Which EU AI Act obligations apply to an SME as a deployer?
Quick Answer
The EU AI Act obligations that apply to an SME as a deployer depend on its role, the use case and the risk level, and support schemes do not remove the duty to comply. Start with role mapping, usage records, human oversight and supplier evidence.
Detailed Answer
Why SME deployers need a clear EU AI Act map
For many SMEs, the practical EU AI Act question is not whether the business is “an AI company”. It is whether the firm deploys an AI system in a real workflow: screening CVs, triaging client queries, summarising regulated documents, detecting fraud, producing advice drafts or automating internal approvals.
If the SME uses a third-party AI tool inside its own operations, it may still have deployer duties. Vendor claims, SME guidance and regulatory sandboxes can make compliance easier, but they do not transfer accountability for how the system is used in the business.
The safe answer is to classify the role, then evidence the use
An SME should first decide whether it is a provider, deployer, importer, distributor or product manufacturer for each AI use case. Most ordinary business users will be deployers, but that label still brings obligations where the tool is used in a regulated or high-impact process.
The practical control is a short AI use-case register: what the system does, who owns it, the supplier, the data categories involved, the output users rely on, the risk category, and the human check before decisions affect a customer, employee or client.
Support mechanisms help, but they do not erase duties
SMEs can use official guidance, templates, sandboxes and proportionate support to reduce the burden of compliance. That support is useful, especially when a smaller firm lacks a dedicated compliance team.
But it should not be confused with an exemption from basic governance. If an AI tool is used in recruitment, credit, insurance, legal operations, compliance monitoring or other sensitive workflows, the firm still needs evidence that the system is understood, supervised and controlled.
What an SME deployer should keep on file
Keep the evidence simple enough that teams will maintain it. For each material AI use case, store:
- the business purpose and process owner;
- the supplier, model or product name, and contract version;
- the data used, including any personal or confidential data;
- the risk classification and rationale;
- the human oversight step and escalation route;
- testing notes, known limitations and monitoring cadence;
- staff instructions covering safe use, prohibited inputs and output checks.
This is not paperwork for its own sake. It is the minimum record that lets a buyer, regulator or enterprise client see that the SME has operational control over AI-enabled work.
How to make this proportionate for a smaller business
Do not start with a fifty-page policy. Start with the five AI uses that create the most customer, employee, financial or confidentiality risk. Classify those first, then create reusable evidence packs for lower-risk tools.
A good proportionality test is whether a non-technical director can answer four questions: what are we using, where is it used, what could go wrong, and who checks the output before it matters?
Conclusion
For SME deployers, EU AI Act readiness is mostly operating discipline. Know your role, classify the use case, keep supplier and oversight evidence, train staff, and review the register when tools or workflows change. Support schemes can lower the friction, but the firm still needs a defensible record of control.
FAQ
Does an SME avoid EU AI Act duties by buying a third-party tool?
No. A supplier may carry provider obligations, but the SME can still have deployer duties for how the tool is used in its own workflow.
What is the first document an SME should create?
Create an AI use-case register that records the owner, supplier, purpose, data, risk level, oversight step and review date for each material AI system.
Do support schemes and sandboxes remove the need to comply?
No. They can help SMEs interpret and implement the rules, but they do not remove accountability for safe and lawful deployment.
Which teams should own this work?
Ownership should sit with the process owner, supported by compliance, data protection, security and senior management where the risk is material.