EU AI Act Compliance Checklist for SMBs

A step-by-step EU AI Act checklist that takes an SMB from a blank page to audit-ready: inventory your AI, classify each system, document the high-risk ones, train your people, and keep the evidence alive.

What this checklist covers

EU AI Act compliance for an SMB comes down to five repeatable steps: inventory every AI system you use, classify each one by risk tier, document the high-risk systems, deliver Article 4 AI-literacy training, and keep that evidence current as your tools change. The EU AI Act is Regulation (EU) 2024/1689, and parts of it already apply.

Key dates to plan around: the Article 5 prohibited practices and the Article 4 AI-literacy duty have applied since 2 February 2025; the general-purpose AI and governance rules since 2 August 2025; most high-risk obligations (the Annex III use cases) apply from 2 August 2026; and high-risk AI embedded in products covered by existing EU product legislation (Annex I) from 2 August 2027. A 'Digital Omnibus' package has been proposed that would defer some of these deadlines, but it has not been adopted, so plan against the dates above as the law stands.

Penalties are real: up to EUR 35M or 7% of global annual turnover for prohibited practices, and up to EUR 15M or 3% for most other breaches. Work through the steps below in order.

Step 1 - Inventory every AI system you use

You cannot comply with what you cannot see. Build one living register of every AI system your organisation provides or deploys, including the shadow tools individual teams adopted without IT sign-off.

  1. List every AI tool in active use: chat assistants, coding copilots, AI features inside your CRM, ATS or support desk, and any model in your own product.
  2. Record, for each one, the vendor, the business owner, where it runs, and what data it touches.
  3. Note your role for each system: provider (you build it or place it on the market under your own name or trademark) or deployer (you use a system someone else provides). The obligations differ, and under Article 25 a deployer that rebrands a high-risk system or substantially modifies it can become its provider, so record any customisation you have made.
  4. Capture which people or decisions the system affects, for example candidates, customers, or employees.
  5. Assign a single accountable owner per system so the register has a name attached, not just a tool.

Step 2 - Classify each system by risk tier

The EU AI Act sorts systems into four tiers, and the tier decides how much work each one needs. Classify once, then reuse that decision across your other frameworks.

  • Prohibited: practices banned under Article 5, such as social scoring or untargeted scraping of facial images to build recognition databases. If you find one, stop using it now.
  • High-risk: systems under Article 6 and Annex III, including AI used in recruitment, worker management, credit scoring, education, or access to essential services. These carry the heaviest obligations.
  • Limited-risk: systems with transparency duties under Article 50, such as chatbots that must tell users they are interacting with AI, and AI-generated or manipulated content that must be disclosed as such.
  • Minimal-risk: everything else, for example spam filters, which carry no mandatory obligations beyond the Article 4 AI-literacy duty.

Write down the reasoning for each classification, especially for any system you decide is not high-risk, because that decision is exactly what an auditor will challenge.

Step 3 - Document your high-risk systems

High-risk systems need an evidence file an auditor can read. For systems you provide, the technical documentation in Annex IV is the backbone; for systems you deploy, you keep records of how you use and monitor them.

  1. Assemble technical documentation per Annex IV: system purpose, design, data, and performance.
  2. Document the risk-management process required under Article 9 and how you keep it running across the lifecycle.
  3. Describe data governance under Article 10: training, validation, and testing data, and steps taken to address bias.
  4. Record the human oversight measures under Article 14 that let a person intervene or override the system.
  5. Confirm record-keeping under Article 12 and the accuracy, robustness, and cybersecurity measures under Article 15, and retain the automatically generated logs.
  6. As a deployer (Article 26), follow the provider's instructions for use, assign trained people to the human oversight role, monitor the system in operation, and keep the logs under your control for at least six months.

Step 4 - Deliver Article 4 AI-literacy training

Article 4 has applied since 2 February 2025 and covers providers and deployers of all AI systems, not only high-risk ones. Your staff, and anyone else who operates or uses AI on your behalf, must have a level of AI literacy that matches their role and the systems they touch.

  • Identify every group that uses or oversees AI: staff, contractors, and relevant third parties.
  • Match the training depth to the risk: light awareness for minimal-risk tool users, deeper training for anyone overseeing a high-risk system.
  • Cover the basics: what AI can and cannot do, its limits, and the specific risks of the tools your teams use.
  • Record who was trained, on what, and when, because Article 4 expects you to be able to show literacy, not just claim it.
  • Refresh training when you add new tools or when roles change, and brief new hires as part of onboarding.

Step 5 - Keep your evidence current

Compliance is a state you maintain, not a project you finish. AI tools, vendors, and use cases change constantly, and stale evidence is the fastest way to fail an audit. Put a light recurring rhythm in place.

  1. Re-run the inventory on a fixed cadence, for example quarterly, and add any newly adopted tools.
  2. Re-classify any system whose purpose, data, or audience has changed, since a tier can shift.
  3. Update documentation and logs whenever a high-risk system or its vendor is updated.
  4. Watch for regulatory change, including whether the proposed Digital Omnibus deferrals are ever adopted, and move your deadlines only once a change becomes law.
  5. Keep your training records, classification reasoning, and Annex IV files in one place so the evidence is ready when a regulator or customer asks.

Get started

Start your free trial with ComplyAgent, or see pricing.

Last reviewed June 2026 by the ComplyAgent team.