The AI Act applies to every company that uses AI. Here is what you need in place.

Why this applies to you too

Do you use ChatGPT, Claude, or Copilot in your business? Or is there a chatbot running on your website? Then you fall under the EU AI Act. This European AI law applies not only to tech companies that develop AI, but to every organization that uses it. Even if you simply have a subscription to a tool that happens to contain AI.

Yet most entrepreneurs are barely engaging with it. Research by the Dutch Chamber of Commerce shows that half of Dutch entrepreneurs are not aware of the law, and only a handful have actually taken measures.

The good news: for most SMEs, it is far less daunting than it sounds. What you need to arrange fits on a single page. In this article, we lay it out.

First things first: how is the AI Act structured?

The AI Act classifies AI applications by risk. The higher the risk, the stricter the rules. There are four categories:

Prohibited AI. Applications such as social scoring and manipulative AI are not allowed anywhere in the EU.

High-risk AI. AI that influences important decisions about people, such as systems that assess job applicants, check creditworthiness, or make medical diagnoses. The strictest requirements apply here: documentation, risk management, and human oversight.

Limited risk. Here a transparency obligation mainly applies. A chatbot must be recognizable as AI, and AI-generated content increasingly needs to be labeled.

Minimal risk. Spam filters, recommendations, most productivity tools. No specific obligations.

The vast majority of SMEs sit in those bottom two categories. If you use AI for text, emails, analysis, or customer contact, your obligations are light. The law also distinguishes between providers (companies that develop AI) and deployers (companies that use AI). This article is about that second group.

What you need in place if you use AI

1. Take stock of your AI tools. Claude, ChatGPT, Copilot, Gemini, a chatbot on your website, AI in your accounting software. Make a list: what does your team use, for what, and what data goes into it? This overview is the basis for everything else.

2. Write a one-page AI policy. What is allowed, what is not. Which data you never share. Who is the point of contact. Not a legal document, but clear for your people.

3. Arrange AI literacy for your team. The law requires that employees who work with AI understand what the tools can do, where the limitations lie, and what risks are involved. A session of a few hours in which your team learns to prompt, assess output, and recognize risks is enough for most companies. Document that it happened.

4. Be transparent with your customers. Are you deploying AI toward customers via a chatbot, generated content, or automated decisions? Make it known.

5. Check your suppliers. Is the provider of each AI tool itself compliant, and is there a data processing agreement? With mainstream tools this is usually sorted, but it is worth checking.

6. Keep it up to date. New tool? Update the policy. New employee? Include the AI policy in your onboarding. Compliance is not a one-off project, but a habit.

What about supervision and fines?

In the Netherlands, several regulators oversee the AI Act, each within their own sector, with the Dutch Data Protection Authority as coordinator. The highest fines making the news only apply to prohibited AI practices. For SMEs, the law also applies the lowest of the possible amounts. Anyone who has the basics in order has no reason to lose sleep over this.

Compliance as peace of mind, not noise

Compliance often feels like something you have to do on the side, while you just want to get on with your work. At the same time, having things in order brings peace of mind. And in this case, that is achievable: an afternoon of work, and you meet what the law asks of most SMEs.

The companies that take stock of their AI use and set policy around it have done more than just sort out their compliance. They also gain a clearer picture of where AI adds value in their organization. And that, ultimately, is the question that really matters.