EU AI Act compliance software for SMBs

The EU AI Act (Regulation (EU) 2024/1689) is the first comprehensive law governing artificial intelligence. It applies to organisations that provide or deploy AI systems affecting people in the EU - including companies based outside the EU whose AI output is used in the Union. Penalties run up to €35M or 7% of global turnover for prohibited practices, and up to €15M or 3% for other breaches. ComplyAgent turns that obligation into a workflow an SMB can run in days.

Are you in scope?

Most SMBs are deployers - you use AI tools built by someone else (an AI recruiting screen, a support copilot, an analytics model). Some are also providers - you ship an AI feature in your own product. Both carry obligations, and the first question a regulator asks is the same for everyone: list every AI system you use. If your team touches ChatGPT, Copilot, Cursor, Gong, an AI-assisted ATS, or any model in your own stack, you are in scope.

The four risk tiers

Every system is sorted into one of four risk tiers, and the tier determines everything downstream:

• Unacceptable risk - prohibited outright under Article 5 (e.g. social scoring, most real-time public biometric identification).
• High risk - permitted but heavily regulated; listed in Annex III (recruitment, credit, education, biometrics) or as a safety component of a regulated product. Subject to Articles 9-15.
• Limited risk - transparency duties only under Article 50 (tell users they are interacting with AI or that content is AI-generated).
• Minimal risk - the majority of systems; no mandatory obligations.

What high-risk systems must document

If a system lands in the high-risk tier, you need a defensible evidence pack. The Act spells out what it contains:

• Article 9 - a risk-management system maintained across the lifecycle.
• Article 10 - data governance for training, validation and testing data.
• Article 11 + Annex IV - technical documentation (often ~40 pages per system).
• Article 12 - automatic logging / record-keeping.
• Articles 13-14 - transparency to users and effective human oversight.
• Article 15 - accuracy, robustness and cybersecurity.
• Article 47 - the EU declaration of conformity.

Key deadlines

AI literacy (Article 4)

Since 2 February 2025, Article 4 requires every organisation that deploys AI to ensure staff who use it have a sufficient understanding of AI - its opportunities, risks and possible harms. ComplyAgent includes role-aware AI-literacy modules with quizzes, certificates and completion tracking, so the obligation is covered out of the box and you have records to show an auditor.

A worked example: a 50-person HR-tech company

Say you sell recruiting software with an AI screening feature. That feature is high-risk (Annex III, point 4). You inventory it, classify it in the wizard (which cites Annex III and Article 6), and ComplyAgent drafts the Annex IV documentation, the Article 9 risk plan and the Article 14 oversight measures, then maps the same classification onto NIST AI RMF and ISO/IEC 42001 so a US enterprise RFP is answered too. What a consultant bills $50k-$200k to do once becomes a subscription that stays current as your stack changes.

How ComplyAgent covers the EU AI Act

ComplyAgent builds a live AI inventory (including auto-detection from your codebase), runs a 10-question classification wizard with citations, auto-drafts the required documentation, delivers Article 4 training, and assembles a one-click audit pack - and a living compliance score so you know where you stand between audits. Because you classify once and comply across three frameworks, the same work also answers NIST and ISO questions.

Get audit-ready

Start a 14-day free trial (no credit card), see pricing, or browse the AI compliance glossary.