- Any company that uses an AI tool professionally (not just companies that build AI) is a "deployer" under the EU AI Act (Regulation (EU) 2024/1689) and already has active legal obligations.
- Compliance is achievable in five concrete steps: inventory, classify, train, document, monitor.
- Two obligations are already enforceable today: Article 4 (AI literacy) and Article 5 (prohibited practices), both in force since February 2, 2025.
- Most SMEs can complete steps 1–4 in under a week using a structured tool, without hiring outside counsel.
- This guide walks through each step with the specific evidence a regulator or investor would expect to see.
If your company uses any AI tool: a chatbot, a recruitment screening tool, an analytics dashboard, or an AI writing assistant, you are already subject to the EU AI Act. The question is not whether to comply, but how to do it efficiently. This guide breaks the process into five steps that a small team can complete without a dedicated legal department.
According to the France Num 2025 Barometer , 26% of European VSEs and SMEs already use at least one AI tool in their operations. Most have not yet documented their obligations under Article 4, which has been legally binding since February 2, 2025.
Step 1: Inventory every AI tool your company uses
Compliance starts with visibility. You cannot classify or document a risk you have not identified.
What to inventory:
- AI features embedded in software you already use (CRM scoring, ATS/recruitment screening, fraud detection, chatbots, content generation, predictive analytics)
- Standalone AI tools your team has adopted informally (ChatGPT, Copilot, Midjourney, etc.)
- AI components inside your own product, if you build software
Who to ask: don't rely on IT alone; survey department heads (HR, sales, marketing, ops). Shadow AI adoption is common; a 2025 sector estimate suggests a large share of workplace AI use happens outside any formal procurement process.
Output of this step: a simple spreadsheet listing tool name, department, purpose, and whether it processes personal data. This becomes the foundation for every later step.
Step 2: Classify each tool's risk level under the AI Act
The AI Act sorts AI systems into risk tiers, and your obligations scale with the tier.
| Risk tier | Examples | Obligation level |
|---|---|---|
| Unacceptable (banned) | Social scoring, subliminal manipulation, real-time biometric mass surveillance in public spaces | Prohibited outright since February 2, 2025 |
| High-risk | Recruitment/HR scoring, credit assessment, biometric identification, critical infrastructure management, access to essential services | Full obligations (risk management, technical documentation, human oversight). Timeline updated by the finalized Digital Omnibus (June 2026): Annex III systems by December 2, 2027; Annex I systems by August 2, 2028 |
| Limited risk | Chatbots, deepfake generators | Transparency obligations: users must be told they are interacting with AI |
| Minimal risk | Spam filters, inventory forecasting | No specific AI Act obligations beyond general provisions |
Most SME tool inventories turn out to be dominated by limited- and minimal-risk tools, with occasional high-risk exposure concentrated in HR/recruitment and credit-adjacent functions (precisely where classification errors are costliest).
Step 3: Document Article 4 AI literacy training
Article 4 requires every deployer to ensure staff operating AI systems have "sufficient AI literacy" (understanding of what the system does, its limitations, and associated risks). This obligation carries no size exemption and has applied to every company since February 2, 2025.
What adequate documentation looks like:
- A short internal training session (even 30–60 minutes) covering the specific AI tools your team uses
- Attendance records and training date
- A one-page summary per tool: what it does, what it should not be relied on for, and who to contact with concerns
Regulators are not expecting a formal certification program from a 15-person company; they are expecting evidence that the obligation was taken seriously and applied proportionately to your size.
Step 4: Build your compliance file
This is the artifact you would show a regulator, an investor during due diligence, or an enterprise customer's procurement team. It should include:
- The AI tool inventory (Step 1)
- Risk classification for each tool (Step 2)
- Article 4 training records (Step 3)
- A gap analysis: which obligations are not yet met, and a remediation timeline
- For any high-risk tool: technical documentation and a human oversight plan
Building this manually with legal counsel typically costs €5,000–€30,000 for an initial engagement. A structured compliance platform can produce the same documentation (with citations to the specific regulation article behind each recommendation) in under two minutes per tool, at a fraction of the cost.
Step 5: Monitor regulatory change on an ongoing basis
The AI Act is not static. Implementing regulations, technical standards from CENELEC and ETSI, and enforcement guidance from the European AI Office are published continuously, and the "Digital Omnibus" proposal has finalized deadlines for high-risk obligations as of mid-2026.
A compliance posture that was accurate in January can be incomplete by the time of your next board meeting. The minimum viable process is a quarterly re-check of your inventory and classification against current guidance, ideally automated through a tool that flags regulatory changes relevant to the specific tools in your inventory, rather than requiring you to track every publication yourself.
Who this applies to: a quick scope check
| Company profile | Applies? |
|---|---|
| EU-incorporated SME using any AI tool | Yes: full deployer obligations |
| Micro-enterprise (under 10 employees) | Yes: no blanket size exemption |
| Non-EU company whose AI outputs reach EU users | Yes: extraterritorial reach under Article 2(1)(c)–(d) |
| Company in an EU accession country (Western Balkans, Ukraine, Moldova) | Not yet under domestic law, but EU investors and buyers increasingly require alignment evidence |
Key point: The AI Act contains no blanket SME or micro-enterprise exemption. The European AI Office has published guidance on proportionality , but the obligation itself is not waived for small companies.
Frequently asked questions
Themio.ai automates all five steps (AI tool inventory, risk classification, Article 4 training documentation, gap analysis, and ongoing regulatory monitoring) for European SMEs and companies in EU accession countries. Analysis completed in under two minutes per tool, with 100% EU data hosting and citations to the exact regulation article behind every recommendation.