First, what it isn't: the AI Act does not ban you from using AI
A lot of SMEs have heard that "an AI law is coming" and decided to touch nothing until things settle. That is the most expensive mistake they can make. The EU Artificial Intelligence Act (the AI Act) does not ban you from using AI in your company. What it does is classify uses by risk level and ask more or less of you depending on that level.
And the reality is that almost everything an SME does with AI today (a support chatbot, a model that estimates demand, a copilot that summarizes reports for you) falls into the low or limited risk band, where the obligations are perfectly reasonable. Freezing out of fear means giving up an advantage over a threat that, in your case, probably doesn't exist.
The dates that matter, and why August 2026 is the big one
Here is the real calendar. Since 2 August 2025, the rules for general-purpose AI models already apply, the large models behind many of the tools you use without knowing it. On 2 August 2026, the bulk of the regulation comes into force: the high-risk systems in Annex III and the transparency obligations. And the highest-risk uses (biometrics, critical infrastructure, employment, borders) have been pushed back to December 2027.
For an SME, the date that marks the calendar is August 2026. That is, you have months, not years. Just enough time to arrive prepared if you start now, and just enough to arrive in a rush if you leave it until after the summer.
Which risk level does what you do fall into?
The regulation sorts uses into four buckets. Unacceptable risk is banned outright (social scoring, manipulation), and it almost certainly doesn't affect you. High risk is where the serious obligations live: this is where AI that makes or shapes decisions about people belongs. Limited risk basically asks for transparency. And minimal risk, where most things sit, asks for almost nothing.
The practical question that places you on the map is just one: does your AI make or influence decisions about people? If you filter CVs, decide credit limits, or evaluate employees with the help of a model, you are in high-risk territory and it's worth getting advice. If not, you are most likely in the transparency or minimal band, and the work is far lighter.
What you do have to do even if you are low risk
Even if you land in the comfortable band, there are three things worth having. The first is transparency: if a customer talks to a chatbot, they have the right to know it's a machine; if you publish AI-generated content, it has to be identifiable as such. The second is what's called AI literacy: your team needs basic training on the tools it uses, not a master's degree, but enough to know what they do and where they fail. The third is keeping some record of what you use and what for. None of this is heavy bureaucracy; it's common sense put in writing.
There is relief designed for SMEs, and it's worth using
The EU has built in a specific simplified framework for small companies: simpler guidance, standardized documentation templates, reduced fines, and access to supervised testing environments, the so-called regulatory sandboxes. In fact they widened the "SME" umbrella to companies of up to 750 employees and 150 million euros in revenue, and each country has to have at least one operational sandbox by August 2026.
The translation is simple: the legislator has tried to make sure this doesn't crush you. But the relief doesn't come on its own; you have to know about it and ask for it. The SME that knows it exists plays with an advantage over the one that assumes the law is equally harsh on everyone.
The real work isn't legal, it's about data
And here comes my part, the one almost nobody tells you about. Almost everything the AI Act is going to ask of you (knowing which data your AI uses, where it comes from, whether it's biased, being able to explain a decision, keeping a record) is, at heart, data governance. If you are clear on which data feeds each system, with what quality and with what definition, complying is basically documenting it.
The problem shows up when your data is scattered across fifteen spreadsheets and nobody knows where each number comes from. In that case the problem isn't the law: it's that you don't have control over your own information, and the law has only put it right under your nose.
The AI Act doesn't force you to understand your data. It forces you to prove you understand it. And that can only be faked until someone asks.
Where to start, specifically
The first step is a simple inventory of where you use AI today, including what comes in through the back door: a salesperson using ChatGPT on their own, a tool in your stack that has just launched a copilot. For each use, you ask yourself whether it touches decisions about people. You turn on transparency notices wherever there's contact with customers. You give your team basic training. And only if something falls into high risk, then yes, you get advice from a specialized legal expert.
Most SMEs never reach the last step. But they all benefit from doing the first ones, because tidying up what you have is useful with or without a law.
The bottom line
Don't stop using AI out of fear of a law that, read calmly, rewards exactly those who have their data house in order. The SME that reaches August 2026 knowing which AI it uses and with what data doesn't just comply: it decides better than its competition. The rest are going to discover, in a hurry, that they never fully knew what they had in their hands.