EU AI Act obligations for SMEs — sandboxes, reduced fines, and simplified compliance

Who counts as an SME for AI Act purposes?

The EU AI Act cross-references the standard EU SME definition (Commission Recommendation 2003/361/EC), which covers enterprises with fewer than 250 employees and either an annual turnover not exceeding EUR 50 million or an annual balance-sheet total not exceeding EUR 43 million. Micro-enterprises (fewer than 10 employees; turnover or balance sheet ≤ EUR 2 million) are a subset.

The proposed Digital Omnibus (provisional political agreement of 7 May 2026 — not yet formally adopted or published in the Official Journal) would introduce a “small mid-cap” category covering enterprises with fewer than 750 employees and annual turnover not exceeding EUR 150 million (or balance sheet not exceeding EUR 129 million). Small mid-caps would benefit from the same AI Act support measures as SMEs under the proposal. Until the Omnibus text is adopted and published, the standard SME threshold remains the operative definition.

Article 55 — general measures for SMEs

Article 55 of Regulation (EU) 2024/1689 requires Member States and the Commission to take the following measures for the benefit of SMEs (including start-ups):

• Dedicated channels for guidance. National competent authorities must provide SMEs with guidance, information and assistance on how to comply with their obligations.
• Simplified technical documentation. Where full Annex IV documentation would be disproportionate, SMEs may use a simplified format to be specified in guidance from the AI Office.
• Reduced fees for conformity assessments. National notified bodies are required to set fees that are proportionate to the size and market share of SMEs.
• Awareness-raising and training. The Commission and Member States must organise awareness-raising activities specifically tailored to the needs of SMEs and start-ups.

Article 62 — regulatory sandboxes for AI

Article 62 requires each Member State to establish at least one AI regulatory sandbox by 2 August 2026. Sandboxes provide a controlled environment where providers — and in certain cases deployers — can develop, train, test and validate AI systems before market placement, under a competent authority’s supervision.

• SME priority access. Article 62(5) gives SMEs and start-ups priority access to national AI sandboxes. Participation does not grant an exemption from substantive obligations but provides supervised flexibility and early engagement with supervisors.
• Liability protection during sandbox testing. Under Article 63, where participants follow the sandbox plan and act in good faith, they are not subject to administrative fines for non-compliant elements of the AI system that emerge solely as a result of participation in the sandbox.
• Cross-border sandboxes. Two or more Member States may jointly establish a sandbox. The AI Office may support a Union-level sandbox for use cases with cross-border significance.

Article 99(6) — proportionate fine caps for SMEs

The AI Act’s fine structure applies in full to SMEs, but Article 99(6) caps the applicable amount at the lower of the two figures (the absolute EUR ceiling or the percentage of global turnover), rather than whichever is higher as for large companies. In practice this means:

• Prohibited-practice violations (Art 99(3)): up to EUR 35 000 000 or 7 % of global annual turnover — for an SME, the fine is the lesser of these two.
• High-risk and operator-obligation violations (Art 99(4)): up to EUR 15 000 000 or 3 % — for an SME, again the lesser amount.
• Incorrect or incomplete information supplied to authorities (Art 99(5)): up to EUR 7 500 000 or 1 % — lesser figure applies to SMEs.

National supervisory authorities retain discretion to set fines below the cap, taking into account factors including the size, economic resources and market share of the entity. Article 99(7) makes this discretion explicit for start-ups.

What remains fully applicable to SMEs

The proportionate measures above address process friction and financial exposure. They do not reduce the substantive obligations that every deployer must meet:

• AI literacy (Art 4) — in force since 2 February 2025; no SME carve-out.
• Prohibited-practice ban (Art 5) — in force since 2 February 2025; applies regardless of size.
• Deployer obligations for high-risk systems (Art 26) — human oversight, instructions for use, log retention (min. 6 months), worker notification — apply from 2 August 2026 for systems listed in Annex III. The proposed Digital Omnibus provisional agreement (7 May 2026, not yet adopted) proposes deferring stand-alone Annex III high-risk application to 2 December 2027; until formally adopted, 2 August 2026 remains binding.
• Article 50 transparency — chatbot disclosure, deep-fake marking — applies from 2 August 2026; no size exemption.

Practical compliance steps for SME deployers

1. AI inventory. Map every AI system in use: vendor, purpose, risk class. Identify which fall under Annex III.
2. Vendor contracts. Confirm that your vendor has supplied Art 13 instructions for use and that you have access to automatic logs (Art 26(6)).
3. AI literacy programme. Document an Art 4 literacy measure covering all staff and contractors operating AI systems on your behalf.
4. Sandbox enquiry. Contact your national AI authority to understand sandbox eligibility if you are developing or significantly customising an AI system.
5. Simplified Annex IV. If you are a provider of a high-risk system, engage early with your notified body about the simplified documentation pathway.

Common misconceptions for SMEs

• “We are too small for the AI Act to apply.” Size affects fine exposure, not substantive obligations. Every deployer of an AI system within the EU is in scope.
• “The Digital Omnibus has reduced our obligations.” The Omnibus is a provisional political agreement, not adopted law. Until published in the Official Journal, current Regulation (EU) 2024/1689 applies as enacted.
• “We only use off-the-shelf SaaS tools, so we are not a deployer.” Any natural or legal person who uses an AI system under its authority in a professional context is a deployer — regardless of whether it was developed in-house.
• “The sandbox exemption covers all compliance.” Sandboxes provide supervised testing flexibility; they do not exempt participants from the substantive obligations once the system is deployed commercially.

Related EU guides

• Deployer checklist — Article 26 obligations
• AI literacy obligation — Article 4
• Fines under the EU AI Act
• EU AI Act deployer timeline
• AI vendor contracts — 12-point deployer checklist

Sources

• Regulation (EU) 2024/1689, Articles 4, 5, 26, 55, 62, 63, 99 — EUR-Lex: eur-lex.europa.eu/eli/reg/2024/1689/oj
• Commission Recommendation 2003/361/EC (SME definition): eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32003H0361
• European AI Office — SME support information: digital-strategy.ec.europa.eu