Skip to content
Klarvo
Start free

EU AI Act · SMEs

The EU AI Act for SMEs — what's different, what isn't

The EU AI Act applies regardless of company size — and that's the first thing most SME owners don't know. The good news: the SME-protective design choices are real, and the practical compliance work is far smaller than the 458-page regulation suggests.

The three things SMEs need to know

1. The Act has no size threshold

Article 2 (scope) doesn't carve out small businesses. If you put an AI system on the market or into use in the EU — or it affects people in the EU — you're in scope. A 10-person SaaS with an AI chatbot has the same Article 50 obligation as a Fortune 500.

2. SMEs get a cheaper penalty ceiling

The Article 99 fine bands are stated as "the higher of €X million or Y% of global turnover." Article 99(6) flips the rule for SMEs: the cap is the lower of the two. For a small business, the practical ceiling is the euro figure, not a percentage of turnover.

Breach type SME cap Large-enterprise cap
Prohibited (Article 5) Up to €35M Higher of €35M / 7% turnover
Other (incl. Article 50) Up to €15M Higher of €15M / 3% turnover

3. Sandbox priority + simpler guidance

Member States must give SMEs priority access to AI regulatory sandboxes — controlled environments where you can test high-risk AI under supervision before deployment. The European AI Office and Member State authorities are also obliged to provide SME-tailored guidance and free training materials.

Where most SMEs actually land

Across hundreds of classifications, the SME pattern is consistent:

  • ~70% of systems are limited-risk — Article 50 transparency only. A short disclosure on a chatbot or AI-generated content marking.
  • ~20% are minimal-risk — no AI-Act-specific obligations. Article 4 staff literacy applies, GDPR still applies.
  • ~8% are high-risk (Annex III) — usually a recruitment AI, a credit-scoring AI, or an AI used in essential services. Deployer obligations apply; provider obligations sit with the vendor.
  • ~2% trigger Article 5 — rare, usually emotion recognition in the workplace or biometric categorisation by protected characteristic.

The actionable bit. If 70% of your systems just need a one-line disclosure, the real work isn't reading the regulation — it's listing the systems and writing the disclosures. Klarvo's free tier does the first system in 10 minutes and drafts the disclosure for you.

What to do this quarter

  1. Inventory — list every AI system or vendor tool with AI features.
  2. Classify — run each through KlarvoEngine, or do it manually using the free tools and the explainer pages on this site.
  3. For limited-risk — implement the Article 50 disclosure. Screenshot the live version. Done.
  4. For high-risk — name a human-oversight owner per system. Capture the vendor's instructions for use. Decide if you need a FRIA (Article 27 — public bodies and credit/insurance scoring deployers only).
  5. For Article 4 — document basic AI literacy across your team. Even a 30-minute team session with a written summary counts.

What you can safely deprioritise

  • Reading the full text of the regulation. 458 pages of legalese, almost none of which matters in your day-to-day. The Klarvo explainer pages summarise the parts you need.
  • Big-vendor "AI governance platforms." Most are enterprise-priced and assume an internal compliance team. The wedge for SMEs is buyable, self-serve software.
  • Five-figure consultant retainers. Consultants are useful for genuinely novel edge cases, not for a chatbot disclosure.

The honest SME view of the Act

The Act is a serious piece of legislation, and the compliance industry is going to make a lot of money pretending it's bigger and scarier than it is. For most SMEs it is fundamentally manageable — a Saturday afternoon of inventory, a week of disclosure rollouts, and a permanent system of record so the next time someone asks "show me your AI compliance" the answer is "here it is" rather than "give me a month."

That is the job Klarvo is built for.

Start with the 2-minute scope check →

Klarvo organises and explains EU AI Act compliance. It is not legal advice. For specific legal situations, consult a qualified professional.

Frequently asked

Does the Act actually apply to a 10-person company? +

Yes. The Act has no size threshold. The penalty cap is reduced for SMEs (Article 99(6) — the lower of the two amounts, not the higher), and Member States have to provide preferential regulatory-sandbox access, but the obligations themselves are the same as for large enterprises.

What counts as an SME under the Act? +

The Act uses the standard EU SME definition (Recommendation 2003/361): fewer than 250 staff and either turnover ≤ €50M or balance-sheet total ≤ €43M. Microenterprises (fewer than 10 staff, turnover ≤ €2M) get further consideration in some provisions.

What's the SME-specific support? +

Three main things: reduced penalty caps (the lower-of-two rule), preferential access to AI regulatory sandboxes, and Member State obligations to provide SME-friendly compliance guidance and free training materials. The European AI Office is also tasked with simplifying compliance for SMEs.

What should I do this quarter if I'm an SME owner? +

Run the 2-minute scope check. Add your AI systems to a free Klarvo account. Get the Article 50 disclosures live. That's the minimum-viable preparedness for August 2026 and it's achievable in an afternoon, not a quarter.

Do the SME compliance work this weekend.

Free tier — one AI system, full classification, the disclosure drafted, the proof stored. No credit card.

Start free See pricing

Free tier · Full KlarvoEngine classification · No credit card