Trusq

factual analysis · traceable to primary sources

Guide

The AI Act for SMEs: proportionality, sandboxes and costs

Adopted 2026-06-22 · ≈ 2 min read · Dirk Baaijen

The AI Act applies to SMEs too, but builds in relief: proportionate documentation, priority and lower cost in regulatory sandboxes, and fines with an SME cap. This guide shows what to watch for as a small business.

Short answer: The AI Act makes no exception for SMEs, but it does build in relief. The weight of the obligations depends on the risk of your AI system, not on your company size, but for small businesses there is proportionate documentation, priority in regulatory sandboxes, and a fines regime that takes size into account. So start with the risk question, not the panic question.

First the risk question, not size

Most AI applications in SMEs fall into the minimal or limited risk categories: then at most transparency duties apply, such as telling a user they are dealing with AI. Only if you provide or deploy a high-risk system do the heavy obligations come into play. Many SMEs panic needlessly: first honestly determine which risk category your application falls into (see the state of AI regulation).

Proportionality in practice

Where obligations do apply, the way you meet them may be proportionate to your size. The AI Act and accompanying guidelines allow small businesses to keep technical documentation in a simplified form, as long as the essence is demonstrably present. Proportionality does not mean "exempt", but it does mean: no documentation burden that only a large group can carry. What you must have ready at minimum is set out in preparing for an audit.

Regulatory sandboxes

Every Member State must set up at least one regulatory sandbox: a controlled environment in which you can develop and test an AI system under supervision before market launch. SMEs get:

  • priority and free or affordable access to the sandbox;
  • guidance from the supervisor, which lowers uncertainty and legal costs;
  • room to learn without immediate enforcement risk, provided you stick to the arrangements.

For a small business the sandbox is often the cheapest route to certainty.

Controlling costs

The costs lie mainly in documentation, conformity assessment and governance. Limit them by: following standards and codes of practice instead of reinventing the wheel, reusing supplier documentation, and making use of the AI Office and national help desks. The fines regime applies the lower of the percentage or fixed-amount cap for small businesses, so the penalty is not business-threatening, but the norm itself applies in full.

What to do

  • Classify your systems: minimal, limited or high risk; that determines everything.
  • Use a sandbox if you are developing something new; request priority as an SME.
  • Reuse documentation from suppliers and follow codes of practice.
  • Keep it proportionate: simplified documentation is allowed, as long as the essence is right.
  • Know the SME fines cap (see fines and enforcement).

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act); Art. 57-63 on regulatory sandboxes and support for SMEs, and Art. 99 on proportionate fines.
  2. https://digital-strategy.ec.europa.eu/en/policies/ai-office
    European Commission; the AI Office supports SMEs with guidelines and codes of practice.


About this knowledge base

Compiled and maintained by YRproject: programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.
