Not Just for Big Tech: SMBs Must Heed EU AI Law, Too

Small and medium-sized businesses (SMBs) developing or using artificial intelligence (AI) systems must comply with the European Union’s AI Act, even if they are not based in or have a presence in the bloc.

Experts say that due to the Act’s scope, many U.S.-based SMBs could be affected and should take steps now to evaluate their exposure. This includes using AI to generate content that is accessed by EU citizens.

A key deadline is Aug. 2, which marks the start of the enforcement of general-purpose AI governance rules. The first deadline, Feb. 2, pertained to “high-risk” AI systems and the final deadline, Aug. 2, 2026, is when the rest of the rules become enforceable.

The AI Act, formally adopted in 2024, is the world’s first comprehensive AI regulation. It introduces a risk-based framework for AI systems placed on the EU market or whose outputs are used in the EU. Failure to comply brings fines of up to 35 million euros ($40 million) or 7% of annual revenue, whichever is higher, according to the EU.

“The EU AI Act will require compliance by U.S. companies if they do business in the EU — otherwise they risk massive fines,” Robert Harrison, a Europe-based patent lawyer at Sonnenberg Harrison, told PYMNTS. “SMBs cannot simply ignore regulations because the U.S. federal government has different ideas on AI regulation.”

Unlike laws that exempt small businesses, the AI Act bases its scope on the nature of the technology, not company size. “It is a risk-based framework that applies to any company that places, makes available, or uses an AI system in the EU or whose outputs are used in the EU,” Scott Bickley, advisory fellow at Info-Tech Research Group, told PYMNTS.

That means “if you offer an AI product to the EU market, or even if the output of your AI is used in the EU, you’re on the hook,” Wyatt Mayham founder of Northwest AI Consulting told PYMNTS.

For example, a U.S.-based marketing firm using artificial intelligence to generate ad copy for a client’s campaign in Germany has to comply, Mayham said.

A simple way to think about it is this: “If you’re building AI that could affect people’s jobs, health or finances, you’ll have to follow tighter rules. But if you’re making tools like chatbots or smart assistants, it’s mostly about being transparent — letting people know they’re talking to AI,” Shay Boloor, chief market strategist at Futurum Equities, told PYMNTS.

See also: European Commission Says It Won’t Delay Implementation of AI Act

Mayham said the exact compliance requirements will depend on where SMBs fall in the AI Act’s four AI risk levels:

• Unacceptable risk: AI systems that do social scoring or untargeted facial recognition.
• High-risk systems: These include AI used in hiring, education, credit scoring or infrastructure. It must comply with the Act’s rules for risk management, data governance transparency and registration.
• Limited risk systems: SMBs using an AI chatbot like ChatGPT or Perplexity to create content or generate deepfakes must disclose AI use and content must be labeled as AI-generated.
• Minimal risk systems: These include using AI in spam filters or video games. They do not face binding rules but users are encouraged to follow voluntary codes of practice.

Andrew Gamino-Cheong, CTO and co-founder of Trustible, a company that helps enterprises comply with regulations, said SMBs that don’t believe they are building a “high risk” tool should double-check.

“Any SMB building a tool off OpenAI [models] or Claude can still end up being considered a ‘provider’ of a high-risk system and get subjected to its requirements,” Gamino-Cheong told PYMNTS.

Bickley said the EU does provide some relief for smaller businesses:

• Access to free regulatory sandboxes where SMBs can test AI under supervision without risking full liability.
• Simplified technical documentation templates for high-risk systems.
• Reduced conformity assessment fees for smaller companies.
• Dedicated helplines and training from national supervisory authorities.

Still, “the core requirements are not waived and apply equally to all applicable organizations,” Bickley said.

To get started, Mayham and Bickley recommend the following steps:

• Audit and classify: SMBs can’t comply if they don’t know what they have. Create an inventory of every artificial intelligence system being used or built and classify its risk level under the Act. There are even free online checkers from groups like the European Digital SME Alliance.
• Address high-risk systems first: Start building the compliance framework now and document data sources, establish a risk management process, and ensure meaningful human oversight. High-risk obligations start to take effect in 2026.
• Perform a compliance gap analysis, design a compliance process, implement a quality management system suitable for SMBs (for example, ISO 42001 or NIST AI RMF) and ensure transparency by disclosing the use of AI in chatbots, deepfakes and gen AI outputs.
• Perform vendor due diligence, including requiring them to provide proof that they comply with the AI Act. Monitor standards and codes of practice in an ongoing manner in case of EU changes.

Boloor urged SMBs not to view compliance as a burden, but as an opportunity for growth.

“I don’t see the EU AI Act as a death blow for SMBs — it’s more of a filter. You’re not off the hook, but you’re not being crushed either,” Boloor said. “The earlier you learn to play by the rules, the faster you can grow. Big companies want compliant, trusted partners — and if you get ahead of this, that can be you.”

Read more:

OpenAI CEO Sam Altman: EU Regulations Could Limit Access to AI

Homeland Security Head Criticizes EU’s ‘Adversarial’ AI Approach

OpenAI, Australia and EU Each Push Own AI Regulations

For all PYMNTS AI coverage, subscribe to the daily AI Newsletter.

The post Not Just for Big Tech: SMBs Must Heed EU AI Law, Too appeared first on PYMNTS.com.