EU AI Act Compliance: Basics and Obligations
EU AI Act compliance: the complete guide for SMEs
The EU AI Act is the world’s first comprehensive law regulating artificial intelligence. In force since August 2024, it takes effect step by step. For small and medium-sized enterprises the question is: what does this mean concretely for us?
This guide gives you a complete overview of EU AI Act compliance, from the basics to practical implementation.
What is the EU AI Act?
The EU AI Act (Regulation EU 2024/1689) is a European regulation that sets binding rules for the development, distribution and use of AI systems. Unlike a directive, the regulation applies directly in all EU member states, including Germany.
The goal: AI should be used safely, transparently and in line with European fundamental rights. The EU AI Act follows a risk-based approach: the higher the risk of an AI system, the stricter the requirements.
Who is affected by the EU AI Act?
The short answer: almost every company that uses AI.
The EU AI Act distinguishes different roles with different obligations.
Providers are companies that develop or substantially modify AI systems and place them on the market under their own name. They carry the most comprehensive obligations: conformity assessment, CE marking, technical documentation, a quality management system.
Deployers are companies that use AI systems under their own responsibility. Most SMEs fall into this category, because they use ready-made tools like ChatGPT, Microsoft Copilot or industry-specific AI solutions. Deployers also have obligations: risk assessment, employee training, ongoing monitoring.
Important: the role is determined per AI system, not per company. You can be a provider for a system you developed yourself and a deployer for purchased solutions at the same time.
The four risk classes of the EU AI Act
The EU AI Act classifies AI systems into four risk classes. This classification determines which requirements you have to meet.
UNACCEPTABLE RISK refers to prohibited AI practices. These include social scoring, manipulative systems, real-time biometric surveillance in public spaces and emotion recognition in the workplace. These systems are banned in the EU.
HIGH-RISK covers AI systems in sensitive areas under Annex III of the EU AI Act. The eight categories are: biometrics, critical infrastructure, education and vocational training, employment and worker management, access to essential services, law enforcement, migration and border control, administration of justice. Comprehensive requirements apply to HIGH-RISK systems.
LIMITED RISK concerns AI systems with transparency obligations. Chatbots must be labelled as AI. Users must know they are interacting with an AI.
MINIMAL RISK covers all other AI systems without specific requirements. Spam filters, recommendation systems, simple automations.
Risk classification at the process level
Many companies ask: is ChatGPT HIGH-RISK or not?
The answer: it depends on what you use it for. The EU AI Act does not classify tools, it classifies applications. Article 6 makes the risk class depend on the “intended purpose”.
That is why I work with the process layer in my framework: asset + area of application = AI process, which leads to a risk class. How that works, I explain in my article on the EU AI Act compliance framework.
The key deadlines
The EU AI Act takes effect in stages.
Since February 2025, the bans on AI systems with unacceptable risk and the obligation for AI literacy under Article 4 apply.
From August 2025, the requirements for general purpose AI models apply.
From August 2026, the full requirements for HIGH-RISK systems apply. That is the decisive deadline for most companies.
The Digital Omnibus proposal could push the HIGH-RISK deadline to December 2027, but that has not been decided yet. You will find the details on the deadline uncertainty in my article EU AI Act deadline: August 2026 or December 2027?
The first step: know what you have
Before you can implement compliance measures, you have to know which AI systems you actually use. The biggest risk here: shadow AI, AI tools that employees use without your knowledge. More on that in my article on shadow AI in the company.
The systematic recording of all AI systems in an AI asset register is the basis of any EU AI Act compliance. Why this has to be a continuous process, I explain in my article AI asset register: why recording once is not enough.
The requirements for HIGH-RISK systems
If you use HIGH-RISK AI systems, comprehensive requirements apply. As a deployer you must, under Article 26 of the EU AI Act, in particular ensure the following: appropriate use in line with the instructions for use, human oversight, relevant input data, continuous monitoring under Article 26(6), employee training under Article 26(5), documentation and retention of the logs, reporting of serious incidents.
From EU AI Act compliance to governance
EU AI Act compliance matters, but it is only the first step. Compliance means: you meet the legal minimum requirements. Governance means: you steer AI strategically and responsibly.
Whoever uses EU AI Act compliance as a catalyst can develop comprehensive AI governance from it. More on that in my article AI compliance matters, but it is only the first step.
Penalties for non-compliance
The EU AI Act provides for substantial penalties. Violations of prohibited AI practices: up to 35 million euros or 7 percent of global annual turnover. Violations of other requirements: up to 15 million euros or 3 percent of turnover. For SMEs the lower thresholds apply in each case, but even those can threaten the company’s existence.
My approach: the 5-phase framework
EU AI Act compliance can feel overwhelming. That is why I developed a structured framework that guides SMEs to compliance step by step.
The framework, named NADOVO, is based on five phases: DISCOVER (record), DEFINE (classify), ASSESS (evaluate), IMPLEMENT (put into practice), MONITOR (monitor). This cycle forms a continuous lifecycle, because compliance is not a project, but a process.
You will find the details on the framework in my article My AI compliance framework.
Conclusion
The EU AI Act changes how companies are allowed to use AI. For SMEs this means new obligations, but also opportunities. Whoever proceeds in a structured way now not only avoids penalties, but also builds trust with customers and partners.
The key points: know your AI systems. Classify at the process level. Start now. Think in processes.
With the right framework, EU AI Act compliance is achievable for SMEs too.
About the author
Jochen Stier is co-founder of NADOVO with over 20 years of experience in process management and IT service management. He helps German SMEs implement the requirements of the EU AI Act systematically and pragmatically. His 5-phase framework NADOVO combines regulatory requirements with practical feasibility, without enterprise budgets or complex tools.
More articles
AI Technology Website Migration and SEO Ranking
Many fear a website migration destroys the Google ranking. That is true - if you do it wrong. What really happens and what matters.
read more ...
AI Technology Maintaining a Website Without an Agency
If you have a business website, you should be able to maintain it yourself. Why that does not work for most people - and how it can be done differently.
read more ...
AI Compliance Why I Built NADOVO
Why a process consultant with 20 years of experience builds his own AI compliance framework and his own platform - and what that has to do with the EU AI Act.
read more ...