EU AI Act for Startups and SMEs: Simplified Obligations and Exemptions
The EU AI Act includes specific provisions to reduce the compliance burden on startups and SMEs — simplified documentation, free regulatory sandboxes, proportional fines, and priority support. This guide explains what applies to you and what does not.
The AI Act Was Written With SMEs in Mind — Partially
The EU AI Act's recitals and provisions include explicit acknowledgement that the regulation could disproportionately burden smaller companies. The legislator built in a set of compensating measures: simplified documentation forms, free access to regulatory sandboxes, proportional fines, and priority support channels.
But here is the critical point: the substantive obligations do not disappear because you are small.
If your AI system is high-risk under Annex III, you must comply with the full conformity framework — risk management, technical documentation, conformity assessment, EU Declaration of Conformity, registration. If you provide a GPAI model, Articles 51–56 apply. The SME provisions reduce friction and cost; they do not create a blanket exemption.
This guide explains precisely what is simplified, what is free, and what remains mandatory regardless of company size.
Are You an SME Under EU Law?
The EU AI Act uses the standard EU definition of SMEs:
| Category | Employees | Annual Turnover OR Balance Sheet |
|---|---|---|
| Microenterprise | < 10 | < €2 million |
| Small enterprise | < 50 | < €10 million |
| Medium enterprise | < 250 | < €50 million / < €43 million |
Startups are explicitly referenced throughout the Act — they are treated as SMEs for the purposes of these provisions despite lacking a formal EU legal definition.
What Is Simplified or Reduced for SMEs
1. Simplified Technical Documentation (Article 63)
For high-risk AI systems, Annex IV lists the full technical documentation requirements. For micro and small enterprises, the Commission is required to develop simplified technical documentation forms tailored to their needs. Authorities must accept these simplified forms for conformity assessments.
Microenterprises may also comply with quality management system requirements (Article 17) in a simplified manner.
This does not mean you need less documentation — it means the Commission provides a structured form that is less burdensome to complete than building documentation from scratch against raw regulatory text.
2. Proportional Conformity Assessment Fees (Article 62)
When third-party conformity assessment by a notified body is required (mainly for biometric identification systems), fees must be proportional to the size, market size, and other relevant factors of the SME. The Commission regularly evaluates and works to reduce these costs.
3. Proportional Fines — Lower Cap Applies
The AI Act's fines are expressed as a percentage of global annual turnover or a fixed euro amount, whichever is higher for large companies. For SMEs and startups, the rule is inverted: the applicable amount is whichever is lower.
| Violation | Large Company | SME / Startup |
|---|---|---|
| Prohibited AI practices | €35M or 7% (higher) | €35M or 7% (lower) |
| Most AI Act violations | €15M or 3% (higher) | €15M or 3% (lower) |
| Incorrect information | €7.5M or 1% (higher) | €7.5M or 1% (lower) |
For a startup with €500K annual turnover, 3% is €15,000 — not €15 million. The proportionality is real and significant.
4. Free Regulatory Sandboxes (Articles 57–60)
Member States must establish AI regulatory sandboxes — controlled environments where providers can develop, train, test, and validate AI systems before market placement. For SMEs:
- Priority access: SMEs receive priority access to national sandboxes
- Free of charge: Participation is free for SMEs (fees may apply to large companies)
- Simple procedures: Application processes must be simple, easy to understand, and clearly communicated
- Liability protection: Providers acting in good faith within an approved sandbox plan are protected from administrative fines (though they remain liable for damages to third parties)
- Compliance evidence: Participation in a sandbox is documented and can serve as evidence of good-faith compliance efforts
5. Support, Training, and Guidance (Article 62)
Member States are required to:
- Organise awareness-raising and training activities specifically tailored to SMEs and startups
- Provide dedicated communication channels for SME guidance and queries
- Offer technical and regulatory support throughout the development pathway
The Commission and Member States must also facilitate SME participation in AI standardisation processes, ensuring smaller companies can influence the technical standards that shape compliance requirements.
6. SME Representation in Governance (Article 67)
SME perspectives must be duly represented in the EU AI Act's advisory forum. This is a governance right — small companies have a formal channel to influence how the regulation evolves in practice.
What Is NOT Exempted for SMEs
This section matters more than the provisions above.
Risk classification does not change based on company size. A 12-person startup building an AI-powered CV screening tool has a high-risk AI system under Annex III §4. The company's size does not change this classification or eliminate the conformity obligations.
Core provider obligations remain. If you are a provider of a high-risk system, you must:
- Complete a conformity assessment
- Draw up an EU Declaration of Conformity
- Register in the EU database for high-risk AI systems
- Prepare technical documentation (simplified form available)
- Implement a risk management system
- Ensure human oversight, logging, and transparency
GPAI obligations remain. If you have trained and are providing an LLM or foundation model to EU customers, Articles 51–56 apply regardless of company size. Open-weight models under free licences are exempt from documentation and downstream information requirements — but not from systemic risk obligations if the model exceeds 10²⁵ FLOPs.
Prohibited practices are absolute. Article 5 prohibitions apply to every company regardless of size.
Key Questions for SMEs and Startups
"We're a seed-stage startup — do we need to comply now?"
If your product is already being used by EU customers: yes, to the extent obligations currently apply. If you are still in pre-market development, Article 2(8) exempts development activities before market placement — but "testing in real-world conditions" (live with real users) is covered.
"We integrate a third-party model (OpenAI, etc.) — are we a provider?"
Likely yes, for the system you have built around it. If you integrate a third-party model into a product you sell, you are generally the provider of that product for AI Act purposes. You are responsible for the conformity of the integrated system — even if the underlying model is compliant. Check whether your use case falls into Annex III.
"We're B2B — our customers deploy the AI. Are they responsible?"
Deployer obligations (Article 26) sit with whoever deploys the system. But provider obligations (Articles 9–49) remain with you as the provider. Both sides of the chain have independent duties. You cannot contractually transfer your provider obligations to customers.
"We're open source — are we exempt?"
Partially. Open-weight models under free licences are exempt from Article 53(1)(a) and (b) documentation requirements — but not if the model is also classified as having systemic risk. High-risk AI systems have no open-source exemption equivalent.
A Practical Compliance Roadmap for SMEs
Step 1 — Check if your AI is in scope (15 minutes) Does your product involve AI? Do any EU users interact with or are affected by its outputs? If yes, proceed.
Step 2 — Determine your risk tier (30–60 minutes) Map your system's function against the four tiers: prohibited, high-risk (Annex III), limited risk (Article 50), minimal risk. Most B2B SaaS tools land in minimal risk. Hiring, credit, education, and healthcare AI typically lands in high-risk.
Step 3 — If high-risk: use the simplified documentation form When available (Commission-developed), complete the simplified Annex IV technical documentation form. This is significantly less burdensome than building bespoke documentation from raw regulatory text.
Step 4 — Apply for your national regulatory sandbox If you are pre-market or planning a major new feature, check your national AI sandbox. Most EU Member States have established or are establishing sandboxes. Entry is free for SMEs and provides both compliance guidance and liability protection during testing.
Step 5 — Register in the EU database before market placement For high-risk systems, registration in the EU database is mandatory before placing the system on the market. It is a public database — and being listed demonstrates good-faith compliance.
How DilAIg Helps Startups and SMEs
DilAIg is designed to make this accessible for teams without a dedicated legal department. The 50-question audit takes 20 minutes and produces:
- A documented risk classification with applicable obligations listed article by article
- A prioritised action plan that distinguishes what is mandatory from what is optional
- For high-risk systems: the four mandatory documents — FRIA, EU Declaration of Conformity, Technical Documentation (Annex IV), and Transparency Notice — as professional drafts
The audit is free. Document generation is per document. There is no minimum commitment.
Start your free AI Act audit →
FAQ: AI Act for Startups and SMEs
Does the AI Act apply to a startup with only 5 employees?
Yes, if your AI system is placed on the EU market or its outputs are used in the EU. Company size affects the form of documentation and the cap on fines — it does not determine whether the regulation applies.
Are there sandbox programmes already available?
Yes. Several EU Member States have established AI regulatory sandboxes. The AI Office also coordinates a European-level sandbox framework. Check your national competent authority's website for current programmes.
Can we use a regulatory sandbox to delay compliance?
No. Sandbox participation allows you to develop and test AI systems before formal market placement. It does not extend deadlines for systems already on the market.
What is the simplified technical documentation form?
A Commission-developed structured form for micro and small enterprises that organises the Annex IV documentation requirements in a more accessible format. It covers the same substance as the full Annex IV documentation — it is simpler to complete, not simpler in content.
Does the proportional fine cap apply automatically?
Yes. The fine calculation for SMEs uses whichever of the two amounts (percentage or fixed) is lower. You do not need to apply for this — it applies automatically to any fine imposed on an SME or startup.
Key Takeaways
- SME size affects how you comply, not whether you comply
- Substantive obligations — risk management, conformity assessment, documentation — apply to all providers of high-risk systems regardless of size
- Simplified documentation forms are available for micro and small enterprises for Annex IV
- Regulatory sandboxes are free for SMEs and provide liability protection during testing
- Fines use the lower cap for SMEs: percentage or fixed amount, whichever is smaller
- Open-source is not a blanket exemption — high-risk systems have no licence-based opt-out
- DilAIg's audit is free and takes 20 minutes — built for teams without a legal department