Blog · 16. Juni 2026 · Tobias Wissen

The EU AI Act for small businesses: what applies, what you must do, what you can ignore

The EU AI Act sounds like corporate red tape, but it also affects small businesses using AI. Which duties are real, which deadlines matter and where to stay relaxed.

Since the EU AI Act came into force, I keep getting the same question, usually with an undertone somewhere between worry and irritation: “Do we now have to document something again?” The honest answer is: for most small businesses, less than the headlines suggest, but not nothing. Here is the take without legal jargon.

The basic idea in one sentence

The AI Act does not regulate AI across the board, but by risk. The more dangerous the use for people, the stricter the rules. Most of what a normal business does with AI falls into the lowest tier, and there the obligations are minimal. So what matters is not whether you use AI, but what you use it for.

The four tiers, briefly explained

  • Prohibited. A few things are simply banned, such as social scoring of people or manipulative systems. Practically never relevant for a normal business.
  • High risk. This is where it gets serious: AI in personnel selection (rating, pre-sorting applicants), in lending, in critical infrastructure. Anyone who deploys something like that has real obligations. That also affects small businesses as soon as they use AI in recruiting.
  • Limited risk. Above all a transparency duty: when a customer talks to an AI (chatbot, AI phone assistant), they must be able to tell. AI-generated content should be marked as such.
  • Minimal risk. The large rest. Drafting texts, researching, summarising, building spreadsheets. Here there are no special obligations.

What that means concretely for you

For most small businesses the real obligations come down to three things:

  1. Transparency in customer contact. If you use a chatbot or an AI phone assistant, make it clear that an AI is answering. That is no big deal; often a single sentence is enough. As a side effect it builds trust.
  2. Caution in HR. As soon as AI has a say in selecting applicants, you are potentially in the high-risk area, with significantly higher requirements. Here you should look closely before you put a tool into real use.
  3. AI competence in the team. The AI Act expects people who use AI professionally to understand what they are doing. That does not mean certificates, but a basic briefing: what the tool can do, where it gets things wrong, what does not belong in it.

What you can take calmly

You do not need an AI department, a 50-page policy or an expensive specialist consultant just because you use ChatGPT for drafting text. The bulk of everyday work falls into the lowest tier. Anyone who panics here mostly forfeits the benefit.

The deadlines give breathing room too: the strict obligations take effect in stages, and the sharp parts concern high-risk applications above all. For a business that uses AI for text, research and standard communication, the acute pressure to act is low.

The one step that always pays off

Regardless of the legal text, one simple internal rule is worth its weight in gold: who on the team may put which data into which AI tool? That single decision answers most data-protection and AI Act questions in daily work before they even arise. It guards against the classic case of someone quickly dumping a customer list into some random tool.

This is exactly where we come in: we look at where you actually use AI, map it to the risk tiers, and you get a clear, concise list of actions instead of a binder. What is mandatory, we do properly. What is scaremongering, we leave out.

If you want to know where your business stands on the AI Act: I will do an honest stocktake with you, without the drama.

Tobias Wissen

Owner, WISSEN BERATUNG

This article is a practical orientation, not legal advice. When in doubt, and for high-risk applications, you should seek legal counsel.