The EU AI Act Is Coming — What Does It Actually Mean for a Small Business?
You've probably heard the EU AI Act mentioned in the same breath as big tech and enterprise compliance budgets. But if your business uses AI tools — even just ChatGPT or an AI-powered hiring platform — you may already have real obligations you're not aware of.
The short version
- Most UK SMEs have some exposure. If you sell to EU customers, use AI tools that process EU residents' data, or rely on EU-built AI systems, the EU AI Act is likely to affect you in some way.
- The risk tier is what matters. The Act uses a four-level risk model — most everyday AI tools fall into the minimal or limited risk categories, meaning lighter obligations, but obligations none the less.
- Article 4 requires AI literacy. Any business that deploys AI tools in its work must ensure staff have a basic understanding of what AI is, how it works, and where it can go wrong — not a postgraduate course, just informed awareness.
- Start with a tool register and a policy. Knowing exactly which AI tools your team uses, and for what purpose, is the foundation of compliance — and something you can start building today.
You have almost certainly been using AI tools for a while now. A writing assistant, an AI-powered inbox, a website chatbot, maybe a hiring platform with automated screening built in. The EU AI Act small business question that keeps coming up is simple: does any of that mean I now have compliance obligations? For most UK SMEs the answer is yes, but the picture is narrower and more manageable than the headlines suggest. Let’s cut through it.
What is the EU AI Act?
The EU AI Act is a European regulation that governs how artificial intelligence systems are built, deployed and used. It’s the first law of its kind at this scale.
It entered into force in August 2024 and rolls out in phases through to 2027. Think of it less as a single deadline and more as a wave: some requirements are already active, others are still coming. The central idea is proportionality. Not every AI tool carries the same risk, so the obligations are tiered.
Does the EU AI Act apply to UK businesses?
Often, yes. If you sell to EU customers, use AI tools that process EU residents’ data, or rely on EU-built AI systems that pass obligations downstream, exposure is likely.
Brexit removed the UK from the EU’s legal framework, but it did not insulate UK businesses from the Act’s reach when they touch EU markets or data. You are likely in scope if:
- You have EU-based customers or clients
- Your AI tools process personal data belonging to EU residents
- You use AI systems built by EU providers whose terms pass obligations to downstream users
If none of those apply, and you operate domestically with no EU data touchpoints, exposure is likely minimal. But if you use cloud-based AI tools from the major providers, assume it’s relevant to you.
How does the risk-based model work?
The EU AI Act sorts AI systems into four risk tiers — unacceptable, high, limited and minimal — and your obligations depend on which tier your tools fall into.
Unacceptable risk (banned outright)
AI systems the EU has prohibited entirely: government social scoring, real-time biometric surveillance in public spaces, and the like. Almost certainly not relevant to your business, so move on.
High risk (significant obligations)
High-risk AI systems operate where errors carry serious consequences. Think of AI used to screen job applicants, assess creditworthiness, decide access to education, or manage critical infrastructure.
If you use an AI recruitment tool that ranks candidates, or a lending platform that uses AI to assess risk, you may be in this category. That holds even if you’re only the end-user and not the developer. Check your tools and their terms.
Limited risk (transparency obligations)
If you use AI chatbots or AI-generated content in customer-facing settings, you have a transparency obligation: people must be told when they are interacting with AI.
This is one of the most practical requirements for SMEs. If your website has an AI chatbot, it must identify itself as such, and AI-generated customer communications may carry a disclosure obligation. Not onerous, but real.
Minimal risk (voluntary good practice)
Most general-purpose AI tools sit here: writing assistants, summarisation, translation, image generation for non-sensitive uses. No mandatory obligations, but responsible use is encouraged.
Which tier are you in?
Your tier depends on how you use a tool, not just what it is. The same AI tool is minimal risk for internal drafting but potentially high risk if it decides on job applicants. Use case is everything.
What does the EU AI Act mean for a small business right now?
For most small businesses, the practical starting point is simple: know which AI tools you use, what they are used for, and whether any fall into a higher-risk category.
A practical checklist:
- Build an AI tool register. List every AI tool your team uses, including the ones that crept in informally, and note what each does, who uses it, and what data goes in. This is the foundation of everything else.
- Write an AI acceptable use policy. A short document setting out which tools are approved, what data can be entered, and what decisions AI can and cannot make on your behalf. Short is fine; clear is essential.
- Check for high-risk use cases. Review your register against the high-risk categories. If any tools touch hiring, credit or regulated decisions, read the provider’s terms and consider specialist advice.
- Ensure basic AI literacy across your team. More on this next.
What is the Article 4 AI literacy obligation?
Article 4 requires businesses that deploy AI to ensure staff have a sufficient level of AI literacy: a working grasp of what AI does and where it can fail.
This is not about a postgraduate programme. Staff who use AI day to day should understand:
- That AI systems can produce errors and should not be trusted uncritically
- What data is and is not appropriate to share with an AI tool
- How to flag an AI output that seems wrong or inappropriate
A brief, documented training session is enough to make a meaningful start. It’s just good sense anyway.
What should you watch as the Act rolls out?
The EU AI Act rolls out in stages, with different provisions becoming enforceable at different points between now and 2027.
The prohibition on unacceptable-risk AI applied from early 2025. High-risk obligations are phasing in through 2025 and 2026, and general-purpose AI models have their own timeline. So this is not something to file away for three years. A light habit of checking your AI providers’ updates and watching for regulatory changes keeps you ahead of it.
“The businesses that struggle with AI regulation are the ones who wait until obligations are fully enforced. The ones who start now, even with something as simple as a tool register, find it far less disruptive.”
The EU AI Act is complex, and obligations vary with which AI tools you use and how. If you are unsure about your position, get specialist advice. This article is an orientation, not a legal assessment.
SecurSentry is launching soon to help you build your AI tool register, draft your AI acceptable use policy and document your AI literacy training, so the evidence is ready when you need to demonstrate compliance. Join the waitlist to be first in line.