A Practical AI Act Compliance Checklist for Small Businesses

Posted on September 1, 2025 by AI Act Compass Team

The EU AI Act is comprehensive, and for small and medium-sized businesses (SMBs), it can seem daunting. Without dedicated legal teams, how can you ensure you're compliant? The good news is that the Act uses a risk-based approach, meaning the burden is proportional to the risk. This practical checklist is designed to help you get started.

Step 1: Inventory and Initial Assessment

You can't comply if you don't know what you have. The first step is to create a complete inventory of all AI systems you use, develop, or sell.

  • Create a list: Document every AI tool or feature. This includes third-party software (like a CRM with AI features) and any systems you've built in-house.
  • Determine your role: For each system, define your role. Are you a 'provider' (developing it), a 'deployer' (using it), or a 'distributor' (selling it)? Your obligations change based on your role.
  • Initial risk screening: Use our High-Risk Assessment Questionnaire to get a preliminary idea of each system's risk level. Is it likely prohibited, high-risk, or low-risk?

Step 2: Address Prohibited and High-Risk Systems

Your inventory will guide your priorities. Focus on the highest-risk systems first.

  • Phase out prohibited systems: If you identify any systems that fall under the 'prohibited' category (e.g., social scoring), create a plan to phase them out immediately. The deadline for this is fast approaching.
  • Document high-risk systems: If you have a high-risk AI system, your obligations are significant. Start preparing your technical documentation, risk management framework, and data governance policies now.
  • Contact your suppliers: If you are a 'deployer' of a high-risk system from a third party, you need to request the necessary documentation and instructions for use from them.

Step 3: Implement Transparency and Governance

Even for low-risk systems, transparency is key. These steps are good practice for any business using AI.

  • Inform your users: If customers interact with an AI (like a chatbot), you must inform them. Use clear, simple language. Our text module library has templates you can use.
  • Label AI-generated content: If your system generates 'deepfakes' or other synthetic content, it must be clearly labeled as AI-generated.
  • Appoint an owner: Assign a person or small team within your company to be responsible for AI Act compliance. This ensures accountability.
  • Train your staff: Ensure relevant employees understand the basics of the AI Act and your company's policies.

Conclusion: A Proactive Approach for SMBs

For a small business, AI Act compliance is a journey, not a destination. By starting now with a clear inventory, focusing on the highest risks, and embedding transparency into your operations, you can navigate the regulation effectively. This proactive approach not only mitigates legal risk but also builds trust with your customers in an AI-driven world.