- The EU AI Act's Article 4 (mandatory AI literacy) has been in force since February 2, 2025. Any SME using AI tools professionally is already a "deployer" subject to obligations (not just companies building AI).
- The market now offers four distinct categories of AI Act compliance tools with significantly different scopes, pricing, and suitability for EU SMEs.
- Most enterprise governance platforms were not built for the EU regulatory context or for SMEs; selecting the wrong category creates false security and real gaps.
- The key criteria for EU SMEs: data hosted in the EU, multi-regulation coverage (AI Act + GDPR + NIS2 in one workflow), and pricing proportionate to company size.
- This guide explains what each category of tool can and cannot do, and how to match the right approach to your company's actual profile.
If your team uses any AI tool in its work, the EU AI Act already applies to you.
That is not a future deadline or a hypothetical; it is the current legal position under Regulation (EU) 2024/1689. Since February 2, 2025, Article 4 of the AI Act has required every organisation that deploys AI systems in a professional context to ensure its staff have adequate AI literacy: knowledge of what the system does, what it cannot do, how to interpret its outputs, and what risks it poses.
A deployer, under the AI Act's definitions, is any company that uses an AI system in a professional context. If your team uses an AI-powered recruitment tool, a content generation assistant, a customer service chatbot, a predictive analytics module, or a smart ERP system, you are a deployer. According to the France Num 2025 Barometer , 26% of European VSEs and SMEs now use at least one AI tool in their business. The majority are unaware this places them under binding regulatory obligations today.
The question for most SMEs is therefore not whether to comply, but how, and which tools can make compliance achievable without a dedicated legal team.
What the EU AI Act requires from SME deployers right now
Before evaluating any compliance tool, it helps to understand precisely which obligations are already active.
In force now (2025):
- Article 4: AI literacy (in force since February 2, 2025): All deployers must ensure staff using AI systems have sufficient knowledge of the system's capabilities, limitations, and appropriate use. No exemption by company size.
- Article 5: Prohibited AI practices (in force since February 2, 2025): Certain AI applications are banned outright: systems that manipulate users subliminally, exploit vulnerabilities, or enable mass social scoring. Update (June 2026): this list now also includes an outright EU-wide ban on "nudifier" apps and AI-generated child sexual abuse material (systems that create non-consensual intimate or sexually explicit imagery, video, or audio of an identifiable person, or CSAM) added under the Digital Omnibus package approved by the European Parliament (June 16, 2026) and the Council (June 29, 2026). Providers and deployers have until December 2, 2026 to bring existing systems into compliance. These bans apply to every company regardless of size or sector.
- Chapter V: General Purpose AI models (in force since August 2, 2025): Rules for companies that build applications on top of foundation models (GPT, Claude, Gemini, Mistral, etc.), including transparency, copyright, and systemic risk obligations for model providers.
Coming into force (2027–2028):
High-risk AI system full obligations (Articles 9–15, 26): Mandatory risk management systems, technical documentation, data governance, human oversight, and post-market monitoring for companies deploying AI in high-risk categories (recruitment and HR management, creditworthiness assessment, biometric identification, critical infrastructure management, education and vocational training, access to essential services). Update (June 2026): the original August 2, 2026 deadline no longer applies. Under the finalized "Digital Omnibus on AI" package, approved by the European Parliament on June 16, 2026 and given final sign-off by the Council on June 29, 2026, obligations now follow a two-tier timeline: stand-alone high-risk AI systems (Annex III) must comply by December 2, 2027, while high-risk AI systems embedded as safety components in regulated products (Annex I) have until August 2, 2028.
For a typical EU SME not deploying AI in formally classified high-risk categories, the 2025 priority is concrete: inventory AI tools in use, document Article 4 training, assess whether any tool falls into a high-risk category, and build a compliance file. That four-step workflow is precisely what a compliance tool should automate.
Who is subject to the AI Act: geographic scope
| Company profile | AI Act applies? | Notes |
|---|---|---|
| EU-incorporated SME using any AI tool | ✅ Yes | Deployer obligations under Articles 4–5 and Chapter III |
| EEA company (Norway, Iceland, Liechtenstein) | ✅ Yes | AI Act incorporated into EEA legal framework via EEA Joint Committee |
| Non-EU company whose AI outputs are used in the EU | ✅ Yes | Extraterritorial reach: Article 2(1)(c)–(d) |
| EU accession country company (Western Balkans, Ukraine, Moldova) | ⚠️ Partial | Not directly subject unless outputs reach EU market; alignment required under accession chapters; EU investors and buyers increasingly require compliance evidence regardless |
| SME in EU using no AI tools whatsoever | ⚠️ Minimal | Prohibited practices ban still applies; no other active obligations |
| Micro-enterprise (under 10 employees) | ✅ Yes | No general exemption; proportionality applies to some high-risk obligations only |
Key point: The AI Act contains no blanket SME or micro-enterprise exemption. The European AI Office has published guidance on proportionality , but the obligation itself is not waived for small companies.
The four categories of AI Act compliance tools
The market for AI Act compliance tooling is still forming. Products fall into four distinct categories with meaningfully different risk profiles for EU SMEs.
Category 1 — Enterprise AI governance platforms
These tools were built for large organisations running complex, multi-jurisdictional AI programs with dedicated governance, risk, and compliance teams. They offer extensive frameworks — AI risk registers, model inventories, audit trails, but they were typically designed before the EU AI Act was final, carry enterprise-level pricing (€15,000–€80,000+ annually), require significant implementation effort from technical staff, and often store data outside the EU.
Best for:
Large enterprises (500+ employees) with dedicated compliance teams and complex AI portfolios.
Not suitable for:
SMEs needing fast, practical compliance coverage without implementation overhead.
Category 2 — GDPR-first privacy compliance tools
A mature category of tools built primarily for GDPR compliance: processing records (ROPA), consent management, data subject request workflows, breach notification tracking. Several are adding AI Act modules as the regulation matures, but GDPR compliance infrastructure and AI Act compliance infrastructure address fundamentally different questions.
Best for:
SMEs whose immediate priority is GDPR, particularly consent, data mapping, and DSR management.
Limitation:
GDPR coverage alone is insufficient for AI Act compliance. An SME subject to both regulations needs both frameworks covered, ideally in one place. Most GDPR-first tools do not yet offer AI risk classification, Article 4 training documentation, or the multi-regulation simultaneous analysis that the current EU regulatory environment requires.
Category 3 — EU-native multi-regulation platforms
A new category of platforms built specifically for the 2024–2027 EU regulatory environment. Rather than addressing one regulation in depth, they analyse a company's situation simultaneously against multiple obligations (AI Act, GDPR, NIS2), identifying interactions and dependencies that single-regulation tools miss.
Key structural differentiators: EU data hosting (no data leaves Europe), explainable AI (every recommendation cites the relevant article number, so the output is defensible to a regulator), SME-calibrated workflows (built for companies without a compliance department, not for large enterprises), and continuous regulatory monitoring (updates as implementing regulations and enforcement guidance are published).
Themio is in this category , covering 37 countries across the EU, EEA, and candidate countries, with analysis completed in under two minutes and zero AI-generated hallucinations: every output is grounded in source regulation.
Best for:
EU SMEs managing multiple regulatory obligations simultaneously; companies in EU accession countries preparing for alignment; founders who need to demonstrate compliance readiness to EU investors without the cost of formal legal audit.
Limitation:
Not a substitute for formal legal counsel where specific high-risk AI system classification requires legal sign-off.
Category 4 — External legal counsel and manual compliance
Engaging a law firm or specialist compliance consultancy to conduct a formal AI Act audit. This delivers the most defensible compliance documentation and is the right choice for companies facing formal regulatory scrutiny or deploying AI in clearly high-risk categories where classification is contested.
The cost is significant: a full AI Act compliance program for an SME through legal counsel typically runs €5,000–€30,000 for the initial engagement, plus ongoing monitoring costs.
Best for:
Companies with confirmed high-risk AI deployments, companies facing regulatory inquiry, or companies for whom a formal legal opinion is required (e.g., for insurance, contracts, or investor due diligence).
Not efficient for:
Initial assessment of standard deployer obligations, Article 4 training documentation, or AI inventory for typical SMEs.
Five criteria that separate adequate tools from inadequate ones
- EU data hosting. Compliance documentation contains sensitive information about internal systems and risk assessments. It must be stored on EU infrastructure under EU data protection law. Always verify: which cloud provider? Which region? Ask for a DPA.
- Multi-regulation coverage. Any company subject to the AI Act is almost certainly also subject to GDPR (AI systems process personal data) and may be subject to NIS2. A tool covering AI Act alone creates compliance gaps from day one.
- Explainable, cited recommendations. Every compliance recommendation should reference the specific article and regulation it derives from. A compliance output you cannot trace to a source is not a compliance output — it is a checklist you cannot defend.
- Proportionate scope and pricing. An SME compliance workflow should look fundamentally different from an enterprise one. If a tool's default workflow assumes a large legal team, a multi-jurisdictional AI portfolio, and months of implementation, it is not the right tool.
- Regulatory update coverage. The AI Act's implementing regulations, technical standards (from CENELEC and ETSI), and enforcement guidance from the European AI Office are published continuously. Your compliance posture from today may be incomplete within six months without a tool that updates alongside the regulation.
A decision framework by company profile
| Situation | Recommended approach |
|---|---|
| EU SME using AI tools, no prior AI Act assessment | EU-native multi-regulation platform (Category 3). Gap analysis + Article 4 documentation + AI inventory. Typical cost: €500–€2,500/year. |
| EU SME with GDPR in place, now adding AI Act | Add an AI-Act-native layer to existing setup, or migrate to a multi-regulation platform to consolidate. |
| Company deploying AI in recruitment, credit scoring, or other high-risk categories | Category 3 platform for initial assessment, then legal counsel for formal high-risk classification sign-off. |
| Non-EU company whose AI outputs reach EU users | AI Act applies. Prioritise provider obligations (technical documentation, transparency, conformity assessment). Category 3 platform + legal review. |
| Western Balkans / Ukraine / Moldova company | AI Act does not yet apply domestically, but EU investors and enterprise buyers require alignment evidence. Start gap analysis and documentation now with a Category 3 platform. |