SecurSentry
Topic hub

The EU AI Act for small business, in plain English

The EU AI Act is the first major law governing how AI is built and used, and it can reach a UK business too. The good news: most small firms that use everyday AI tools have very little to do. This guide explains who it applies to, the four risk tiers, the phased timeline, and the sensible minimum.

Updated June 2026 4 guides in this hub ≈ 27 min to read it all

The short version

Does the EU AI Act apply to your business?

The EU AI Act is a European regulation that governs how AI systems are built, deployed and used — the first law of its kind at this scale. It’s built on a simple idea: not every AI tool carries the same risk, so the obligations are tiered to match. For the full walk-through of where your business fits, read our small business guide to the EU AI Act.

The first thing owners ask is whether it reaches a UK business at all. It can. The Act has extraterritorial reach: it applies to organisations outside the EU if they place an AI system on the EU market, or if the system’s output is used in the EU. So a UK firm selling into the EU, or whose AI affects people there, may fall in scope. If you only serve UK customers and use ordinary off-the-shelf tools, the direct obligations on you are usually limited.

There’s no general size exemption either. Being a small business doesn’t take you out of scope; what decides your duties is how you use AI. It also helps to know which hat you’re wearing. The heaviest rules fall on providers — the companies that build AI systems. Most small firms are deployers, businesses that simply use AI tools in their work, and the duties on deployers are far lighter and more practical.

The four risk tiers, in plain English

The Act sorts every AI system into one of four tiers, and your obligations follow the tier. The single insight that makes it click: the tier follows the use case, not the tool. The same assistant is minimal risk when it drafts your emails and high risk if you point it at deciding which candidates make the shortlist. Our risk tiers guide works through each level with examples.

The shape of the picture is reassuring: a small number of consequential uses near the top, almost everything else sitting comfortably at the bottom. If your AI use is mostly the everyday kind, you’re mostly in minimal-risk territory, which is exactly where most small businesses find themselves.

When does it actually apply? (The timeline)

The Act doesn’t land all at once. It switches on in layers, each with its own date, and the riskier the use, the later and heavier the obligations. For most small businesses, the early steps are the only ones that touch you at all. The dates worth knowing:

1 August 2024 — the Act enters into force; the clock starts but nothing is required yet. 2 February 2025 — the bans on prohibited uses apply, and the duty to support basic AI literacy among staff begins. 2 August 2025 — the rules for providers of general-purpose AI models (the large foundation models behind many tools) start to apply. 2 August 2026 — the bulk of high-risk obligations were originally due. 2 August 2027 — the original date for high-risk AI built into products already regulated under other EU safety laws.

One honest caveat on the high-risk dates. In May 2026 the EU agreed a simplification package that would push those deadlines back by more than a year, but that change isn’t legally binding until it’s formally published, so the original dates technically still stand for now. If you genuinely operate high-risk AI, plan against the official position rather than a headline. Our EU AI Act timeline tracks exactly what’s in force and what’s mid-change.

So what should a small business actually do?

For most small firms the to-do list is short and sensible. Start by listing the AI tools your team uses, including the ones that crept in informally. That register is the foundation of everything else, and once you note the use case beside each tool, your tier usually becomes obvious. Most of the list lands at the bottom, with a handful worth a closer look.

Then write a short acceptable-use policy: which tools are approved, what data must never be pasted into them, who signs off a new tool, and what staff need to understand before they use AI. A page or two in plain English does the job, and it’s also a sensible, proportionate way to meet the AI literacy duty. Our AI acceptable use policy template gives you a starting structure to write from, and our piece on the legal responsibility for the AI tools you use covers the data-protection side that sits alongside it.

That really is most of it. Avoid the banned uses, build basic AI literacy now, and only worry about the high-risk dates if your work genuinely takes you there. The wall of dates looks intimidating, but for the typical small business it comes down to a couple of light habits you can sort this week.

Everything on the EU AI Act

Every guide, in one place

Start wherever your question is. Each guide is a short, plain-English read, and they build on each other as you go.

The EU AI Act is one door into the same work

The groundwork you put in here isn’t a dead end. A tool register, a clear policy, basic staff awareness — that same work carries across the other things customers ask of you, and into the questionnaires that follow. Do it once, use it everywhere. We’re building SecurSentry around exactly that.

Frequently asked questions

Does the EU AI Act apply to UK businesses after Brexit?

It can. The Act has extraterritorial reach: it applies to organisations outside the EU if they place an AI system on the EU market, or if the output of their AI is used in the EU. A UK firm selling into the EU, or whose AI affects people there, may fall in scope. If you operate purely domestically with no EU touchpoints and use ordinary off-the-shelf tools, the direct obligations on you are usually limited.

Is there a small-business exemption from the EU AI Act?

No. There’s no general exemption based on company size. What decides your obligations is how you use AI rather than your headcount. The reassurance for most small firms is that everyday AI use — drafting, summarising, customer chatbots — sits in the lighter risk tiers, where the duties are minimal, so being in scope often means very little to do in practice.

What are the four EU AI Act risk tiers?

Unacceptable risk covers a small set of practices banned outright. High risk covers AI used in consequential settings such as recruitment, creditworthiness or critical infrastructure, and carries the heaviest obligations. Limited risk covers tools like chatbots and AI-generated content, which mainly carry a transparency duty — people must be told they are dealing with AI. Minimal risk covers everything else, with no mandatory obligations. Most everyday business tools fall into the bottom two tiers.

When does the EU AI Act actually apply?

It applies in stages. The law entered into force on 1 August 2024, the bans on prohibited uses and the AI literacy duty applied from 2 February 2025, and the rules for general-purpose AI models from 2 August 2025. Most high-risk obligations were originally due on 2 August 2026, with product-embedded high-risk AI on 2 August 2027. In May 2026 the EU agreed to defer the high-risk dates, but that change isn’t legally binding until it’s formally published, so the original dates technically still stand for now.

What should a small business do about the EU AI Act right now?

Three light steps cover most of it. List the AI tools your team uses and note what each is used for. Write a short acceptable-use policy setting out approved tools, the data that must never be entered, and who approves new tools. And make sure staff have a basic understanding of what AI does and where it can go wrong, which meets the AI literacy duty. Only worry about the high-risk obligations if you genuinely operate AI in areas like hiring or credit.

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.