Regulation (EU) 2024/1689 · In force

The AI Act applies to your SME.
Here is what you need to know — and do.

The European AI Act is the world's first regulatory framework dedicated to artificial intelligence. It concerns any organization using an AI tool in Europe — including third-party SaaS software. Themio identifies your obligations and structures your compliance, without an in-house lawyer.

The essentials in 4 points

Risk-based approach

4 classification levels: Unacceptable, High, Limited, Minimal. Your level determines your exact obligations.

Every SME is affected

If you use a third-party AI tool, you are a "deployer" and have compliance obligations.

New deadline: December 2, 2027

The compliance deadline for high-risk systems is extended to December 2, 2027. Note: compliance remains mandatory, only the timeline has changed.

Fines up to 7% of global turnover

In case of violation of the prohibitions (unacceptable risk systems), penalties are immediate and severe: up to €35 million or 7% of worldwide annual turnover. Other infringements are capped at €15 million or 3%.

What is the AI Act?

AI Act, AIA, Regulation (EU) 2024/1689: one text, multiple names

The AI Act, also called AIA (Artificial Intelligence Act) or Regulation (EU) 2024/1689, is the European legislation that governs the development and use of artificial intelligence systems within the European Union. Published in the Official Journal on July 12, 2024 and in force since August 1, 2024, it is the world's first comprehensive regulatory framework dedicated to AI.

Its goal is twofold: to ensure trustworthy AI that respects fundamental rights and privacy — while preserving space for innovation. By legislating first, Europe is taking a global strategic lead on this issue.

Key Takeaways

  • AI Act = AIA = Regulation (EU) 2024/1689 — a single text
  • In Europe, national authorities and administrations often use AIA
  • Progressive application from February 2025 (prohibitions) to August 2028 (Annex I high-risk systems, after the Omnibus postponement described below)

Who is concerned?

Your SME is concerned — even if you didn't develop the AI yourself

The regulation applies to any organization that develops OR uses an artificial intelligence system in Europe. According to the official definition (Article 3(1)), an AI system is a machine-based system that operates with some degree of autonomy and infers from its inputs how to generate outputs such as predictions, recommendations, decisions, or content that can influence a physical or virtual environment.

In concrete terms: a SaaS product that embeds an AI feature falls within the scope of the regulation as soon as that feature meets this definition; the weight of your obligations then depends on what the feature is used for, for instance whether it influences decisions about people or automates a process. This holds even if you haven't written a single line of code.

Provider or deployer: what is the difference?

Provider
  Develops an AI system or places it on the market.
  Example: publisher of an automated HR scoring tool.
  Maximum obligations: documentation, conformity assessment, registration.
  Few SMEs are in this category.

Deployer
  Uses an AI system developed by a third party.
  Example: an SME using that same tool for recruiting.
  Obligations of verification, monitoring, and transparency.
  The vast majority of SMEs are deployers.

Note: If your SME uses a CRM with AI scoring, an automated recruiting tool, or a decision-making chatbot, you are a deployer and you have obligations. Caveat: a deployer that puts its own name or trademark on a high-risk system, substantially modifies it, or changes its intended purpose takes on the provider's obligations (Article 25).

The risk-based approach

The 4 classification levels of the AI Act

Level 1: Unacceptable risk
PROHIBITED — IN EFFECT SINCE FEB. 2025

Prohibited systems: immediate sanctions

AI systems with unacceptable risk are strictly prohibited since February 2, 2025. They are incompatible with European fundamental rights.

Specifically prohibited are (Article 5), among others:

  • Subliminal, manipulative or deceptive techniques that materially distort a person's behavior without their awareness and cause or are likely to cause significant harm
  • Exploiting the vulnerabilities of a person or group (age, disability, social or economic situation) to materially distort behavior and cause significant harm
  • Social scoring (evaluating or classifying people on their social behavior or personal traits, leading to detrimental or disproportionate treatment)
  • Real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (subject to narrow, specifically authorised exceptions)
  • Predictive policing based solely on profiling of a natural person, untargeted scraping of facial images to build facial recognition databases, emotion recognition in the workplace and in education, and biometric categorisation to infer race, political opinions, religion or sexual orientation (some with limited exceptions)

Alert: If your organization uses one of these systems, exposure to sanctions is immediate. There is no transition phase; the prohibition is in effect.
Level 2: High risk
STRICT OBLIGATIONS — NEW DEADLINE: DECEMBER 2, 2027

High-risk systems: mandatory compliance by December 2, 2027

May 2026 Update: following the Digital AI Omnibus agreement of May 7, 2026, the compliance deadline for high-risk systems (Annex III) has been postponed from August 2026 to December 2, 2027. Formal adoption is expected before the end of July 2026. The timeline is extended — the obligations remain.

This is the most impactful level for SMEs and mid-caps. It covers use cases already deployed in many business functions. Annex III lists 8 high-risk areas; a second route to high-risk classification is Annex I (AI that is a safety component of a product already regulated at EU level, such as a medical device or machinery). The Annex III areas, each with a concrete example for an SME:

Area | Concrete example for an SME
Biometrics | Remote biometric identification, emotion recognition (where not prohibited)
Critical infrastructure | Safety components in energy, water, gas or road-traffic management
Education and training | Automated evaluation of learners, admission or assignment decisions
Employment and HR | Automated CV sorting, candidate scoring, task allocation or monitoring of workers
Essential services (credit, insurance, public benefits) | Creditworthiness scoring, risk assessment and pricing for life and health insurance, emergency-call triage
Law enforcement | Risk assessment of individuals, evaluation of the reliability of evidence
Migration and border control | Automated processing of visa, residence or asylum applications
Justice and democratic processes | Judicial decision assistance, systems intended to influence election outcomes

What obligations apply to your company before December 2027?

As a provider (you develop or sell the system):
  • Risk management system and comprehensive technical documentation of the AI system
  • Conformity assessment before placing the system on the market, then CE marking
  • Registration in the EU database for high-risk AI systems
  • Logging, accuracy, robustness and cybersecurity requirements, plus post-market monitoring

As a deployer (you use a third-party system), Article 26:
  • Use the system according to the provider's instructions for use
  • Assign human oversight to people with the competence, training and authority to intervene, and keep that oversight traceable
  • Ensure the input data you control is relevant and sufficiently representative for the intended purpose
  • Monitor operation, and report risks or serious incidents to the provider and the market surveillance authority
  • Keep the logs the system generates for at least six months, unless EU or national law requires longer
  • Inform workers' representatives and affected workers before using the system in the workplace, and inform natural persons subject to its decisions
  • Fundamental Rights Impact Assessment (FRIA, Article 27): required for public bodies and private entities providing public services, and for deployers of credit-scoring and life/health insurance pricing systems

Good news for SMEs: the Omnibus extends the simplifications planned for SMEs to small mid-caps (< 750 employees, < €150M turnover), with streamlined documentation templates and priority access to regulatory sandboxes.

SME alert: If you use an automated CV sorting tool, credit scoring, or any automated evaluation system in your HR or financial processes, you are affected, unless the provider has documented that the narrow exemption of Article 6(3) applies (for example, the system only performs a preparatory or procedural task and does not replace human assessment). Themio determines your risk level in a few minutes.

Level 3: Limited risk
TRANSPARENCY OBLIGATIONS

Limited risk systems: inform users

These systems do not present a major structural risk but must respect transparency obligations (Article 50). People must be informed that they are interacting with an AI, and AI-generated or manipulated content must be disclosed as such.

Examples:

  • Chatbots and conversational assistants
  • Content generation tools (text, image)
  • Deepfakes and other AI-generated or manipulated image, audio or video content (must be labelled as such)
Main obligation: Clearly inform the user that they are interacting with an AI, notably on your website, your app, or your customer service, and label AI-generated or manipulated content (Article 50). Assess your Article 50 compliance in 3 minutes →

Level 4: Minimal risk
NO SPECIFIC OBLIGATIONS

Minimal risk systems: free use

The majority of general-purpose AI applications fall into this category. They are not subject to any specific regulatory obligations under the AI Act, although the general AI literacy duty (Article 4, applicable to all providers and deployers since February 2, 2025), the GDPR and other regulations may still apply.

Examples:

  • Spam filters
  • Standard automatic translation tools
  • Non-decisional content recommendations

Timeline

AI Act Timeline: key deadlines you cannot miss

Date | Obligation | Status
July 12, 2024 | Publication of the regulation in the Official Journal of the EU (entry into force August 1, 2024) | In effect
February 2, 2025 | Prohibition of unacceptable risk systems (Level 1) and AI literacy duty (Article 4) | In effect
August 2, 2025 | Obligations for General Purpose AI models (GPAI), governance and penalty provisions | In effect
July 2026 (expected) | Formal adoption of the Digital AI Omnibus, confirmation of the new deadlines | Pending
Aug. 2026 → Dec. 2, 2027 | Mandatory compliance for high-risk systems, Annex III (HR, credit, education...) | Postponed
Aug. 2027 → Aug. 2028 | Full application for high-risk systems, Annex I (medical devices, machinery...) | Postponed

We are in June 2026. The Digital AI Omnibus political agreement (May 7, 2026) has pushed the main deadline to December 2027 — but formal adoption is imminent and obligations will not disappear. This is the ideal window to start your compliance without last-minute pressure. Themio determines your risk level in a few minutes.

What Themio does for you

Themio automates your AI Act compliance — without an internal legal team

The AI Act imposes a structured compliance process: classifying your systems, documenting your obligations, and producing evidence for the regulator. Themio transforms this process into an automated workflow.

Classification of your AI systems

Themio determines the risk level of each AI system you use or deploy — via a deterministic rules engine, not a guessing chatbot. Result: Unacceptable, High, Limited, or Minimal, with an article-by-article explanation.

Auditable, explainable result, citable to a regulator

Mapping of your exact obligations

Once your risk level is established, Themio lists the precise obligations that apply to you — based on your role (provider or deployer), your sector, and your systems. No generic lists. Your obligations, linked to the applicable article.

Prioritized action plan, exportable as a PDF

Generation of your governance documents

Risk management plans, AI governance policies, system registers, transparency notices — generated automatically and ready to present to your regulator or investors.

Ready for audit from day one

FAQ

Frequently Asked Questions about the AI Act and SME compliance

What is the AI Act and who does it apply to?
The AI Act (EU Regulation 2024/1689) is the world's first comprehensive legislation governing the use of artificial intelligence. It applies to any organization that develops or uses an AI system in Europe — including SMEs that use third-party SaaS software integrating AI features. If your company is based in the EU or if you offer services to EU users, you are affected.
My company uses ChatGPT or a CRM with AI — am I subject to the AI Act?
Yes, potentially. As soon as a tool you use meets the definition of an "AI system" under the regulation (generating predictions, recommendations, or automated decisions), you are considered a "deployer" and have obligations. The level of your obligations depends on the classification of the system involved (High risk, Limited, or Minimal). See how Themio classifies your systems in minutes.
What are the penalties for non-compliance with the AI Act?
Fines vary according to the severity of the infringement. The use of an unacceptable risk system (prohibited since February 2025) is punishable by fines of up to €35 million or 7% of total worldwide annual turnover (whichever is higher). Other violations are penalized up to €15 million or 3% of global turnover, and supplying incorrect or misleading information to authorities up to €7.5 million or 1%. For SMEs and start-ups, each fine is capped at the lower of the two amounts (Article 99(6)), but the compliance obligation remains fully in force.
What is the difference between the AI Act and the GDPR?
The GDPR regulates the processing of personal data. The AI Act regulates artificial intelligence systems. The two often overlap: an AI system that processes personal data is subject to both regulations simultaneously. Themio analyzes your documents against both frameworks in the same audit, avoiding any blind spots.
How can I determine if my AI system is "high risk"?
The regulation defines 8 high-risk areas in its Annex III: biometrics, critical infrastructure, education and training, employment and HR, access to essential services (credit, insurance, public benefits), law enforcement, migration and border control, and justice and democratic processes. If your organization uses an AI system for one of the use cases listed there, even via a third-party tool, you likely fall into the high-risk category; the exception is the narrow Article 6(3) carve-out for systems that do not pose a significant risk (for example, a purely preparatory or procedural task), which the provider must document. Products regulated by other EU legislation, such as medical devices, are high-risk via Annex I instead. Themio determines your classification via a rules engine built article by article, with an explainable and auditable result.
How long does it take to become compliant with the AI Act?
It depends on the number of systems involved and their risk level. The first step, classifying your systems and identifying your obligations, can be completed with Themio in minutes. Full compliance implementation (documentation, internal processes, governance) generally takes from a few weeks to a few months depending on your organization's complexity. With the December 2, 2027 deadline for high-risk systems, the time to act is now.

Identify your AI Act obligations in under 2 minutes.

Themio classifies your AI systems, maps your obligations article by article,
and generates your governance documents — without an internal legal team or costly consultants.

🔒 EU Hosting · Data not shared · No commitment