AI Governance for SMEs: Proportionate Compliance Without the Overhead

The SME Challenge

Small and medium enterprises face a real tension when it comes to EU AI Act compliance: the obligations apply regardless of company size, yet SMEs often lack the internal legal, technical, and compliance resources of large corporations.

The good news is that the Act does recognise this. Article 55 requires Member States to provide SMEs with priority access to regulatory sandboxes, and several provisions allow for proportionate documentation where the AI system's risk level is lower.

What SMEs Are Likely Deploying

Most SMEs use AI as deployers rather than providers — they integrate third-party AI tools into their operations (CRM systems with AI scoring, HR tools with AI screening, AI customer service chatbots).

As a deployer, your obligations are lighter than a provider's, but they are not zero:

• You must use AI systems in accordance with the provider's instructions
• You must implement human oversight where required
• You must not use a high-risk AI system for purposes beyond its intended use
• You must report serious incidents and malfunctions

Practical Steps for SME Compliance

Step 1: Inventory Your AI Use

Create a register of every AI system your business uses. For each, note:

• Who the provider is
• Whether it appears in Annex III (high-risk)
• What decisions it influences

Step 2: Obtain Provider Documentation

For any high-risk AI, request the provider's instructions for use and technical documentation summary. File this centrally.

Step 3: Train Your Staff

Article 4 applies to you. Even a proportionate 2-hour AI literacy session for your team creates a documented compliance record.

Step 4: Designate an AI Lead

Appoint someone internally — even part-time — to own AI compliance. For most SMEs, this is a senior operations or IT manager.

AICI's SME compliance package provides everything you need in a single, affordable programme.