risk AI systems meets quality criteria: relevant, sufficiently representative, and as free of errors and complete as possible for the intended purpose. It also requires documented data governance practices covering collection, preparation, bias examination, and gap mitigation, and it permits the limited processing of special-category data where strictly necessary to detect and correct bias, under safeguards.

Art. 12 EU AI Act: record-keeping and logging for high-risk AI

Reference

Art. 12 requires high-risk AI systems to technically allow for the automatic recording of events (logs) over their lifetime. The logging must enable traceability of the system's functioning at a level appropriate to its intended purpose, support post-market monitoring, and help identify situations that may lead to risk or substantial modification. It is a design obligation on the provider that makes the system auditable by construction.

Art. 19 EU AI Act: keeping the automatically generated logs

Reference

Art. 19 requires providers of high-risk AI systems to keep the logs that the system automatically generates (under Art. 12) for as long as they control them, for a period appropriate to the intended purpose and at least six months unless other law requires longer. It is the retention counterpart to the Art. 12 logging capability, and it works alongside the deployer retention duty in Art. 26.6.

Art. 26.1 EU AI Act: following provider instructions as a deployer

Reference

Art. 26.1 requires deployers to use high-risk AI systems strictly in accordance with the provider's instructions for use. This means using the system only for its intended purpose, within its specified technical configuration, and by qualified users, and documenting that compliance. Deviating from the instructions can shift liability entirely to the deployer.