5 Things SMEs Must Do Before the AI Act Deadline

Start With What You Actually Have

Most SMEs don't actually know all the AI tools their teams use. Marketing is using ChatGPT. HR bought an AI screening tool six months ago. Finance is using something for forecasting. That SaaS product you signed up for last year has AI features you've never turned off. Start there — not with the regulation, but with your own inventory.^[1]

Spend an afternoon talking to each team lead. Ask them what AI tools they're using. You'll probably be surprised. A company of 30 people can easily have 10–15 AI-powered tools running without anyone having a full picture. You can't manage what you haven't mapped.

Classify Each Tool — Even Roughly

Once you have your list, you need to know which category each tool falls into. The AI Act has four: prohibited, high-risk, limited risk, and minimal risk. The easiest question to start with: does this AI make or influence decisions about individual people? Hiring, credit, access to services, education? That's probably high-risk territory. Is it a chatbot talking to customers? Limited risk — just needs a disclosure. Is it a writing assistant your team uses internally? Minimal risk. No specific obligations, just good practice to document it.^[2]

Don't guess on classification. Getting it wrong is the most common compliance mistake. Our free audit takes under 10 minutes and does this for you.

Add a Disclosure to Your Chatbot

Article 52 kicks in August 2, 2026. Every customer-facing AI needs to be disclosed as AI. For most chatbots, the fix is literally one sentence at the start of the conversation: "Hi, I'm an AI assistant." That's it. Clear, timely, done. If you're also publishing AI-generated images or video, add a label. "Generated with AI" in the caption counts. This is simpler than it sounds — the hard part is remembering to do it.

Write Down What You're Doing

The regulation requires that you can demonstrate responsible AI use. That means documentation. For minimal and limited risk systems, this doesn't have to be elaborate — a one or two-page summary per tool covering what it does, what data it touches, who in your company is responsible for it, and what human oversight exists. A Google Doc is fine. The point is that if a regulator ever asks, you have a paper trail showing you took this seriously.^[3]

For high-risk AI — if you have any — the documentation requirements are much heavier. Conformity assessments, technical specifications, training data records. This is the work that takes weeks, not hours. If you're in that territory, the proposed 2027 extension helps, but it's not final yet. Start now.

Brief Your Team

Article 4 requires AI literacy. That sounds more serious than it is. For most SMEs, a documented one-hour session per tool is sufficient — what the tool does, what it doesn't do well, when to question its output, who to raise concerns with. You don't need to train your team on how neural networks work. You need them to understand the tools they're using and know that "the AI said so" isn't always the end of the conversation.

Technically this was required from February 2025. If you haven't done it yet, do it now. Document it. A short email summary of what was covered counts as evidence.

The Order Matters

Steps one and two — inventory and classification — unlock everything else. Do those first. They take a day and tell you exactly what level of work you actually face. Most SMEs discover their compliance burden is much lighter than they feared. Some discover they have a high-risk tool they didn't know about. Either way, it's better to know.