Yes — and there is no minimum size threshold. If your business uses AI tools professionally, the obligation applies to you regardless of headcount or revenue.
Yes. The EU AI Act applies to small businesses. There is no minimum employee count, no revenue threshold, and no grace period for smaller organisations. The AI literacy obligation has been enforceable since February 2025 and applies to any business that uses AI systems professionally — regardless of size.
If your team uses ChatGPT, Microsoft Copilot, Google Gemini, Canva AI, or any AI-powered feature in software your business uses at work, you are in scope.
The most common misconception is that the EU AI Act is a law for AI companies — businesses that build, develop, or sell AI systems. It is not. It is also a law for businesses that use AI, and those businesses are called deployers in the regulation.
A deployer is any organisation that uses an AI system in a professional context under its own authority. That definition covers the overwhelming majority of European SMEs. If your team uses AI tools at work, your business is a deployer under the EU AI Act.
The regulation does not distinguish between a ten-person agency and a ten-thousand-person corporation when it comes to the AI literacy obligation. Both are deployers. Both are in scope.
Article 4 of the EU AI Act requires providers and deployers of AI systems to take measures to support the AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf.
There is no carve-out for small businesses. There is no phased rollout based on company size. The obligation is proportionate — meaning a three-person business will not be expected to have the same documentation infrastructure as a large enterprise — but it applies nonetheless.
Yes. This is the question we hear most often, and the answer consistently surprises people.
The EU AI Act does not regulate AI tools. It regulates AI use. Using an off-the-shelf tool like ChatGPT makes your business a deployer under the regulation, subject to the same AI literacy obligations as any other deployer.
There is no distinction in the law between a business that uses a general AI assistant and one that uses specialised AI software. What matters is that your staff are using AI systems professionally and that your business can demonstrate it has taken measures to support their responsible use of those systems.
The EU AI Act does not prescribe a specific set of documents. It sets an obligation and leaves the implementation to each business. That said, there is a clear set of elements that together constitute a defensible compliance position — one that a regulator or enterprise client could scrutinise and find credible.
A formal document setting out how your business uses AI — which tools are approved, what they can be used for, how staff should handle data when using AI tools, and who is responsible for compliance. Specific to your business, not a generic template.
Evidence of complianceA formal inventory of every AI system your business uses professionally — including the vendor, purpose, a risk assessment, and which roles interact with it. The foundation on which everything else is built.
Evidence of complianceIndividual records for each staff member who uses AI, confirming which tools they use and what measures have been taken to support their AI literacy. One record per relevant person.
Evidence of complianceA document mapping each role in your organisation to an appropriate literacy tier, demonstrating that your approach to AI literacy is proportionate and role-specific rather than a one-size-fits-all exercise.
Evidence of complianceAll four documents compiled into a single timestamped PDF — ready to produce immediately if a regulator requests evidence of compliance, or if an enterprise client asks as part of a procurement process.
Evidence of complianceFor many small businesses, the most immediate pressure to get this documentation in place is not regulatory — it is commercial. Enterprise procurement teams are adding EU AI Act compliance checks to supplier questionnaires alongside standard data security and GDPR requirements.
The question looks something like this: "Does your organisation have a documented AI usage policy and evidence of staff AI literacy training?"
If the answer is no, or “we are working on it,” you risk being deprioritised in favour of a competitor who can say yes. A complete, timestamped evidence pack removes that risk entirely.
The EU Digital Omnibus agreement of May 2026 made one significant change to the AI literacy obligation: it softened the wording from “ensure a sufficient level” of AI literacy to “take measures to support” AI literacy. This shifts the obligation from proving an outcome to demonstrating the steps taken. The obligation itself remains in force and unchanged for all businesses using AI. The Omnibus text is pending formal adoption, expected before August 2026.
Correct — there is no minimum size threshold in the EU AI Act’s AI literacy obligation. A three-person business using ChatGPT has the same obligation to take measures to support staff AI literacy as a 300-person organisation using the same tools. The obligation is proportionate in its implementation, but it applies regardless of size.
A training certificate is a useful supporting document but not a complete compliance position on its own. What constitutes a defensible position is documentation tailored to your specific business — your tools, your roles, and your context — not generic training that doesn’t reflect how your team actually uses AI.
A template tells you what to write but does not know which AI tools your business uses, what your roles are, or how your team interacts with AI. A templated policy that does not reflect your actual business context provides limited credibility if a regulator or procurement team scrutinises it.
Yes. Article 2(1)(c) of the EU AI Act applies to providers and deployers established in third countries where the output produced by the AI system is used in the EU. If your AI outputs are used by people in the EU — customers, employees, or users — the regulation applies to your business regardless of where you are based.
For most SMEs, producing a complete, defensible compliance position takes under 10 minutes using the right platform. The bottleneck is knowing what is required and having a structured way to capture your business context. Once that is in place, the documentation itself can be generated immediately.
Answer a short assessment about your business, your team, and the AI tools you use. We generate your complete compliance pack — all five documents, tailored to your specific context, formatted professionally, and compiled into an auditor-ready PDF.
Start your free assessment14-day free trial — no credit card required