EU AI Act in SMEs: Provider or Deployer?
One concern dominates SME discussions about the EU AI Act: here comes the next wave of red tape. In practice, the actual workload hinges first on a question of roles – does the company develop an AI system itself and bring it to market, or does it deploy an existing system? That answer determines whether manufacturer obligations apply or whether far lighter duties for operators are all that’s required. Clarifying this early avoids unnecessary effort and focuses work on the rules that actually apply.
Key Takeaways
- Provider or deployer – that is the core question. Those who build and market AI carry the heavy obligations. Those who merely deploy a finished system face far fewer requirements. Most SMEs are operators.
- High-risk obligations are clearly defined. Risk management, documentation, logging, human oversight. For operators, the focus is on supervision and compliant use – not the full burden of a manufacturer.
- SME relief is built in. Small businesses may maintain simplified technical documentation. The deadline for high-risk obligations falls in mid-2026; a postponement is under discussion, but nothing is confirmed.
Your Role Determines Your Workload
What is the EU AI Act? The EU AI Act is the first comprehensive regulation for artificial intelligence in the European Union. It classifies AI systems by risk level – from prohibited to high-risk to minimal – and ties graduated obligations to each tier. The strictest requirements apply to high-risk systems, such as those used in personnel selection, credit assessment, or critical infrastructure.
Before an SME thinks about specific obligations, it must establish its role. The AI Act draws a sharp line between the provider – who develops an AI system and places it on the market – and the deployer, who simply puts such a system to use. This distinction is anything but academic; it determines the scope of the work ahead.
Most SMEs are deployers. They purchase a recruitment tool, a credit-checking solution, or analytics software and use it. That puts them under deployer obligations, not the full weight of a manufacturer. Companies that miss this and prepare for provider duties are planning for work that will never apply to them. Conversely, those who assume that being a pure operator means no obligations at all are overlooking their own – considerably lighter – responsibilities.
Four core obligations apply to high-risk AI
Once a system is classified as high-risk, clearly defined requirements come into force. They are distributed differently between providers and deployers, however. The overview below separates who is responsible for what.
| Obligation | Provider | Deployer |
|---|---|---|
| Risk management | build and maintain throughout the lifecycle | apply in accordance with instructions |
| Technical documentation | compile in full | retain, not create |
| Logging | implement automatic logging | retain logs for at least six months |
| Human oversight | make it possible | actually exercise it |
| Registration | register the system in the EU database | generally not required |
For the typical mid-sized company acting as a deployer, the core tasks are manageable: use the system only for its intended purpose and in line with the instructions, ensure genuine human oversight, retain the logs, and in certain cases carry out a fundamental rights impact assessment. That still takes effort. But it is nowhere near the level of compliance burden facing manufacturers – the one that puts so many companies off.
Mid-2026 is where preparation levels will matter
Every management team should know three key facts. The first is the deadline. The high-risk obligations become binding in mid-2026. Discussions at the European level about pushing back individual deadlines are ongoing, but until any change is formally adopted, the original date stands. Counting on a delay is a risky bet.
The second point is the sanctions framework itself. It makes clear the AI Act is no toothless document. The third point offers some relief for SMEs: small and medium-sized enterprises benefit from built-in concessions. They may maintain technical documentation in simplified form, and the European Commission provides a dedicated simplified template for this purpose. The relief has also been extended to small mid-cap companies. Smaller organisations still have to meet the obligations – but they are not expected to document at the same scale as a large corporation.
Clarify Roles and Establish Oversight Now
The situation calls for a sober list of priorities – one that separates genuine necessities from avoidable busywork.
What you don’t need to do
- Prepare for full manufacturer obligations as a pure end user
- Treat every AI tool in use as automatically high-risk
- Wait for a deadline extension before one has actually been decided
- Launch an expensive large-scale project when a simple inventory will do
What actually matters
- Take stock of your AI systems and classify them by risk level
- Clarify your role for each system: provider or deployer
- Secure human oversight and logging for high-risk applications
- Take advantage of the SME relief provisions for documentation
The common thread is proportionality. The AI Act does not ask SMEs for corporate-scale compliance – it asks for an honest assessment of your own systems and a handful of reliable routines for the few truly critical applications. Anyone who starts with an inventory and clarifies their role for each system has already resolved the bulk of the uncertainty. What remains is maintenance, not a revolution.
Frequently Asked Questions
Does the EU AI Act apply to small businesses too?
Yes, but on a graduated basis. Obligations depend on the risk level of the system and the role of the company – not primarily on its size. Small and medium-sized enterprises may keep technical documentation in a simplified form, and this relief has been extended to small mid-caps. Being small doesn’t exempt you, but it does make compliance more manageable.
What is the difference between a provider and a deployer?
A provider develops an AI system and places it on the market. A deployer simply uses a ready-made system. The heavy obligations – technical documentation, conformity assessment, registration – fall on the provider. The deployer’s main responsibilities are to use the system as intended, ensure human oversight, and retain logs.
Which AI systems are classified as high-risk?
Systems used in sensitive areas – such as candidate screening, credit decisions, critical infrastructure, or certain safety components. A basic text assistant or translation tool generally does not fall into this category. Classification follows the intended use case, not the underlying technology alone.
When do the high-risk obligations take effect?
They become binding in mid-2026. Discussions about shifting individual deadlines are ongoing at the European level, but no decision has been taken. Until then, the original date stands. Companies should not make their preparations contingent on a possible – but far from certain – extension.
What is the best place to start preparing?
With an inventory. Which AI systems are in use, what are they used for, and is your company acting as provider or deployer in each case? That overview immediately reveals which systems could qualify as high-risk and where obligations actually apply. Without this inventory, every subsequent measure is a shot in the dark.
Image credit: Cover image AI-generated (June 2026), C2PA certificate embedded in image

