
EU AI Act for European SMEs: Obligations, Penalties, and the Compliance Path

A structured reference for founder-led and operations-heavy businesses preparing for the EU AI Act's August 2026 deadline -- covering deployer obligations, penalties, ISO/IEC 42001 governance, and the practical three-step compliance path.

EU AI Act Obligation Timeline for European SMEs

Key dates and requirement levels for the EU AI Act, from Article 4 AI literacy (already enforceable) to Annex III high-risk system obligations (August 2026).

EU AI Act obligation timeline for European SMEs -- key dates and requirement levels (2024-2026)
| Obligation | Basis | Enforceable from | Who it applies to | Non-compliance penalty |
| --- | --- | --- | --- | --- |
| AI literacy requirement for staff | Article 4 EU AI Act | 2 February 2025 | All employers whose staff use in-scope AI | Up to 15M euros or 3% global turnover |
| Ban on prohibited AI practices | Article 5 EU AI Act | 2 February 2025 | All providers and deployers | Up to 35M euros or 7% global turnover |
| High-risk system deployer obligations | Articles 26-29 EU AI Act | 2 August 2026 | Companies using Annex III AI from vendors | Up to 15M euros or 3% global turnover |
| Annex III category: AI in employment | Annex III EU AI Act | 2 August 2026 | HR/recruitment tools using AI | Up to 15M euros or 3% global turnover |
| Annex III category: access to essential services | Annex III EU AI Act | 2 August 2026 | Finance, insurance, credit tools using AI | Up to 15M euros or 3% global turnover |
| GDPR Article 28 DPA with AI vendors | GDPR / EU AI Act intersection | Already enforceable | All companies using AI SaaS vendors | GDPR penalties (up to 20M euros or 4% turnover) |
| ISO/IEC 42001 AI governance standard | ISO/IEC 42001:2023 | Voluntary (recommended before Aug 2026) | SMEs seeking structured governance | N/A -- voluntary but audit-ready |

Frequently Asked Questions

Key EU AI Act obligations for European SMEs: timelines, deployer vs. provider distinctions, and the role of ISO/IEC 42001.

What does the EU AI Act actually require SMEs to do -- and by when?

The EU AI Act creates a tiered obligation structure. The first tier, which is already enforceable, is Article 4: every employer whose staff use AI systems within the Act's scope must ensure those staff have sufficient AI competency for their role. This is not a training certificate; it is a documented assessment of who uses AI, for what decisions, and whether they understand the tool's limitations and failure modes. If your company uses any AI-assisted tool in HR, finance, customer service, or legal review without having documented staff competency, you are already out of compliance.

The second tier, effective 2 August 2026, covers providers and deployers of high-risk AI systems. Annex III of the EU AI Act defines the categories that matter for most SMEs: AI used in employment decisions (CV screening, performance ranking, promotion decisions), access to essential services (credit scoring, insurance underwriting, loan pricing), and critical infrastructure management. The distinction between 'provider' and 'deployer' is critical here. Most SMEs are deployers -- they use a vendor's AI product rather than developing AI themselves. Deployer obligations under Articles 26-29 include maintaining technical documentation, implementing human oversight procedures, logging incidents, and notifying authorities of serious incidents. Your vendor's CE mark or conformity declaration does not automatically cover your deployer obligations.

Penalties for prohibited AI practices under Article 5 -- including social scoring and subliminal manipulation -- reach 35 million euros or 7% of global annual turnover. Non-compliance with high-risk system rules under Articles 26-29 carries penalties up to 15 million euros or 3% of global annual turnover.
The practical compliance path for a 10-250 person SME: first, inventory all AI tools and classify against Annex III; second, complete an Article 4 AI literacy assessment for all staff who use in-scope AI systems; third, commission a structured AI Operations Audit to identify which tools require formal governance documentation. Mittelstand-Digital, the German government's SME digital programme, offers free readiness workshops as a starting point.

Are most SMEs providers or deployers under the EU AI Act -- and does it matter?

The distinction matters a great deal. A provider under the EU AI Act is an organisation that develops an AI system and places it on the market -- for example, an HR software company that builds a CV-ranking algorithm and sells it to employers. A deployer is an organisation that uses a provider's AI system in the course of its own business activities. Most SMEs with 10-250 employees are deployers, not providers.

The significance is that providers carry the heaviest obligations: pre-market conformity assessment, technical documentation, registration in the EU AI Act database, and CE marking. Deployers carry a separate but still substantial set of obligations under Articles 26-29: they must follow the provider's instructions for use, implement the required human oversight measures, log incidents, inform the provider if they identify a serious risk, and maintain records of use. A deployer cannot discharge these obligations simply by signing the vendor's terms of service or relying on a vendor-provided conformity declaration. The deployer is responsible for ensuring human oversight is actually implemented in their own workflows.

The practical implication for SMEs using vendor AI tools in HR, finance, or customer-facing processes: review your vendor contracts for EU AI Act compliance clauses, check whether the vendor has produced a conformity declaration for the Annex III category your use case falls under, and document your own human oversight procedure for each AI-assisted decision. An AI Operations Audit is the fastest way to produce this documentation in structured form. For SMEs that also supply larger enterprise customers, the deployer compliance posture increasingly affects procurement eligibility -- enterprise procurement teams are beginning to require vendor AI governance evidence as a condition of supplier onboarding.

What is ISO/IEC 42001:2023 and do SMEs need it for EU AI Act compliance?

ISO/IEC 42001:2023 is the first international standard for AI Management Systems, published by the International Organization for Standardization in December 2023. It specifies requirements for establishing, implementing, maintaining, and continually improving an AI management system within an organisation -- covering AI governance, risk management, impact assessment, and responsible AI practices. It is not legally required by the EU AI Act, but it is the most widely recognised governance scaffold for demonstrating compliance with both the EU AI Act's deployer obligations and broader AI governance expectations from enterprise customers.

For SMEs, the practical value of ISO/IEC 42001:2023 is that it is significantly lighter than a full NIST AI RMF 1.0 implementation while covering the same core governance domains: risk classification, human oversight, incident management, and transparency. It also maps cleanly onto ISO 9001 (quality management) and ISO 27001 (information security management) -- certifications that many European Mittelstand companies already hold.

The AI Act's deployer obligations under Articles 26-29 do not require ISO/IEC 42001 certification explicitly. What they require is documented human oversight procedures, incident logging, and conformity documentation. ISO/IEC 42001 provides the structural framework for producing and maintaining this documentation in an auditable form. Companies that implement ISO/IEC 42001 before August 2026 will be in a materially stronger position than those relying on ad hoc documentation approaches -- both with national enforcement bodies and with enterprise customers requiring supply-chain AI governance evidence. A structured AI Operations Audit is the recommended precursor to ISO/IEC 42001 implementation: the audit identifies which AI systems require governance documentation, which processes need human-in-the-loop design, and where ISO/IEC 42001 controls add the most compliance value for the lowest implementation cost.

Map your EU AI Act obligations before August 2026

Vectimo's AI Operations Audit is the structured diagnostic step before any compliance or implementation decision. Two weeks, fixed scope, 2,500 euros flat -- no retainer required. Our lead consultant brings 14 years in enterprise AI strategy and delivery, including as Director of AI Strategy & Delivery at one of Europe's largest mobility companies. The audit classifies your current AI tools against Annex III, identifies Article 4 AI literacy gaps, reviews your GDPR Article 28 vendor obligations, and produces a governance roadmap that maps to ISO/IEC 42001:2023. No upsell until you see the roadmap.

Book a 30-minute intro call