NSCA — Network Security Cloud Analytics

The EU AI Act is enforceable — what SMB and enterprise actually have to do

Most organizations have not actually read the AI Act. The ones that did read it once in 2024 and assumed enforcement would slip. Enforcement is now active. Here is the practical checklist.

The EU AI Act passed in 2024. Most of the tech industry treated it the way the industry treats most regulation — assuming the deadlines would slip and the enforcement would be soft. Neither happened. Enforcement is active. The first fines are landing. And the documentation requirements are larger than most teams realized.

Why you should read this

If your company sells or operates AI in Europe — or to European customers — the Act applies to you. That includes US SaaS companies with EU users, SMBs using AI in customer-facing products, and any organization fine-tuning a model for European use.

Many teams read the Act once in 2024, decided enforcement was far off, and moved on. The deadline did not move. This post is the short version of what changed, what tier you fall into, what you actually have to do, and how big the documentation lift really is.

If you are a founder or CEO: this is the compliance roadmap your team has probably not started. If you are in legal: this is the engineering work you need from your product team. If you are an engineer: this is what your legal team is about to ask you for.

What just changed

Different parts of the Act became enforceable on different dates.

February 2025: prohibited practices. Things the Act bans outright. Some social scoring, some biometric surveillance, emotion recognition in workplaces and schools.

August 2025: rules for general-purpose AI models. The foundation-model providers (OpenAI, Anthropic, Google, etc.) and anyone running their own large model now have specific obligations.

August 2026: the bulk of high-risk system obligations. Conformity assessments. EU database registration. Post-market monitoring. National regulators in every EU member state are now processing complaints.

If your AI touches EU users, the question is no longer whether the Act applies. The question is which tier you fall into.

The four risk tiers in plain English

The Act sorts every AI system into one of four buckets.

Unacceptable risk — banned. Social scoring, real-time biometric surveillance in public, emotion recognition at work or school. If you are building one of these, you are out of compliance the moment you ship.

High risk — heavy compliance. AI used in hiring, school admissions, credit and insurance, essential services, law enforcement, border control, and the safety layer of any product already regulated by EU law (medical devices, vehicles, machinery). This tier is where the real work is.

Limited risk — transparency only. A chatbot or agent has to tell the user it is interacting with an AI. AI-generated content has to be labeled. Most consumer AI products land here. The obligations are cheap to comply with and easy to skip by accident.

Minimal risk — no obligations beyond existing law. Most internal AI tools fall here.

The first piece of compliance work is classifying your systems correctly. A wrong classification does not change your obligations — it just means you are out of compliance and unaware.

What high-risk actually requires

If you have a high-risk system, the Act requires three big things.

A documented risk management process that runs continuously — not a one-time assessment. Identify the risks. Mitigate them. Test under real conditions. Monitor after deployment. Update as new risks emerge.

Data governance: the training, validation, and testing data has to be relevant, representative, and free of significant errors. You need to document the choices you made and check for bias.

Human oversight that meets the Act's definition — not just "a human is in the loop somewhere." The Act is specific: the human has to be able to understand the system's limits, recognize automation bias, override outputs, and halt the system if needed.

Each of these becomes documentation that a regulator can ask for.

The limited-risk obligations everyone forgets

Teams focus on high-risk because the cost is visible. The limited-risk obligations are cheap but often missed.

The chatbot on your website has to disclose it is an AI, at the point of interaction. Buried language in a privacy policy does not count. The voice assistant in your product needs a clear notice. Vague "this product uses AI" copy is not enough.

AI-generated images, video, and audio that look like real people, places, or events have to be labeled as synthetic. The Act expects both invisible watermarks (which can be stripped) and visible labels (which cannot).

These are simple to implement. The reason they get missed is that they are not on the engineering roadmap, because nobody told the engineering team.

If you use a third-party foundation model

If you build on OpenAI, Anthropic, Google, or any other foundation model, you depend on the provider's compliance for parts of your own.

The Act requires foundation model providers to document the model, summarize the training data, comply with EU copyright law, and give downstream users (you) enough information to understand the model's capabilities and limits.

What this means in practice: ask your provider for their AI Act documentation. They have it. You will need it when a customer asks how your product complies. If they cannot produce it, that is a vendor risk you should be tracking.

The documentation lift everyone underestimates

The single biggest cost of compliance is not the AI work. It is the documentation.

For a high-risk system, the technical file includes a description of the system, detailed development documentation, monitoring and control mechanisms, validation and testing procedures, conformity assessment results, instructions for use, the standards you followed, and a declaration of conformity.

This is a regulator-facing artifact that has to reflect the actual running system. Slide decks do not count. Engineering wikis written two years ago do not count. The file has to be current, traceable, and signed off.

Most organizations we audit have the material spread across slides, wikis, and people's heads. Consolidating it into a single living technical file is a multi-week project even for small systems.

The fines

AI Act fines follow the GDPR pattern: percentage of global revenue, scaled by severity.

Prohibited practices: up to 35 million euros or 7 percent of worldwide annual turnover, whichever is higher.

Most other violations (high-risk obligations, transparency, foundation models): up to 15 million euros or 3 percent.

Giving regulators incorrect or misleading information: up to 7.5 million euros or 1 percent.

SMBs get slightly reduced caps. The percentages still scale with the company. The first enforcement actions have shipped, and the penalty structure rewards regulators for pursuing real cases.

A 90-day starting plan

If you have not started, here is the sequence.

Days 1 to 15 — inventory. Every AI system in or affecting the EU. Every fine-tuned model, every chatbot, every recommendation system, every internal tool that uses an LLM. You probably have more than you think. Sort each into one of the four tiers.

Days 15 to 30 — triage. For high-risk systems, assign an owner. For limited-risk systems, ship the disclosure changes — these are usually small UI copy edits. For prohibited systems, stop.

Days 30 to 60 — close documentation gaps. For each high-risk system, list what exists and what is missing. Fill the gaps, oldest and highest-impact first.

Days 60 to 90 — conformity assessment plan. For high-risk systems, decide which assessment route applies (internal for most cases, notified body for regulated product categories). Start the work. Register what needs registering in the EU database.

This is not full compliance in 90 days. It is enough to show you are moving — which matters when a regulator looks at you.