Compliance · Practical Guide

AI Act Checklist for SMEs: 10 priority actions for 2026.

The EU AI Regulation imposes clear obligations but also provides support measures for small businesses. Here are the 10 steps to follow now, ranked by priority.

Jérémy Pierre
AI Act Compliance Expert
12 June 2026 · 8 min read
Key takeaways · 4 figures to remember

  • 38: occurrences of the term "SME" in the AI Act text
  • 2 August 2026: deadline for national regulatory sandboxes
  • 10: priority actions to start compliance
  • Art. 55: priority access to sandboxes for SMEs

01 - Compliance

1. Inventory all AI tools used in the company

First essential step: identify which AI tools are used, even informally.

Shadow AI poses a major risk for SMEs. According to several studies, nearly 40% of AI tools used in businesses are undeclared. This step helps identify systems covered by the AI Act and avoid surprises.

List all AI tools, including features integrated into existing software (e.g., CRM, recruitment tools, chatbots).
Responsible: CIO, compliance officer or director
Estimated time: 2 to 4 hours
AI Act Article: Art. 3(1) (definition of AI system) + Art. 50 (transparency)

Use a simple table with the following columns: tool name, provider, main function, processed data, internal users. This inventory will serve as the basis for subsequent steps.

02 - Compliance

2. Conduct a risk assessment for each system

Not all AI tools are subject to the same obligations. This step helps prioritise actions.

Classify each tool according to its risk level: prohibited, high-risk, limited risk, minimal risk. Use the interactive tool from the AI Office to help you.
Responsible: Compliance officer or director
Estimated time: 30 minutes per tool
AI Act Article: Art. 6 (high-risk systems) + Annex III

For limited or minimal risk systems, obligations are light. For high-risk systems, specific measures apply from December 2027.

03 - Compliance

3. Identify your regulatory role

The AI Act distinguishes two main roles: provider and deployer. Obligations differ depending on your status.

Determine whether your company is a provider (designs or places on the market an AI system) or a deployer (uses an AI system in the course of its activities).
Responsible: Director or legal officer
Estimated time: 1 hour
AI Act Article: Art. 3(2) (definition of provider) + Art. 3(4) (definition of deployer)

Deployers have lighter obligations compared to providers. For example, they must ensure the system is compliant but are not responsible for its design.

04 - Compliance

4. Verify that prohibited practices are not used

The AI Act has prohibited certain practices since February 2025. This step helps avoid heavy sanctions.

Review AI tools to ensure none correspond to the prohibited practices listed in Article 5 of the AI Act: subliminal manipulation, social scoring, emotion recognition at work, etc.
Responsible: Compliance officer or director
Estimated time: 1 to 2 hours
AI Act Article: Art. 5 (prohibited practices)

If a tool corresponds to a prohibited practice, it must be withdrawn immediately. Penalties can reach €35 million or 7% of global turnover.

05 - Training

5. Implement an AI literacy programme

The AI Act requires minimal training for employees using AI tools.

Train employees on AI basics, associated risks and best practices for use. Use the official resources from the AI Office for SMEs.
Responsible: HR or training officer
Estimated time: 2 to 4 hours preparation + 1 hour training
AI Act Article: Art. 4 (AI literacy)

This training can be integrated into existing modules on data protection or cybersecurity. It should be adapted to the risk level of the tools used.

06 - Documentation

6. Request documentation from your providers

Deployers must ensure their providers comply with the AI Act. This step secures your supply chain.

Request from each AI system provider a compliance statement for the AI Act, as well as technical documentation (Annex IV) if the system is classified as high-risk.
Responsible: Procurement officer or compliance officer
Estimated time: 1 to 2 hours per provider
AI Act Article: Art. 13 (technical documentation) + Art. 28 (deployer obligations)

Keep these documents in a dedicated register. They may be requested during an inspection.

07 - Documentation

7. Create an internal register of AI systems

Deployers must maintain a register of AI systems used, especially if they are classified as high-risk.

Create a register listing all AI systems used, recording for each one: name, provider, risk level, deployment date, internal responsible person and associated documentation.
Responsible: Compliance officer or DPO
Estimated time: 2 to 3 hours
AI Act Article: Art. 29 (register of high-risk systems for deployers)

This register can be integrated into an existing tool (e.g., GDPR processing register). It must be updated regularly.

08 - Oversight

8. Document human oversight

The AI Act requires human oversight for AI systems, particularly those classified as high-risk.

For each AI system, identify who is responsible for human oversight and document the procedures in place (e.g., regular review of decisions, ability to challenge an automated decision).
Responsible: Operational manager or compliance officer
Estimated time: 1 to 2 hours per system
AI Act Article: Art. 14 (human oversight)

This documentation must be accessible and understandable for the employees concerned.

09 - Assessment

9. Prepare the FRIA if applicable

AI systems used in sensitive areas may require an impact assessment.

Check if your AI systems require a Fundamental Rights Impact Assessment (FRIA). If so, begin preparing this assessment using CNIL templates or sector-specific guides.
Responsible: DPO or compliance officer
Estimated time: 4 to 8 hours
AI Act Article: Art. 27 (fundamental rights impact assessment)

The FRIA is mandatory for high-risk systems listed in Annex III. It must be conducted before the system is put into service.

10 - Monitoring

10. Establish a post-deployment monitoring plan

The AI Act requires continuous monitoring of AI systems to detect deviations or incidents.

Implement a monitoring process to track the performance and risks of AI systems in production. Plan regular audits and an incident reporting mechanism.
Responsible: Operational manager or compliance officer
Estimated time: 2 to 3 hours
AI Act Article: Art. 61 (post-deployment monitoring)

This plan can be integrated into existing risk management or compliance procedures.

SMEs benefit from specific support measures in the AI Act:

  • Reduced fees: Article 43(4) provides preferential rates for high-risk system conformity assessments.
  • Priority access to regulatory sandboxes: Article 55 guarantees SMEs priority access to these schemes, which allow testing AI solutions in a secure framework.
  • Lighter obligations for GPAI: Article 53(3) reduces requirements for SME providers of general-purpose AI models.

In France, ARCOM and CNIL are working jointly on a regulatory sandbox, which should be operational by August 2026.


11 - FAQ

Frequently asked questions

Answers to the most common questions SMEs have about the AI Act.

Yes. The AI Act applies to all businesses, regardless of size, as soon as they use or provide AI systems in the European Union. However, the text provides specific support measures for SMEs, such as reduced fees or priority access to regulatory sandboxes.

Penalties can reach €35 million or 7% of global turnover, whichever is higher. For SMEs, supervisory authorities generally prefer support over sanctions, but reputational and legal risks remain significant.

An AI system is classified as high-risk if it is used in one of the areas listed in Annex III of the AI Act. For example: recruitment, education, financial services, healthcare, or critical infrastructure. Use the interactive tool from the AI Office to check.

A regulatory sandbox is a controlled environment that allows businesses to test innovative AI solutions under the supervision of competent authorities. Article 57 of the AI Act requires each Member State to create at least one by August 2026. SMEs benefit from priority access.

The AI Act does not explicitly require the appointment of an AI compliance officer. However, it is recommended to designate a reference person to coordinate compliance actions, especially if the company uses multiple AI systems or high-risk systems. This person could be the DPO, legal officer or a trained employee.

Jérémy Pierre
Founder aiacto.eu · AI Act Compliance Expert

Supports AI providers and deployers in regulatory compliance.
