What the EU AI Act is
The EU AI Act is the first comprehensive legislation in the world to regulate the use of artificial intelligence. The law was adopted in 2024 and comes into force in stages. In 2026 most provisions are operational, including the rules for high-risk AI systems and the transparency obligations.
For large tech companies that develop AI models, the impact is enormous. For SMBs that use AI as a tool in their operations, the picture is more nuanced.
What is relevant for you as an SMB owner
The AI Act works with a risk classification. AI systems are sorted into four categories: unacceptable risk (banned), high risk (strict requirements), limited risk (transparency obligations) and minimal risk (no extra requirements).
Most AI applications that SMBs use fall into the minimal or limited risk category. Think of AI for email processing, content generation, data analysis, customer-service support and process orchestration. No heavy compliance requirements apply to these.
Transparency obligation: If you use AI in customer contact, you must make clear that the customer is communicating with an AI system. That is the most important concrete obligation for most SMBs. In practice this means: if you have an AI chatbot on your website, state that it is an AI.
High risk applies specifically to: AI in recruitment and selection, credit assessment, access to essential services and certain government processes. If you use AI to screen applicants or make creditworthiness decisions, you fall under stricter rules. Most SMBs do not do this.
What you can ignore
The vast majority of the AI Act is written for developers of AI models and for organisations that deploy AI for high-risk applications. If you use AI as an entrepreneur to improve your business processes, you do not need to worry about training foundation models, conformity assessments for AI systems, or extensive technical documentation.
That does not mean you should be careless. But the obligations that apply directly to you are manageable and often already covered by common sense and existing GDPR compliance.
What you do need to do
Three concrete actions that are relevant for every SMB. First: know which AI tools you use and for what. Make a simple overview. This takes an hour and gives you a grip. Second: make sure customers know when they are communicating with AI. Transparency is mandatory and also increases trust. Third: check with your AI suppliers whether they are GDPR compliant and whether data is not processed outside the EU or used for model training. This is a GDPR obligation you already have anyway.
What InnoWorks pays attention to
In everything we build, we make sure it complies with both the GDPR and the AI Act. Data is processed in Dutch data centres, we work model-agnostic so there is no vendor lock-in, and we always build with a human in the loop: AI advises, the human decides.
That is not a compliance checkbox. That is how we think AI should work: transparent, reliable and under the control of the entrepreneur.
