Where we stand now

The EU AI Act entered into force in stages. The ban on certain "unacceptable" uses has applied since February 2025, and the rules for general-purpose AI models (GPAI) became effective in August 2025, per the European Commission. This is not a future law to watch. It already applies.

At the same time, the picture is messy: through spring 2026 the Council and Parliament have been discussing adjustments to parts of the framework, which lawyers have dubbed "AI Act reloaded". A law being fine-tuned while it is being implemented makes planning harder, not easier.

What getting it wrong costs

The fines are not symbolic. Under Article 99, penalties for breaches of the prohibited uses can reach up to €35 million or 7% of global turnover. GPAI providers risk up to €15 million or 3%, and supplying incorrect information up to €7.5 million or 1%. Small and mid-size firms get lower tiers. But "lower" is not the same as "negligible".

The SMB problem: not the fines, the uncertainty

Most smaller companies don't build their own AI models. They use them, in CRM, support tools and Office. So the question isn't "are we a high-risk AI provider" but "do we even know which AI features are already switched on, and what data they touch?". That's where most fall short: not through bad intent, but through lack of overview.

Three steps that take you far

  • Inventory. Map which AI tools and features are actually in use, and what data they process.
  • Set simple rules. What may be fed into which tools? Write it in plain language, not legalese.
  • Tie it to GDPR. AI compliance and data protection are the same question seen from two angles.

We help companies with exactly this under Consulting & Projects: policies people can actually follow. Not sure where you stand? Book a consultation.