Klarvo

Guide · SMEs

The SME EU AI Act compliance playbook

What an SME should actually do this quarter and next to be August-2026-ready. Cost expectations, role assignments, the things you can safely defer. Built for a 10-50-person team.

The honest scoping question

Most SMEs land here: 2-6 AI systems, almost all limited-risk, occasionally one high-risk system (recruitment AI or credit scoring), zero prohibited practices. The compliance work for this shape is genuinely manageable.

Total realistic budget for an SME to be August-2026-ready:

  • Tools — €0 to €890/year (Klarvo Free, or Klarvo Comply annual).
  • Internal time — 1-2 days of one named person's time over the next 8 weeks, plus 30 minutes a quarter ongoing.
  • External legal — 0-2 hours of a generalist solicitor, only for genuine edge cases.

That is the floor; spending more buys peace of mind, not regulatory cover.

Quarter 1 — Inventory and triage (1 week, calendar time)

  1. Name the owner. One person — typically the COO, ops lead, or in a smaller team, the founder. This is not a committee.
  2. Inventory every AI system. Use a spreadsheet or Klarvo's Discover step. Ask each team lead: "Is there an AI tool customers see, or that processes customer / employee data?"
  3. Classify each one. Klarvo's free tier does the first system end-to-end. The owner classifies the rest in subsequent sessions; 5-10 minutes per system.
  4. Triage the results. Group: prohibited (escalate immediately), high-risk (planning), limited-risk (Article 50 work), minimal-risk (Article 4 literacy only).

Output: a one-page summary the owner can hand to the founder / board.

Quarter 1 — Article 50 work (1-2 weeks, calendar time)

For every limited-risk system, the owner runs through this loop:

  1. Draft the disclosure (Klarvo generates one; edit for voice).
  2. Coordinate with the team that owns the surface (web team for chatbots, content team for AI-generated content) to add the disclosure.
  3. Capture proof — screenshot, dated.
  4. Bank in the evidence vault, linked to the obligation.

For a typical SME this is 1-2 weeks of part-time work, distributed across teams.

Quarter 2 — High-risk planning (if you have any)

If your inventory has any Annex III high-risk systems (most commonly: AI recruitment, AI credit scoring, AI used in essential services), the work is meaningful but bounded:

  1. Confirm the deployer obligation set with KlarvoEngine.
  2. Name the human-oversight owner per system.
  3. Get the vendor's instructions for use, log retention details, and conformity assessment summary. Email the vendor; if they can't supply them, escalate (a vendor that can't provide these is a vendor with their own AI Act problem).
  4. For public bodies or credit/insurance AI deployers: scope the FRIA. Plan 2-4 weeks for a thorough one.

Quarter 2 — Article 4 AI literacy (1 afternoon)

Article 4 requires every business using AI to ensure staff who interact with AI systems have a sufficient understanding. The bar is low and the implementation can be light:

  1. 30-minute team session — what AI tools the company uses, the basic limits (hallucination, bias, training-data drift), the company's expectations around AI use.
  2. One-page written summary distributed and acknowledged.
  3. Logged as a literacy event in Klarvo's training register.

Ongoing — the quarterly review

30 minutes a quarter, run by the owner:

  1. Has any AI system been added to the inventory since last quarter?
  2. Are existing Article 50 disclosures still live? (Quick screenshot refresh.)
  3. Any vendor AI changes? (New AI features added to a tool you use.)
  4. Any internal change-of-use that re-opens classification?

What you can safely defer

  • Reading the regulation. 458 pages of legalese. The Klarvo explainer hub and these guides cover what you need.
  • Enterprise AI-governance platforms. Priced for procurement committees. Klarvo is built for your shape of company.
  • External consulting retainers. Use a specialist legal advisor for genuinely novel edge cases — not for chatbot disclosures.
  • ISO 42001 certification. Optional, useful for enterprise customers, not required by the Act. Add post-launch if a customer asks.

The honest read. If you start this quarter, you'll finish well before August 2026, and your evidence vault will be the strongest thing about your business when someone first asks "show me your AI compliance." If you start in July 2026, you'll be doing it under deadline pressure — which is the worst possible time. The cost of starting now is tiny; the cost of starting late is high.

Run this playbook on Klarvo.

The Free tier covers Quarter 1's first system end-to-end. Comply annual (€890/yr) covers a typical SME inventory.
