Zum Hauptinhalt springen

EU AI Act for SMEs (2025): what you must do now

I advise companies that use or build AI. Below is a simple plan for SMEs to prepare for the EU AI Act without wasting time or money.

Why this matters

The EU AI Act is now in force and its duties start to apply in phases. If you prepare early, you avoid last-minute costs and keep your projects on track.

What applies when (plain timeline)

  • 2 Feb 2025: bans on prohibited practices start.
  • 2 Aug 2025: rules for general-purpose AI (GPAI) models and EU-level governance start.
  • 2 Aug 2026: most remaining duties apply (including transparency under Article 50 and Annex III high-risk systems).
  • 2 Aug 2027: extra time for high-risk AI embedded in regulated products.

Step 1 — Map your AI use (30 minutes)

  • Where do you use AI? list tools and vendors (chatbots, scoring, document analysis, vision, etc.).
  • Who provides it? vendor, open-source model, or in-house.
  • What is the impact? does it affect people’s rights (hiring, credit, access to services) or safety?

Step 2 — Classify the risk

  • Not high-risk: most internal productivity use (drafting, summaries) tends to be lower risk, but keep basic transparency and records.
  • High-risk (Annex III): e.g., certain employment, credit-worthiness, education or essential services use. If in scope, you will need a quality management system, risk management, data governance, technical documentation, human oversight, post-market monitoring and, in many cases, a conformity assessment.
  • GPAI models: if you provide a general-purpose model, special provider rules apply; if you only use someone else’s model, focus on vendor assurances and your deployer duties.

Step 3 — Transparency and content

  • AI interactions: people should know when they interact with an AI system (unless obvious).
  • AI-generated or altered content (“deepfakes”): plan to mark synthetic media so it can be detected by machines and recognised by people. Build the workflow now; obligations phase in with the broader transparency rules.
  • Documentation: keep simple records of what you used, why, data sources and human review.

Step 4 — Vendors and contracts (quick wins)

  • Ask for: model card/technical sheet, training-data info, known limitations, safety tests, and EU AI Act compliance roadmap.
  • Put it in the contract: duty to inform about material changes, security incidents, and non-compliance; right to audit/assurance reports; cooperation for transparency labels and user notices.
  • Security & privacy: align with your GDPR and information-security controls (access, retention, logs).

Step 5 — Governance for SMEs (lightweight)

  • One owner: name a practical AI contact in the company (can be the DPO or compliance lead).
  • One policy page: who can use which tools, where to store outputs, when to involve a human reviewer.
  • Training: brief managers on acceptable use, bias risks and escalation paths.
  • Sandbox & guidance: consider regulatory sandboxes and official guidance aimed at SMEs.

Fines (what SMEs should know)

Severe breaches (e.g., prohibited practices) can trigger high fines. The Act provides proportional treatment for SMEs and start-ups, but do not rely on that—fix issues early.

Common pitfalls I see

  • “We only use off-the-shelf tools, so we are outside scope.” Deployers still have duties (transparency, monitoring, records).
  • Missing the timeline. Work back from August 2026; sort prohibited uses and transparency now.
  • No vendor evidence. Contracts without documentation duties make compliance and audits hard.
  • Security gap. AI outputs end up in uncontrolled drives or chats—fix with simple rules.

My 6-point starter kit for SMEs

  1. Inventory of AI tools and use cases; mark possible high-risk ones.
  2. Choose one transparency workflow for AI-generated content (media, docs, images).
  3. Add an AI clause to vendor contracts (assurances + notifications).
  4. One-page internal policy; short training for managers.
  5. For high-risk cases: start the documentation pack and human-oversight plan.
  6. Set a review date every quarter to update the inventory and fixes.

FAQs

We are not building models. Do we still have duties?

Yes. As a deployer, you still handle transparency, records and safe use. For high-risk use cases, more duties can apply.

When do we need to label AI-generated content?

Plan the labelling workflow now. Transparency duties form part of the 2026 phase-in; some GPAI and governance rules start in 2025.

Are fines different for SMEs?

Fines can be large, but the Act provides proportional treatment for SMEs and start-ups. Good preparation reduces risk and cost.

Call to action

Schedule a personal consultation. I will map your use cases, draft light-weight controls, align vendor contracts, and set a clear path to compliance.

Further reading (official)

Disclaimer: This article provides general information and does not replace individual legal advice.

Popular Articles

CSRD in simple terms (2025): who must report, when, and a starter plan

I advise companies on EU reporting. Below is a clear view of the CSRD: who is in scope, when reporting starts, and what to do first. The short answer Who is in scope (plain list) Timeline (what applies when) Note on changes in 2025: the EU is running a simplification process (“omnibus”). Some proposals would […]

EU AI Act for SMEs (2025): what you must do now

I advise companies that use or build AI. Below is a simple plan for SMEs to prepare for the EU AI Act without wasting time or money. Why this matters The EU AI Act is now in force and its duties start to apply in phases. If you prepare early, you avoid last-minute costs and […]

Incoterms® 2020 explained for SMEs: EXW, FOB, CIF, DDP (simple and practical)

I advise companies on cross-border sales and logistics. Below I explain how Incoterms® 2020 shift risk and costs, which terms make sense for SMEs, and how to avoid the common traps. Why this matters Incoterms share two jobs: who pays for which leg of transport and when risk moves from seller to buyer. If you […]

CISG vs German law: which law for your B2B sales contract?

I advise companies on cross-border contracts. Below I explain, in plain language, when the UN Sales Convention (CISG) makes sense and when German domestic sales law is the better fit. The short answer What the CISG is (in one minute) The CISG is an international treaty for B2B sales of goods. Many countries have joined. […]

German nationality reform (June 2024): dual citizenship and faster naturalisation

I advise private individuals and companies on nationality and migration. Here is a clear guide to what changed on 27 June 2024, who qualifies, and how to prepare a clean application without delays. Why this matters The 2024 reform made two big moves: Germany now allows dual citizenship in principle, and the regular timeline for […]

Opportunity Card (Chancenkarte) Germany 2025: the points system in plain language

I advise companies and skilled professionals on German migration and employment law. Here is a clear guide to the Opportunity Card—what it is, how the points work, and how to move fast without mistakes. Why this matters now The Opportunity Card is Germany’s new route for coming to look for qualified work. It is practical […]

EU Blue Card Germany 2025: salary thresholds, requirements, and steps

I advise companies and skilled professionals on German immigration and employment law. Below I explain the EU Blue Card in plain language. No jargon. Only what you need to act with confidence. Why this matters in 2025 The rules are clear but exact. If you get them right at the start, your onboarding is smooth […]