Back to blog
July 10, 2026 6 min read AI Act

How to Comply with the EU AI Act in 5 Steps (2026 Guide)

By the Themio Expert Editorial Team
Executive Summary
  • Any company that uses an AI tool professionally (not just companies that build AI) is a "deployer" under the EU AI Act (Regulation (EU) 2024/1689) and already has active legal obligations.
  • Compliance is achievable in five concrete steps: inventory, classify, train, document, monitor.
  • Two obligations are already enforceable today: Article 4 (AI literacy) and Article 5 (prohibited practices), both in force since February 2, 2025.
  • Most SMEs can complete steps 1–4 in under a week using a structured tool, without hiring outside counsel.
  • This guide walks through each step with the specific evidence a regulator or investor would expect to see.

If your company uses any AI tool: a chatbot, a recruitment screening tool, an analytics dashboard, or an AI writing assistant, you are already subject to the EU AI Act. The question is not whether to comply, but how to do it efficiently. This guide breaks the process into five steps that a small team can complete without a dedicated legal department.

According to the France Num 2025 Barometer , 26% of European VSEs and SMEs already use at least one AI tool in their operations. Most have not yet documented their obligations under Article 4, which has been legally binding since February 2, 2025.

Step 1: Inventory every AI tool your company uses

Compliance starts with visibility. You cannot classify or document a risk you have not identified.

What to inventory:

  • AI features embedded in software you already use (CRM scoring, ATS/recruitment screening, fraud detection, chatbots, content generation, predictive analytics)
  • Standalone AI tools your team has adopted informally (ChatGPT, Copilot, Midjourney, etc.)
  • AI components inside your own product, if you build software

Who to ask: don't rely on IT alone; survey department heads (HR, sales, marketing, ops). Shadow AI adoption is common; a 2025 sector estimate suggests a large share of workplace AI use happens outside any formal procurement process.

Output of this step: a simple spreadsheet listing tool name, department, purpose, and whether it processes personal data. This becomes the foundation for every later step.

Step 2: Classify each tool's risk level under the AI Act

The AI Act sorts AI systems into risk tiers, and your obligations scale with the tier.

Risk tier Examples Obligation level
Unacceptable (banned) Social scoring, subliminal manipulation, real-time biometric mass surveillance in public spaces Prohibited outright since February 2, 2025
High-risk Recruitment/HR scoring, credit assessment, biometric identification, critical infrastructure management, access to essential services Full obligations (risk management, technical documentation, human oversight). Timeline updated by the finalized Digital Omnibus (June 2026): Annex III systems by December 2, 2027; Annex I systems by August 2, 2028
Limited risk Chatbots, deepfake generators Transparency obligations: users must be told they are interacting with AI
Minimal risk Spam filters, inventory forecasting No specific AI Act obligations beyond general provisions

Most SME tool inventories turn out to be dominated by limited- and minimal-risk tools, with occasional high-risk exposure concentrated in HR/recruitment and credit-adjacent functions (precisely where classification errors are costliest).

Step 3: Document Article 4 AI literacy training

Article 4 requires every deployer to ensure staff operating AI systems have "sufficient AI literacy" (understanding of what the system does, its limitations, and associated risks). This obligation carries no size exemption and has applied to every company since February 2, 2025.

What adequate documentation looks like:

  • A short internal training session (even 30–60 minutes) covering the specific AI tools your team uses
  • Attendance records and training date
  • A one-page summary per tool: what it does, what it should not be relied on for, and who to contact with concerns

Regulators are not expecting a formal certification program from a 15-person company; they are expecting evidence that the obligation was taken seriously and applied proportionately to your size.

Step 4: Build your compliance file

This is the artifact you would show a regulator, an investor during due diligence, or an enterprise customer's procurement team. It should include:

  1. The AI tool inventory (Step 1)
  2. Risk classification for each tool (Step 2)
  3. Article 4 training records (Step 3)
  4. A gap analysis: which obligations are not yet met, and a remediation timeline
  5. For any high-risk tool: technical documentation and a human oversight plan

Building this manually with legal counsel typically costs €5,000–€30,000 for an initial engagement. A structured compliance platform can produce the same documentation (with citations to the specific regulation article behind each recommendation) in under two minutes per tool, at a fraction of the cost.

Step 5: Monitor regulatory change on an ongoing basis

The AI Act is not static. Implementing regulations, technical standards from CENELEC and ETSI, and enforcement guidance from the European AI Office are published continuously, and the "Digital Omnibus" proposal has finalized deadlines for high-risk obligations as of mid-2026.

A compliance posture that was accurate in January can be incomplete by the time of your next board meeting. The minimum viable process is a quarterly re-check of your inventory and classification against current guidance, ideally automated through a tool that flags regulatory changes relevant to the specific tools in your inventory, rather than requiring you to track every publication yourself.

Who this applies to: a quick scope check

Company profile Applies?
EU-incorporated SME using any AI tool Yes: full deployer obligations
Micro-enterprise (under 10 employees) Yes: no blanket size exemption
Non-EU company whose AI outputs reach EU users Yes: extraterritorial reach under Article 2(1)(c)–(d)
Company in an EU accession country (Western Balkans, Ukraine, Moldova) Not yet under domestic law, but EU investors and buyers increasingly require alignment evidence

Key point: The AI Act contains no blanket SME or micro-enterprise exemption. The European AI Office has published guidance on proportionality , but the obligation itself is not waived for small companies.

Frequently asked questions

How long does AI Act compliance actually take for a typical SME?
With a structured process and a compliance tool, steps 1-4 (inventory, classification, training documentation, and compliance file) typically take a small team 3-5 business days. Without a tool, expect several weeks of manual work coordinating across departments and, if outside counsel is involved, several weeks of turnaround on top of that.
Do we need a lawyer to comply with the AI Act?
Not for the majority of SMEs at the current stage of enforcement. Legal counsel becomes important specifically when a tool is classified as high-risk and that classification is contested, or when facing a formal regulatory inquiry. For inventory, Article 4 training documentation, and standard gap analysis, a structured compliance platform is sufficient and considerably faster.
What happens if we simply do nothing?
Article 4 and Article 5 obligations are already enforceable. National market surveillance authorities can impose fines of up to €15 million or 3% of global annual turnover for deployer obligation violations, and up to €35 million or 7% for prohibited-practice violations. Enforcement is expected to intensify from 2026 as national authorities complete formal designation.
We already did a GDPR compliance project. Does that cover the AI Act?
Partially, but not fully. GDPR and the AI Act overlap significantly: most AI systems process personal data, so GDPR obligations run in parallel. However, the AI Act adds AI-specific requirements (risk classification, Article 4 literacy, technical documentation for high-risk systems) that a GDPR-only program does not address. Treat the two as linked, not interchangeable.
Our company is in Serbia / Bosnia / North Macedonia. Do we need to comply now?
Not directly under domestic law today. However, if your AI-enabled product or service reaches EU users, the AI Act's extraterritorial provisions may already apply, and EU investors or enterprise buyers frequently require alignment evidence in due diligence regardless of your country of incorporation. Since the AI Act will be incorporated into national law during EU accession, starting the five-step process now avoids a compressed retrofit later.

Themio.ai automates all five steps (AI tool inventory, risk classification, Article 4 training documentation, gap analysis, and ongoing regulatory monitoring) for European SMEs and companies in EU accession countries. Analysis completed in under two minutes per tool, with 100% EU data hosting and citations to the exact regulation article behind every recommendation.