EU AI Act for SMEs
The EU AI Act is live. Most Belgian SMEs don't need to panic. Here's what actually matters, what you can ignore, and what to do about it.
The 30-Second Summary
The EU AI Act is the world's first comprehensive AI regulation. It came into force in August 2024, with most rules kicking in by August 2026.
If you're using ChatGPT to write emails or build a chatbot for customer support, you're probably fine. If you're building AI that scores job candidates, predicts creditworthiness, or is used in healthcare — you have work to do.
If your AI reads emails, writes reports, or helps your team work faster — you are most likely in the clear. This guide helps you confirm that.
Does this apply to me?
Before reading all four risk levels, answer these three questions to find out which section matters for your business.
Does your AI make decisions about people?
Hiring, credit scoring, insurance, medical diagnosis
Does your AI interact with end users who might not know it is AI?
Chatbots, AI-generated content, deepfakes
Does your AI help your internal team work faster?
Email drafting, document analysis, data entry, reporting
How the Act Works: Risk Levels
The Act classifies AI systems into four risk categories. Your obligations depend on where your AI lands.
Unacceptable Risk (Banned)
AI systems that manipulate behavior, exploit vulnerabilities, or enable mass surveillance. These are outright banned in the EU.
Examples:
- Social scoring (like China's citizen score)
- Real-time facial recognition in public spaces (with narrow exceptions for law enforcement)
- AI that manipulates people into harming themselves
What you need to do: Don't build these. You won't.
High Risk
AI used in sensitive areas where mistakes can seriously harm people. These systems face strict requirements.
Examples:
- AI that scores job candidates or screens CVs for hiring
- AI that decides who gets a loan or credit
- AI used in healthcare (diagnosis, treatment recommendations)
- AI in critical infrastructure (transport, energy, water supply)
- AI in education (grading, admission decisions)
What you need to do:
- Risk management: document what could go wrong and how you're mitigating it
- Data governance: ensure training data is high-quality, unbiased, and representative
- Transparency: users must know they're interacting with AI
- Human oversight: a human can intervene or override the AI
- Record-keeping: log how the AI makes decisions
- Conformity assessment: get certified by a third party (similar to CE marking)
Limited Risk (Transparency Rules)
AI systems that interact with people must be transparent about being AI.
Examples:
- Chatbots must tell users they are talking to AI
- AI-generated content like images or text must be labeled
- Emotion recognition and biometric categorization require user notification
What you need to do:
- Add clear disclosures
- Label AI-generated content
- Be transparent
Minimal Risk (No Specific Obligations)
Most AI applications used by SMEs fall here. No special compliance requirements beyond existing laws.
Examples:
- AI-powered email drafting and sorting
- Internal document analysis and summarization
- Sales quote generation
- Data entry automation
- Translation tools
What you need to do: Nothing specific under the AI Act. Follow existing GDPR and data protection rules as you already should.
Your 4-step action plan
List your AI use cases
Write down every tool or system in your organization that uses AI. Include third-party tools like ChatGPT, Copilot, and any custom-built systems.
Classify the risk level
Map each use case to the four risk levels above. Most internal productivity tools will be Minimal Risk.
Document what is needed
For High Risk systems: prepare technical documentation, human oversight plans, and data governance records. For Limited Risk: add transparency disclosures.
Get an independent audit
Have a specialist review your classification and documentation. Catching a misclassification now is far cheaper than a fine later.
How Fly AI helps with EU AI Act compliance
Our AI Audit service was designed for exactly this situation. We review every AI system in your organization, classify each one against the EU AI Act risk framework, identify gaps in documentation or transparency, and deliver a clear action plan with priorities and timelines. For most Belgian SMEs, the audit confirms that your AI usage is Minimal Risk and no further action is required — but having that confirmed in writing gives you legal peace of mind and a competitive edge when working with public sector clients who increasingly require compliance documentation.
AI Audit — Risk Assessment
We classify your AI systems against the EU AI Act, review GDPR alignment, and deliver a compliance report with actionable recommendations.
Learn about our AI AuditAI Agent Management
Already deploying AI agents? Our management portal gives you real-time oversight, audit logs, and the ability to pause any agent instantly — built-in compliance by design.
Explore Agent ManagementNot sure if your AI is compliant?
Related Articles
What is an AI Agent?
AI agents go beyond chatbots — they read data, make decisions, and take action inside your business tools.
LLMs vs Traditional Software
Not everything needs AI. A practical guide to choosing the right tool and knowing when to combine both.
AI Audit Service
Comprehensive assessment of your AI systems, GDPR compliance, and actionable recommendations.
