The EU AI Act for Small Companies: What You Actually Need to Do
The EU AI Act can reach small and non-EU companies whose AI outputs touch the EU. Here is a plain-English map of who it covers, the four risk tiers, and how a governance program helps you get ready.
Why a small company outside the EU should still care
The EU AI Act is the first broad, horizontal law governing artificial intelligence, and its most surprising feature for a small business is reach. Like the GDPR before it, the Act can apply beyond Europe's borders. You do not have to be based in Europe, sell to Europe, or even have a European customer on paper to fall within scope.
Under its scope provisions, the Act covers providers that place AI systems on the EU market or put them into service there, deployers established in the EU, and — critically — providers and deployers located anywhere in the world when the output produced by the AI system is used in the EU. If your software embeds a model that scores, ranks, generates, or recommends something, and a person or business in the EU relies on that output, you can be in scope even if your servers and your team never leave the United States.
That is why this matters for founders, IT and security leads, MSPs, and regulated small businesses far from Brussels. The practical question is rarely "are we a European company?" It is "does any AI output we produce end up being used in the EU?" If the honest answer is yes, or even maybe, it is worth understanding the tiers below. This is general information, not legal advice — your specific obligations depend on facts a qualified advisor should review against the official text of the Act.
The four risk tiers, in plain English
The Act sorts AI systems by how much risk they pose, and the obligations scale with the tier. There are four.
Unacceptable risk (prohibited). A short list of practices is banned outright. These include certain forms of social scoring, manipulative or deceptive techniques that cause significant harm, untargeted scraping of facial images to build recognition databases, and some uses of biometric categorization and real-time remote biometric identification in public spaces. Most small businesses never touch these — but if you do, the answer is simply not to deploy them.
High risk. This is the tier that carries the heaviest compliance load. It covers AI used in sensitive contexts named in the Act's annexes — for example, systems used in hiring and worker management, access to education, credit and essential services, certain safety components of regulated products, and critical infrastructure. A small HR-tech vendor whose tool screens resumes, or a fintech whose model decides creditworthiness, can land here.
Limited risk (transparency). Some systems are allowed but must be transparent. If people interact with a chatbot, they should know they are dealing with a machine; AI-generated or manipulated content such as deepfakes generally needs to be disclosed or labeled. Many small companies using generative AI in customer-facing ways sit in this tier.
Minimal risk. Everything else — spam filters, AI in a video game, inventory forecasting. The vast majority of everyday AI falls here, with no specific obligations under the Act beyond good practice.
Key obligations by tier
What you actually have to do depends on where your systems land.
For prohibited uses, the obligation is to not deploy them. Full stop.
For high-risk systems, the obligations are substantial and ongoing: a risk management system, data governance and quality controls for training and input data, detailed technical documentation, logging, transparency to deployers, human oversight, and appropriate accuracy, robustness, and cybersecurity. High-risk providers generally must pass a conformity assessment and register the system before it goes to market. A template or toolkit can help you organize this documentation, but it cannot make you compliant on its own — compliance comes from operating the program and, where required, passing that assessment.
For limited-risk systems, the core obligation is transparency: tell people when they are interacting with AI, and label AI-generated or manipulated content where the Act requires it.
For minimal-risk systems, there are no mandatory obligations, though voluntary codes of conduct are encouraged.
One duty cuts across the tiers and catches many small deployers off guard: AI literacy. Providers and deployers are expected to take measures to ensure staff who deal with AI on their behalf have a sufficient level of understanding. Even a company that only uses third-party tools like a chatbot or a coding assistant has people to train and a policy to write.
The timeline is staggered — and still shifting
The Act does not switch on all at once. It entered into force on August 1, 2024, and its obligations apply in stages, with the early dates already behind us.
The settled milestones so far: the prohibitions on unacceptable-risk practices and the AI-literacy duty applied from February 2, 2025, and obligations for general-purpose AI (GPAI) model providers, along with governance and penalty provisions, applied from August 2, 2025. Those dates are now history.
The later milestones are where it gets fluid. The original Regulation set general application — including the transparency rules and the bulk of the high-risk obligations — for 2026, with a further set of high-risk obligations for AI embedded in already-regulated products following in 2027. But a proposed simplification package, known informally as the Digital Omnibus, was provisionally agreed in 2026 and, if formally adopted, would push several of the high-risk deadlines later (into 2027 and 2028). When this article was written, formal adoption was still pending.
Here is the important caveat: these future dates are moving. Because the timeline phases in and is actively being amended, do not plan around a single date you read in an article — including this one. Confirm the current specifics for your exact use case against the official EU AI Act text in the EU Official Journal and your national authority's guidance, and treat any future deadline you see as provisional until you check the primary source.
How an AI governance program (and ISO 42001) helps
You cannot buy your way to compliance, but you can make the work dramatically easier with a repeatable governance program — and most of the steps are the same regardless of which tier your systems land in.
Start with an inventory. List every AI system you build, embed, or use, including third-party tools your team adopted without telling anyone. Then classify each one against the four tiers and your own risk register. That single exercise tells you where your obligations actually are and usually shrinks the scary version of the problem down to a manageable list.
From there, a governance program gives you the artifacts the law expects: acceptable-use and human-oversight policies, data-governance rules, transparency and disclosure practices, an incident and logging process, and AI-literacy training records. This is exactly the kind of documentation our AI Governance Policy Pack and ISO 42001 AI Management System Toolkit are built to jump-start.
ISO/IEC 42001 deserves a specific mention. It is the international standard for an AI management system — a structured way to govern AI across its lifecycle, analogous to what ISO 27001 does for information security. Running an ISO 42001-style program does not by itself satisfy the EU AI Act, and it does not make you "certified" (certification comes only from an accredited body after auditing a live management system). But it gives you the governance backbone the Act assumes you have, makes a future conformity assessment far less painful, and answers the AI-use questions that increasingly show up in customer security questionnaires. For a busy small team, that backbone is the difference between scrambling and being ready.
Frequently asked questions
- Does the EU AI Act apply to a US-only company with no EU customers?
- It can. The Act can apply beyond the EU's borders: in addition to providers and deployers established in the EU, it reaches providers and deployers located anywhere when the output of their AI system is used in the EU. If any AI output you produce ends up being relied on by someone in the EU, you may be in scope even with no EU office or contract. Because this turns on specific facts, confirm your situation with a qualified advisor and against the official text of the Act.
- We only use third-party AI tools like ChatGPT or Copilot — are we exempt?
- No. The Act applies to deployers and users of AI, not just developers. Even if you never train a model, you are expected to use it responsibly: meet the AI-literacy duty for staff, provide transparency where required, and apply human oversight. You will also likely need acceptable-use and disclosure policies, which most enterprise security questionnaires now ask about.
- What are the four risk tiers?
- Unacceptable risk (prohibited practices that are banned outright), high risk (sensitive uses such as hiring, credit, or safety components, which carry heavy obligations and often a conformity assessment), limited risk (allowed but with transparency duties, like disclosing a chatbot or labeling deepfakes), and minimal risk (most everyday AI, with no specific obligations). The duties scale up with the tier.
- When exactly do the obligations start?
- They phase in over several years. The prohibitions and AI-literacy duties applied from February 2, 2025, and general-purpose AI obligations from August 2, 2025 — those dates are settled. The bulk of the high-risk and transparency obligations, plus rules for AI embedded in regulated products, come later and have been subject to proposed amendments (the informal "Digital Omnibus") that, if adopted, would push some deadlines into 2027 and 2028. Treat any future date as provisional and verify the current specifics against the official EU AI Act text in the EU Official Journal for your use case.
- If we buy a toolkit or get ISO 42001, are we compliant with the EU AI Act?
- No. A toolkit gives you a head start on the policies and documentation the Act expects, and ISO 42001 provides a governance backbone, but neither makes you compliant or certified. EU AI Act compliance comes from operating the required controls — and, for high-risk systems, passing a conformity assessment. ISO certification comes only from an accredited body after auditing a working AI management system.
Toolkits that help
AI Governance Policy Pack
10 editable AI policies aligned to the EU AI Act and NIST AI RMF, plus an AI risk register — govern workplace AI before regulators and clients ask.
ISO 42001 AI Management System Toolkit
14 editable ISO/IEC 42001:2023 policies and procedures — impact assessments, AI lifecycle, data governance, third-party AI — plus the Annex A Statement of Applicability, an AI risk register, and an audit evidence checklist.