EU AI Act readiness for SMEs

Step one: know where AI is used

Start with a list. Every AI tool, feature, vendor model, or workflow that touches your product, employees or customers. Include the intended purpose, data involved and who is responsible. This inventory is the foundation everything else builds on.

Most companies can complete this in a week. Most have never written it down.

Step two: classify your EU AI Act role

For each system, you need to know whether you are a provider, deployer, distributor or importer under the AI Act. Role determines which obligations apply. Many SMEs using third-party AI#models are deployers with specific requirements around transparency, oversight and documentation.

A quick classification exercise for your main AI systems takes a day and gives you a defensible position if buyers ask.

Step three: document your controls

Write down how AI decisions are reviewed, who can override them, how incidents are reported and what supplier checks you do. A one-page control summary per system is enough for most procurement questions.

Three steps. Most SMEs can complete them in six to eight weeks. The output is real evidence, not a compliance checkbox.

Step one: know where AI is used

Step two: classify your EU AI Act role

Step three: document your controls

Related articles

The EU AI Act timeline may move. Buyer evidence expectations will not.

How ISO/IEC 42001 supports AI Act compliance

Designing an AI governance operating model that teams will use