Not sure where to start with EU AI Act compliance? This checklist breaks it down into 12 concrete steps, organized by urgency. Some items should have been done already. Others have a deadline of August 2, 2026. All of them are achievable for a small business without hiring a law firm.
How to use this checklist: Items marked Do now are already legally required. Items marked By June should be prioritized next. Items marked By Aug 2 must be completed before full enforcement.
Phase 1: Immediate actions (already required)
1. Disclose AI in customer-facing systems (Do now)
If you have a chatbot on your website, add a clear notice: "You are chatting with an AI assistant." If you send AI-generated content to customers, label it. This has been required since August 2, 2025 under Article 50.
2. Ensure AI literacy for yourself and your team (Do now)
Article 4 requires that everyone using AI in your organization understands how the tools work, their limitations, and potential risks. This doesn't require formal certification — documented self-education counts.
3. Stop any banned AI practices (Do now)
Verify you're not using AI for: manipulation of behavior, exploiting vulnerabilities (age, disability), social scoring, or real-time biometric identification. These have been banned since February 2, 2025.
Phase 2: Documentation (complete by June 2026)
4. Create your AI Inventory Register (By June)
List every AI tool your business uses: ChatGPT, chatbots, analytics tools, AI features in your CRM or email platform. For each tool, note: provider, purpose, what data it processes, and risk category.
5. Classify each AI system by risk level (By June)
Determine if each tool is minimal, limited, or high risk. Most business tools (ChatGPT, content generators) are limited risk. AI used in HR, education, or credit decisions is high risk. When in doubt, classify higher.
6. Write your AI Usage Policy (By June)
Create internal rules for AI usage: which tools are approved, what data can be entered, who reviews AI outputs, and what's prohibited. This protects you legally and helps your team use AI responsibly.
7. Conduct a Risk Assessment (By June)
For each AI system, assess: what could go wrong, who could be affected, how severe the impact would be, and what you're doing to reduce the risk. Focus on risks to people's fundamental rights.
8. Publish a Transparency Notice (By June)
Create a public-facing notice explaining what AI systems you use, for what purposes, how automated decisions are made, and how customers can request human review. Put this on your website.
Phase 3: Full compliance (by August 2, 2026)
9. Set up human oversight procedures (By Aug 2)
For high-risk AI systems: define who reviews AI decisions, how often, and how to override them. Create a simple log (even a spreadsheet) tracking AI decisions and human reviews.
10. Register high-risk AI systems (By Aug 2)
If you operate high-risk AI systems (education, HR, credit), register them in the EU AI Database. This only applies to high-risk systems — most small businesses won't need this step.
11. Create an incident response plan (By Aug 2)
Define what happens if an AI system malfunctions or produces harmful results: who to notify, how to stop the system, how to report to authorities if needed.
12. Schedule regular reviews (By Aug 2)
Set up quarterly reviews of your AI inventory, risk assessments, and policies. AI tools change fast — your documentation should keep up. Add calendar reminders now.
How long does all this take?
For a typical small business using 2-4 AI tools (ChatGPT, a chatbot, maybe analytics):
- Phase 1 (immediate): 1-2 hours — add AI disclosures, review your tools
- Phase 2 (documentation): 2-4 hours manually, or 30 minutes with AI-powered tools
- Phase 3 (full compliance): 2-3 hours for procedures and review setup
Total: about a day of work spread over a few weeks. Not the months-long project many people fear.
Pro tip: Don't try to be perfect. The goal is demonstrable good-faith compliance, not a flawless legal dossier. Having basic documentation puts you ahead of 90% of businesses that have done nothing.
Complete steps 4-8 in 30 minutes
AI ComplyKit automatically generates your AI Inventory, Risk Assessment, Usage Policy, and Transparency Notice — all personalized for your business.
This article is for informational purposes only and does not constitute legal advice. For complex compliance cases, consult a qualified legal professional.