SecurSentry
← All notes
EU AI Act

The EU AI Act Is Coming — What Does It Actually Mean for a Small Business?

You've probably heard the EU AI Act mentioned in the same breath as big tech and enterprise compliance budgets. But if your business uses AI tools — even just ChatGPT or an AI-powered hiring platform — you may already have real obligations you're not aware of.

The short version

You have almost certainly been using AI tools for a while now. A writing assistant, an AI-powered inbox, a website chatbot, maybe a hiring platform with automated screening built in. The EU AI Act small business question that keeps coming up is simple: does any of that mean I now have compliance obligations? For most UK SMEs the answer is yes, but the picture is narrower and more manageable than the headlines suggest. Let’s cut through it.

What is the EU AI Act?

The EU AI Act is a European regulation that governs how artificial intelligence systems are built, deployed and used. It’s the first law of its kind at this scale.

It entered into force in August 2024 and rolls out in phases through to 2027. Think of it less as a single deadline and more as a wave: some requirements are already active, others are still coming. The central idea is proportionality. Not every AI tool carries the same risk, so the obligations are tiered.

Does the EU AI Act apply to UK businesses?

Often, yes. If you sell to EU customers, use AI tools that process EU residents’ data, or rely on EU-built AI systems that pass obligations downstream, exposure is likely.

Brexit removed the UK from the EU’s legal framework, but it did not insulate UK businesses from the Act’s reach when they touch EU markets or data. You are likely in scope if:

If none of those apply, and you operate domestically with no EU data touchpoints, exposure is likely minimal. But if you use cloud-based AI tools from the major providers, assume it’s relevant to you.

How does the risk-based model work?

The EU AI Act sorts AI systems into four risk tiers — unacceptable, high, limited and minimal — and your obligations depend on which tier your tools fall into.

Unacceptable risk (banned outright)

AI systems the EU has prohibited entirely: government social scoring, real-time biometric surveillance in public spaces, and the like. Almost certainly not relevant to your business, so move on.

High risk (significant obligations)

High-risk AI systems operate where errors carry serious consequences. Think of AI used to screen job applicants, assess creditworthiness, decide access to education, or manage critical infrastructure.

If you use an AI recruitment tool that ranks candidates, or a lending platform that uses AI to assess risk, you may be in this category. That holds even if you’re only the end-user and not the developer. Check your tools and their terms.

Limited risk (transparency obligations)

If you use AI chatbots or AI-generated content in customer-facing settings, you have a transparency obligation: people must be told when they are interacting with AI.

This is one of the most practical requirements for SMEs. If your website has an AI chatbot, it must identify itself as such, and AI-generated customer communications may carry a disclosure obligation. Not onerous, but real.

Minimal risk (voluntary good practice)

Most general-purpose AI tools sit here: writing assistants, summarisation, translation, image generation for non-sensitive uses. No mandatory obligations, but responsible use is encouraged.

Which tier are you in?

Your tier depends on how you use a tool, not just what it is. The same AI tool is minimal risk for internal drafting but potentially high risk if it decides on job applicants. Use case is everything.

What does the EU AI Act mean for a small business right now?

For most small businesses, the practical starting point is simple: know which AI tools you use, what they are used for, and whether any fall into a higher-risk category.

A practical checklist:

  1. Build an AI tool register. List every AI tool your team uses, including the ones that crept in informally, and note what each does, who uses it, and what data goes in. This is the foundation of everything else.
  2. Write an AI acceptable use policy. A short document setting out which tools are approved, what data can be entered, and what decisions AI can and cannot make on your behalf. Short is fine; clear is essential.
  3. Check for high-risk use cases. Review your register against the high-risk categories. If any tools touch hiring, credit or regulated decisions, read the provider’s terms and consider specialist advice.
  4. Ensure basic AI literacy across your team. More on this next.

What is the Article 4 AI literacy obligation?

Article 4 requires businesses that deploy AI to ensure staff have a sufficient level of AI literacy: a working grasp of what AI does and where it can fail.

This is not about a postgraduate programme. Staff who use AI day to day should understand:

A brief, documented training session is enough to make a meaningful start. It’s just good sense anyway.

What should you watch as the Act rolls out?

The EU AI Act rolls out in stages, with different provisions becoming enforceable at different points between now and 2027.

The prohibition on unacceptable-risk AI applied from early 2025. High-risk obligations are phasing in through 2025 and 2026, and general-purpose AI models have their own timeline. So this is not something to file away for three years. A light habit of checking your AI providers’ updates and watching for regulatory changes keeps you ahead of it.

“The businesses that struggle with AI regulation are the ones who wait until obligations are fully enforced. The ones who start now, even with something as simple as a tool register, find it far less disruptive.”


The EU AI Act is complex, and obligations vary with which AI tools you use and how. If you are unsure about your position, get specialist advice. This article is an orientation, not a legal assessment.

SecurSentry is launching soon to help you build your AI tool register, draft your AI acceptable use policy and document your AI literacy training, so the evidence is ready when you need to demonstrate compliance. Join the waitlist to be first in line.

Frequently asked questions

Does the EU AI Act apply to UK businesses after Brexit?

Yes, in many cases it does. If your business sells products or services to EU customers, uses AI systems that process EU residents' data, or deploys AI tools developed by EU companies that pass obligations down to users, the Act can apply to you. Brexit removed the UK from the EU's legal framework, but it did not insulate UK businesses from the Act's reach when they interact with EU markets or data.

What does the EU AI Act require small businesses to do right now?

The most immediately practical obligations for SMEs are: knowing which AI tools your business uses and for what purpose, having a written AI acceptable use policy, and ensuring staff have basic AI literacy under Article 4. If any of your AI tools touch high-risk categories such as hiring decisions or credit scoring, you will have additional obligations to assess. Some provisions are already in effect; others roll out through 2025 and 2026.

What is a high-risk AI system under the EU AI Act?

A high-risk AI system is one that operates in a regulated context where the consequences of errors are significant — for example, AI used to screen job applicants, assess creditworthiness, or manage critical infrastructure. If your business uses an AI tool in one of these contexts, even as an end-user, you may have specific compliance duties. Most general-purpose tools like writing assistants or customer chatbots do not fall into this category.

What is an AI acceptable use policy and why does my business need one?

An AI acceptable use policy is a document that sets out how your team is and isn't permitted to use AI tools at work — covering things like what data can be inputted, which tools are approved, and what sign-off is required for AI-assisted decisions. The EU AI Act expects deployers of AI to govern its use responsibly, and a written policy is one of the clearest ways to demonstrate that. It also protects your business if something goes wrong.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Cyber Essentials

How to Choose a Cyber Essentials Certification Body

4 Jul 2026 · 6 min
Cyber Essentials

What Cyber Essentials Plus Actually Costs

1 Jul 2026 · 6 min
SME security

The UK Small Business Compliance Journey: Cyber Essentials, GDPR and Security Questionnaires

29 Jun 2026 · 8 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.