RatedWithAI

RatedWithAI

Accessibility scanner

EU AI ActJuly 4, 2026

EU AI Act for Small Business & Startups 2026: What Actually Applies

"We're too small for the EU AI Act" is one of the most common — and most wrong — assumptions founders make. Size doesn't shrink your legal exposure, but it does change your paperwork burden. Here's exactly what a small business or startup owes, and what relief actually exists.

0
Size-based exemptions from prohibited-practice rules
SME
Gets simplified docs, not reduced obligations
Any size
Extraterritorial reach applies to non-EU companies too

The Myth: "We're Too Small to Matter"

The EU AI Act was written with big tech and high-risk deployers in mind, and most of the headlines cover Big Tech GPAI models and enterprise HR software. That coverage gives founders the false impression that a five-person startup is under the radar. It isn't. The regulation's obligations attach to what your AI system does, not how many employees you have. A two-person startup selling a hiring-screening tool to EU customers carries the same high-risk classification as a Fortune 500 vendor selling the same category of product.

Where size does matter is in how you demonstrate compliance — not whether you have to.

What Doesn't Change for Small Companies

  • Prohibited practices — subliminal manipulation, exploitative targeting of vulnerable groups, social scoring, and untargeted facial-recognition scraping are banned outright for companies of any size.
  • High-risk classification — if your product touches employment decisions, credit/insurance underwriting, biometric categorization, or other Annex III categories, you're high-risk regardless of headcount or revenue.
  • Extraterritorial scope — a US or non-EU startup with EU users or EU-market output is in scope exactly the way an EU-based company is.
  • Fines — the maximum penalty bands aren't proportionally capped for small companies in the way GDPR's are sometimes assumed to work; you can still face serious exposure for the worst violations.

What Actually Is Lighter for SMEs

Simplified technical documentation

SMEs and startups can use a simplified technical documentation template for high-risk systems instead of the full-length format expected from larger providers — same substance, less bureaucratic overhead.

Regulatory sandbox access

National authorities are required to give SMEs and startups priority (and often free or discounted) access to AI regulatory sandboxes, letting you test a system under supervision before full-scale deployment.

Awareness and training support

Member states must run awareness-raising and training activities specifically aimed at SMEs to help them understand and apply the rules — a genuine (if modest) reduction in the cost of figuring out what applies.

A Founder's Practical Checklist

Work through this in order — most early-stage products resolve at step 2 or 3.

Confirm whether you have any EU users, customers, or EU-market output — this triggers scope regardless of where you're incorporatedStart here
Rule out prohibited practices first: manipulation, exploitative targeting, social scoring, untargeted biometric scrapingEssential
Check Annex III high-risk categories: employment, credit/insurance, education, law enforcement, biometric categorization, critical infrastructureEssential
If minimal/limited risk (most early SaaS tools), implement transparency duties — disclose AI-generated content and chatbot interactionsCommon case
If high-risk, use the SME simplified documentation template rather than building a full enterprise compliance program from scratchCost saver
Apply for a national regulatory sandbox slot if you're building something novel and want supervised testing before launchOptional
Budget compliance costs into your EU go-to-market plan before you sign your first EU customer, not afterEssential

Get your compliance posture in shape before it costs you a deal

Enterprise buyers increasingly ask small vendors for accessibility and compliance evidence during procurement. RatedWithAI scans your site for the gaps that show up in due diligence.

Scan Your Site for Free →

Frequently Asked Questions

How many employees before the EU AI Act applies to me?

There's no headcount threshold that exempts you. What matters is whether your AI system is placed on the EU market, used by EU-based deployers, or its output affects people in the EU — plus what category (prohibited, high-risk, limited, minimal) your specific system falls into.

Can I just avoid EU customers to stay out of scope?

Technically yes — if you have zero EU users, zero EU customers, and your output never reaches EU-based individuals, the AI Act's territorial scope doesn't reach you. But this is a real product and go-to-market constraint, not a paperwork shortcut, and most SaaS companies eventually pick up EU users organically.

What happens if I ignore this until I actually land an EU customer?

You risk having to retrofit compliance under deal pressure, which is more expensive and stressful than building disclosure and documentation habits early. Enterprise EU buyers are increasingly asking vendors for AI Act compliance evidence during procurement, similar to how SOC 2 became a checkbox in enterprise sales.

Are free/open-source AI startups treated differently?

There are some carve-outs for free and open-source AI components in certain contexts, but they don't blanket-exempt a startup that builds a commercial product or service on top of them. If you're monetizing the output or deploying it in a high-risk use case, the underlying obligations still apply.

Related Guides