Does the EU AI Act even apply to a small company?
Short answer: probably, at least a little. The EU AI Act (Regulation (EU) 2024/1689) applies based on what you do with AI and how risky it is — not how many people you employ. There is no blanket "small business is exempt" clause. A seven-person SaaS company that uses an AI tool to screen CVs is in scope in exactly the same way a 700-person company is.
The good news for small teams: the Act is proportionate. The vast majority of everyday AI use — drafting copy, summarising tickets, writing code with an assistant — is limited or minimal risk, where your duties are light. The heavy obligations land on a narrow set of high-risk uses. The whole game, for a small team, is figuring out which bucket each of your AI systems falls into and keeping simple records to prove it.
The four roles — which one are you?
Your obligations depend on your role for each AI system. You can be different roles for different systems.
| Role | You are this if… | Typical for small teams |
|---|---|---|
| Deployer | You use an AI system built by someone else, under your own authority. | Most SMEs — you use ChatGPT, Copilot, an AI support tool, etc. |
| Provider | You develop an AI system (or put your name/brand on one) and place it on the EU market. | AI builders, indie founders shipping an AI product. |
| Importer | You bring a non-EU AI system into the EU market. | Rare for small teams. |
| Distributor | You make an AI system available without being the provider or importer. | Rare for small teams. |
Two roles cover almost every small team: you're a deployer of the AI tools you use, and possibly a provider if you build and ship an AI feature or product. Providers of high-risk systems carry the heaviest duties.
Common AI uses in small teams and their likely risk
Risk tier is the single most important thing to determine. Here's how everyday uses usually land (always confirm per your actual use — context changes the answer):
| What you're doing | Likely tier | Why |
|---|---|---|
| Drafting marketing copy / blog posts with AI | Minimal | No effect on people's rights or safety. |
| Coding with an AI assistant | Minimal | Internal productivity tool. |
| AI chatbot that talks to customers | Limited | Transparency duty — tell people they're talking to AI. |
| AI that summarises or routes support tickets | Limited | Low impact, but document oversight. |
| AI that screens or ranks job applicants | High | Annex III — employment decisions about people. |
| AI used in credit, insurance, or essential-service decisions | High | Annex III — access to essential services. |
A practical readiness checklist
You don't need a compliance department. You need a short, maintained set of records. For a small team, this is realistically a few hours of work plus light upkeep:
- List your AI systems. Every AI tool and AI-enabled feature your team uses or ships. Name, vendor, purpose, who owns it.
- Note your role for each (deployer / provider).
- Classify the risk tier for each (minimal / limited / high). Be honest about the HR/recruitment ones.
- Cover the easy duties everyone has: basic AI literacy for staff using AI, and transparency where you use AI with customers (e.g. "you're chatting with an AI assistant").
- For any high-risk system, start the real work: risk management notes, human-oversight design, data governance, technical documentation (Annex IV), logging, and — for providers — conformity and EU database registration.
- Keep evidence linked, not scattered. Policies, vendor due-diligence, DPIAs, oversight records — attached to the system they belong to, so you can answer "show me" in minutes.
- Set a review date and an owner for each system so the records don't go stale.
That's it. Most small teams find that once the list exists and the risk tiers are set, 80% of their systems need almost nothing, and they can focus the real effort on the one or two that matter.
Key dates
- Aug 2024 — the Act entered into force.
- Feb 2025 — prohibited AI practices banned; AI literacy duties begin.
- Aug 2025 — rules for general-purpose AI (GPAI) models apply.
- 2 Aug 2026 — most high-risk system obligations apply. This is the planning horizon to aim for.
Solo founders & indie AI builders
If you're a one-person company shipping an AI product, two things matter most. First, are you a provider? If your name is on an AI system placed on the EU market, you are — and you carry the provider obligations for any high-risk parts of it. Second, what's your risk tier? Many indie AI products are limited or minimal risk, where your duties are mostly clear transparency and good documentation — very achievable solo.
The trap for solo builders isn't usually the rules; it's having no records at all when an enterprise customer's procurement team asks "are you EU AI Act ready?" A short, maintained inventory with risk tiers and a couple of policies turns that from a deal-blocker into a five-minute answer.
How AICVS helps
AICVS is built for exactly this: the 99% of EU companies that need EU AI Act readiness but can't afford Big Four consulting. You import or add your AI systems, classify likely risk with guided questions, attach evidence, and generate audit-pack and board-ready outputs — based on your own records. It's readiness support, not legal certification, and not a substitute for qualified legal review.
Know your AI. Prove it's under control.
Start free — register one AI system and see where you stand.
Disclaimer: This guide is general readiness information based on the EU AI Act as understood at the time of writing. It is not legal advice, not legal certification, and not a substitute for qualified legal, compliance, or technical review. Risk classification depends on your specific use; confirm your obligations with a suitable adviser. See the regulations library for authoritative sources.