Fines Can Reach €35 Million or 7% of Global Turnover — Yet Many Businesses Still Don’t Know If the Law Applies to Them

If your business is using AI in any shape or form, pay attention: this may apply to you!

Your staff could be using ChatGPT, Claude, or any of the array of AI tools now available on the market: generating text and images, using automation tools, implementing chatbots, or even using 3rd party software that may use AI with your data. And I am amazed at how many businesses have not heard about this yet.

The problem is simple: AI is already in use in many businesses, but AI governance is not.

That matters because the EU AI Act is now in force. The Act introduces legal obligations for certain uses of AI, with penalties for serious non-compliance reaching up to €35 million or 7% of global annual turnover, whichever is higher. For small businesses, the key question is not:

“Are we an AI company?”

The better question is:

“Are we using AI in a way that creates legal, operational or customer risk?”

 

What Is the EU AI Act?

The EU AI Act is a regulation that sets rules for how artificial intelligence can be developed, supplied and used. The official website set up to explain the EU AI Act can be confusing, with pages of text for you to digest.

But in plain English, it is based on risk:

  • some AI uses are banned
  • some AI uses are classed as high-risk
  • some AI uses require transparency
  • some AI uses may only need basic internal controls

The European Commission describes the AI Act as a framework to support responsible AI development and deployment in the EU. And this is not just a law for large technology companies. It can also matter to ordinary businesses that use AI tools in their operations.

 

Why Small Businesses Should Pay Attention

Most SMEs will not need a complex AI compliance programme. That’s where the confusion for most small businesses lies: compliance for most businesses can be quite simple.

At the very least, you should be aware of:

  • what AI tools are being used
  • what business processes they affect
  • whether staff are using AI safely
  • whether any AI use touches customers, employees or sensitive decisions
  • whether the business serves EU customers or operates in EU markets

The Act includes specific support measures for SMEs, including access to regulatory sandboxes, training, awareness activities and reduced conformity assessment fees in some cases. That support exists because smaller organisations are also expected to understand their obligations where relevant. But ignoring the issue is not a strategy.

 

Could the EU AI Act Affect a UK Business?

Yes, potentially. A UK business may need to pay attention to the Act if it:

  • sells products or services into the EU
  • has EU customers or users
  • deploys AI systems that affect people in the EU
  • supplies AI-enabled software or services into the EU
  • uses AI in areas such as recruitment, employment, credit, education, healthcare or access to essential services

Even where the Act does not directly apply, customers, partners, insurers and procurement teams may increasingly expect basic AI governance. For many businesses, this is becoming a commercial trust issue as well as a legal one.

 

Common AI Uses That May Need Review

Small businesses should review AI use cases internally as well as with 3rd party vendors. Such areas may include:

Recruitment and HR: AI used to screen CVs, rank applicants, assess interviews or monitor workers may create higher compliance risk.

Customer Support: Chatbots and automated customer interactions may create transparency obligations, especially where users may not realise they are interacting with AI.

Marketing and Content: AI-generated images, text, video or synthetic content may need proper review, disclosure or internal controls depending on use.

Data Analysis and Decision Support: AI tools used to assess customers, produce recommendations or influence decisions should be reviewed carefully. This includes 3rd party software such as SEO, lead gen and automation tools.

Internal Productivity Tools: Tools such as ChatGPT, Microsoft Copilot, Claude and other AI assistants may be lower risk in many cases, but businesses should still control how staff use them, especially with confidential data.

External Vendors: Entities supplying 3rd party services, from marketing to AI services, may expose your data and hence would need review.

 

The Real Problem: Most Businesses Have No AI Inventory

The first step is not legal panic. The first step is visibility: assessing where you stand.

Most small businesses cannot answer basic questions such as:

  • Which AI tools are staff using?
  • What data is being entered into them?
  • Are outputs checked by a human?
  • Are customers affected by AI-generated decisions?
  • Are employees using AI with personal or confidential information?
  • Are any tools used for recruitment, finance, legal, healthcare or compliance-related work?

Without this information, you cannot sensibly assess risk.

 

What Should a Small Business Do First?

A practical first step is to complete a basic AI usage assessment. Include your staff to ensure any unknown use of AI can be discovered.

This should identify:

  • where AI is being used
  • whether the use is low-risk or needs review
  • whether staff guidance is needed
  • whether policies or documentation should be introduced
  • whether specialist advice is required

For many SMEs, low-level action may be enough to comply with the Act: carrying out a simple internal audit and creating a document trail. Review this often to capture any changes that take place within the organisation. Some of these steps include:

  • create an internal AI use policy
  • train staff on safe AI use
  • document tools currently in use
  • avoid entering sensitive data into public AI tools
  • add human review for AI-assisted decisions
  • check whether AI suppliers provide compliance information

 

Free EU AI Act Compliance Assessment Tool for UK Businesses

To help small businesses understand where they stand, we created a free online assessment tool.

Image of EU AI Compliance Assessment Form

 

The compliance assessment form is designed to give business owners a fast, plain-English indication of whether they may need to take action or seek further advice.

The tool helps you assess:

  • whether your AI use could fall within relevant risk areas
  • whether your current use appears low-risk
  • what basic actions may be sensible
  • when further compliance review may be needed

 

Try the free EU AI Act Compliance Assessment Tool:

 

EU AI Act Compliance Checker for UK SMEs

Basic Questions Answered

Does every small business need to comply with the EU AI Act?

Not every small business will have direct obligations. It depends on how AI is used, who is affected and whether the business operates in or supplies into the EU.

Does using tools like ChatGPT, Claude or Copilot automatically create a compliance issue?

Not necessarily. Using AI for basic drafting or productivity tasks may be low risk. The risk increases when AI affects decisions about people, customers, employees or regulated services.

What is a high-risk AI system?

High-risk systems are AI systems used in areas where the impact on people can be significant, such as employment, education, essential services, law enforcement, healthcare and certain financial decisions.

What are the fines?

For the most serious breaches, penalties can reach up to €35 million or 7% of worldwide annual turnover. Other breaches can also attract substantial fines.

Should SMEs panic?

No. But they should get clear on how AI is being used and whether any simple safeguards are needed.

 

Final Point

The businesses most exposed are not always the ones building AI. They are often the ones using AI without knowing where, how or why. And from my experience, this is something that can easily happen in any small business today.

The EU AI Act is a reminder that AI adoption needs basic control. For many small businesses, the right response is not a heavy compliance project. It is a simple, structured review of current AI use.

Start by understanding your position by using our Free EU AI Act Compliance Tool. Contact us if you need further advice or help to implement an AI compliance system.

 
