EU AI Act Compliance Checklist for SMBs: What You Actually Need to Do Before August 2026
The EU AI Act becomes fully enforceable on August 2, 2026. For companies that don't comply, fines reach up to 7% of global annual revenue — or up to €35 million, whichever is higher.
If you're running a small or mid-sized business in Europe that uses AI tools — and in 2026, that's nearly everyone — this guide is for you.
We've cut through the 400+ pages of legal text and distilled it into a practical, step-by-step checklist. No legal jargon. No enterprise-only advice. Just what SMBs actually need to do.
Key Enforcement Dates
- Feb 2, 2025: Prohibited AI practices banned
- Aug 2, 2025: GPAI model obligations
- Aug 2, 2026: High-risk + most obligations
- Aug 2, 2027: Some product safety AI systems
Who This Applies To
If your company does any of the following, the EU AI Act applies to you:
- Uses AI chatbots for customer support (ChatGPT, Intercom, etc.)
- Uses AI for hiring, recruitment screening, or HR decisions
- Deploys AI recommendation engines (e-commerce, content)
- Uses AI-powered analytics or business intelligence tools
- Uses GitHub Copilot, AI code assistants, or AI writing tools
- Uses AI for credit scoring, insurance assessment, or financial decisions
- Deploys AI in healthcare, education, or critical infrastructure
The reality: If you're a European company with more than 10 employees, you almost certainly use at least one AI system that falls under this regulation. The Act applies regardless of whether you built the AI, deploy it, or distribute it.
The 6-Step Compliance Checklist
Step 1: Inventory All AI Systems
Create a complete list of every AI system your company uses, develops, or distributes. You can't comply with a regulation if you don't know what falls under it. Over 50% of organizations don't have an AI inventory.
For each AI system, document:
- System name and provider (e.g., “ChatGPT via OpenAI for customer support”)
- What it does (purpose and use case)
- What data it processes (personal, biometric, financial, health?)
- Who is affected (employees, customers, the public, children?)
- Your role: Provider (you built it), Deployer (you use it), or Distributor (you resell it)?
- Scale of use: How many people are affected? How frequently?
Don't forget commonly overlooked AI systems:
- AI features embedded in SaaS tools (HubSpot AI, Salesforce Einstein, Notion AI)
- AI-powered spam filters and email categorization
- AI recruitment/screening tools
- AI analytics and BI dashboards
- AI content generation tools (Midjourney, DALL-E, Jasper)
Konformis tip: Our AI Inventory Wizard walks you through this step-by-step with a pre-loaded library of 30+ common AI systems. Most companies complete their full inventory in under an hour. Start your inventory →
Step 2: Classify Each System's Risk Level
Determine whether each AI system is Prohibited, High-Risk, Limited Risk, or Minimal Risk under the Act.
| Risk Level | Examples / Obligations |
|---|---|
| Prohibited | Social scoring, mass surveillance, subliminal manipulation, emotion recognition in workplaces/schools, predictive policing |
| High-Risk | Recruitment & HR, credit scoring, education, critical infrastructure, law enforcement, healthcare, migration |
| Limited Risk | Chatbots, AI-generated content, deepfakes, emotion recognition (non-prohibited contexts) |
| Minimal Risk | No specific obligations. Voluntary codes of conduct encouraged. |
Key insight: Most SMBs will find their AI systems fall into Limited or Minimal Risk. But if you use AI for hiring, credit decisions, or healthcare, you're likely High-Risk — and that triggers serious documentation requirements.
Free tool: Not sure where your AI systems fall? Use our free Risk Classifier — no signup required. Get your classification in 2 minutes with full legal citations.
Step 3: Understand Your Role-Specific Obligations
The EU AI Act assigns different obligations depending on your role.
Provider (you developed or had the AI system developed)
- Full technical documentation (Annex IV)
- Conformity assessment
- Risk management system
- Post-market monitoring
- Registration in EU database
Deployer (you use the AI system in your operations; this is the role most SMBs are in)
- Use the system according to provider’s instructions
- Monitor the system’s operation
- Conduct a Fundamental Rights Impact Assessment (high-risk)
- Inform employees and affected persons
- Keep logs and records
Distributor (you make the AI system available on the EU market)
- Verify the provider has completed conformity assessment
- Ensure proper labeling and documentation
- Don’t modify the system in ways that affect compliance
Step 4: Generate Required Documentation
For High-Risk systems, the Act requires specific documents:
| Document | Legal Basis | What It Covers |
|---|---|---|
| General System Description | Annex IV, Section 1 | What the system does, how it works, intended purpose |
| Risk Management Plan | Article 9 | Identified risks, mitigation measures, residual risk assessment |
| Data Governance Documentation | Article 10 | Training data, quality measures, bias assessment |
| Technical Design Specifications | Annex IV, Section 2 | Architecture, algorithms, key design choices |
| Performance & Accuracy Metrics | Article 15 | Benchmarks, accuracy rates, known limitations |
| Human Oversight Plan | Article 14 | How humans monitor and can intervene in the system |
| Post-Market Monitoring Plan | Article 72 | Ongoing monitoring strategy after deployment |
| Declaration of Conformity | Article 47 | Formal statement that you meet all requirements |
For Limited Risk systems:
- Transparency notices (inform users they’re interacting with AI)
- Content labeling (mark AI-generated content)
- Record of transparency measures taken
Important: The EU AI Act allows self-assessment for most high-risk AI systems. You don't need an external auditor; you need the right documentation. Third-party assessment is only required for a narrow set of systems, primarily biometric identification for law enforcement.
This is where most SMBs get stuck. Reading Articles 9–15 and Annex IV of the AI Act and turning them into actual documents is a full-time job. That's exactly what Konformis automates. Our Document Generator creates pre-filled, section-by-section compliance documents based on your inventory data. See how it works →
Step 5: Implement Transparency Measures
Even if your AI systems are “just” Limited Risk, Article 50 requires you to:
Inform users they’re interacting with AI
If you use chatbots, automated email responses, or AI customer support, users must be clearly told. Add a notice like: "You are interacting with an AI-powered assistant."
Label AI-generated content
If you publish AI-generated text, images, or videos, they must be labeled as artificially generated. This includes marketing content, social media posts, and product descriptions.
Disclose deepfakes
Any AI-generated or manipulated image, video, or audio that depicts real people or events must carry a disclosure.
Emotion recognition disclosure
If you use any system that detects emotions (e.g., customer sentiment analysis), affected persons must be informed.
Practical tip: Add transparency notices to your website footer, chatbot interfaces, email signatures, and content publishing workflows. It's low effort but legally required.
Step 6: Set Up Ongoing Compliance
Compliance isn't a one-time project. The EU AI Act specifically requires:
- Periodic risk reviews (Article 9) — Your risk management must be a "continuous iterative process" updated throughout the AI system’s lifecycle
- Post-market monitoring (Article 72) — Actively monitor your high-risk AI systems after deployment
- Incident reporting — Report serious incidents to authorities
- Documentation updates — Keep all documents current when systems change
What this means in practice:
- Schedule quarterly reviews of your AI inventory (new tools get adopted constantly)
- Review and update risk management documentation at least annually
- Track changes to AI systems and update classifications when purposes change
- Monitor regulatory updates (delegated acts, harmonized standards, AI Office guidance)
This is why compliance is a subscription, not a one-time purchase. Your compliance dashboard should show you what's up to date, what needs review, and what's overdue — automatically. See the Konformis Dashboard →
Common Mistakes SMBs Make
“We don’t use AI”
You almost certainly do. Check your SaaS tools for embedded AI features.
“We’re too small to matter”
The Act applies based on the AI system’s risk, not your company’s size. A 10-person startup using AI for recruitment screening has the same obligations as a Fortune 500 company.
“Our AI provider handles compliance”
Providers have their obligations. Deployers have separate, additional obligations. You can’t outsource your compliance.
“We’ll wait and see if they enforce it”
GDPR enforcement started within months, with fines reaching hundreds of millions. The AI Act establishes a dedicated AI Office with enforcement powers.
“We just need to fill out a checklist”
For high-risk systems, you need substantive documentation, not checkboxes. The Declaration of Conformity alone requires you to demonstrate compliance across multiple articles.
What Does It Cost to Comply?
| Approach | Cost | Time | Quality |
|---|---|---|---|
| Enterprise GRC platform | €30,000–500,000/yr | Weeks of setup | High, enterprise-focused |
| Law firm / consultant | €10,000–50,000+ | Months | Depends on expertise |
| DIY (read the Act) | Free | 100+ hours | Risky |
| Konformis | €89–249/mo | Hours | Templates with legal citations |
Next Steps
Start with your AI inventory.
You can’t classify what you haven’t cataloged. Even a spreadsheet is better than nothing.
Classify your highest-stakes AI systems first.
If you use AI for hiring, credit, healthcare, or critical infrastructure — that’s where the real risk (and fines) are.
Don’t panic, but don’t wait.
August 2, 2026 is less than 5 months away. Companies that start now will be ready. Companies that wait until July will be scrambling.
Konformis helps European SMBs comply with the EU AI Act — without a consultant or a six-figure budget. All data stored on dedicated servers in Germany.