The EU AI Act is the first comprehensive AI law in the world. It entered into force in August 2024 and its obligations are rolling out in stages through 2027. Most of the coverage is written for lawyers or for big tech. This note is written for the owner of a small or mid-sized European business who uses — or plans to use — AI agents in daily operations.
This is practical guidance, not legal advice. For binding decisions, involve a lawyer who knows your sector.
The one idea that explains the whole law
The AI Act is risk-based. It does not regulate “AI” as such — it regulates what you do with it. Obligations scale across four tiers: a short list of prohibited practices, a regulated list of high-risk uses, transparency duties for systems that interact with people, and essentially nothing for minimal-risk uses.
The second idea that matters: the law distinguishes providers (who build or sell AI systems) from deployers (who use them in their business). A typical SMB running AI agents on top of existing models is a deployer — and deployer obligations are much lighter.
What is simply forbidden
Since February 2025, a handful of practices are banned outright: social scoring, manipulative techniques that exploit vulnerabilities, emotion recognition in the workplace, untargeted scraping of facial images and a few others. For a normal SMB the practical takeaway is short: do not use AI to assess or manipulate people in ways you would not openly explain to them. If an agent scores your employees' emotions on calls — that is not a grey zone, it is prohibited.
When an SMB lands in “high-risk”
High-risk does not mean “the AI is powerful” — it means the use case is sensitive. The categories most likely to touch an SMB:
- Hiring and HR: AI that screens CVs, ranks candidates or evaluates employees.
- Credit and essential services: AI that decides who gets credit, insurance or housing.
- Education: AI that scores exams or admissions.
If your agents only draft emails, answer support questions from your knowledge base, reconcile invoices or assemble reports — those are not high-risk categories. Most back-office and customer-communication agents fall outside the high-risk list entirely.
The obligations almost every business does have
- Transparency: people must not be misled into thinking they are talking to a human. If a support agent chats with customers, say it is an assistant.
- AI literacy: since February 2025, companies must ensure staff using AI have an adequate level of AI understanding. A short internal training and usage policy covers this for most SMBs.
- Human oversight in practice: if you ever do touch a high-risk use, deployer duties include using the system according to the provider's instructions, ensuring human oversight and monitoring its operation. These are exactly the habits worth having anyway.
What to put in place now
The honest summary: for most SMBs the AI Act is not a compliance crisis — it is a push toward discipline you should want regardless.
- Keep an inventory of where AI actually runs in the company.
- Check the inventory against the prohibited and high-risk lists once, and at every new use case.
- Label customer-facing agents as AI.
- Write a one-page AI usage policy and brief the team.
- Keep logs and human approval points where decisions affect money or people.
That inventory-plus-controls exercise is, not coincidentally, the first half of an AI Agent Audit. If you want the map done for you in 7-10 days, book an intro call.