Most of what SMEs read about the AI Act is either panic or sales copy. The honest version: most small and mid-sized companies are 'deployers' with limited obligations — but the AI-literacy duty (Article 4) already applies to every company whose staff use AI, and the next wave of obligations starts on 2 August 2026. Here's the checklist, without the fear marketing.
Last updated: 11 June 2026
Most Dutch SMEs are 'deployers' of AI under the EU AI Act, with limited obligations. Two things matter now: the AI-literacy duty (Article 4) already applies to every organisation whose employees use AI tools like ChatGPT or Copilot, and the high-risk obligations start on 2 August 2026 (parts have been deferred by the EU's Digital Omnibus). Our fixed-price AI Act Check (€950) tells you in one week which category your AI use falls into and exactly what to arrange — and, just as often, what you can safely ignore.
The AI Act regulates uses of AI, not AI itself. Four classes decide your obligations:
| Class | Examples | What it means for an SME |
|---|---|---|
| Prohibited | Social scoring, manipulative AI, emotion recognition at work | Simply don't. These are banned outright. |
| High-risk | AI in recruitment/selection, credit scoring, safety components | Heavy obligations (risk management, logging, human oversight). Most SMEs only touch this via HR tooling — check your recruitment software. |
| Limited risk | Chatbots, AI-generated content | Transparency: people must know they're talking to AI or seeing AI content. |
| Minimal risk | Spam filters, spellcheck, most office AI use | No specific obligations — but Article 4 AI literacy still applies to your staff. |
Our AI Act Check gives you certainty for a fixed €950 (ex VAT), delivered within one week: an inventory of your AI use, a risk classification per system, your role (provider/deployer) per system, an AI usage policy template tailored to your business, and a concrete to-do list — including what you can safely ignore. If training is needed, the SLIM subsidy often covers a substantial part of the cost. We are AI practitioners, not a law firm: for contested legal questions we'll tell you honestly when you need a lawyer.
The AI Act entered into force in stages. Prohibitions and the Article 4 literacy duty already apply. The high-risk obligations become binding on 2 August 2026, but the EU's Digital Omnibus agreement (2026) deferred parts of the high-risk regime by 12–16 months for many categories. What this means in practice: the fear-marketing deadline is softer than advertised — but the literacy duty and transparency rules are not postponed, and they're the ones that actually touch most SMEs. Verify current status on the official implementation timeline; this page reflects the position at the 'last updated' date above.
First practical step for most SMEs: writing an AI usage policy.
Yes — but proportionally. Most SMEs are 'deployers' with limited obligations: AI literacy for staff (Article 4, already in force), transparency for chatbots and AI content, and care with AI in decisions about people. The heavy high-risk regime mostly concerns providers and specific uses such as recruitment screening or credit scoring.
Article 4 requires every organisation that uses AI to ensure its staff have a sufficient level of AI literacy — understanding what the tools do, their risks and limitations. It already applies. There is no prescribed course; documented, role-appropriate training is the practical way to demonstrate compliance.
Using ChatGPT or Copilot makes your company a 'deployer' of a general-purpose AI system. That doesn't trigger high-risk obligations by itself, but Article 4 (AI literacy) applies, and you should have a usage policy governing what data staff may enter.
Maximum fines are severe on paper (up to €15 million or 3% of turnover for high-risk violations), but the Act instructs regulators to weigh company size, and an amended SME framework provides reduced fines and simplified compliance. For a typical SME deployer, the realistic exposure is being unable to demonstrate literacy training or transparency — cheap to fix now, awkward to explain later.
Crux Digits' AI Act Check is a fixed-price (€950 ex VAT) one-week assessment: an inventory of your AI use, risk classification per system, your role per system, a tailored AI usage policy template and a concrete to-do list — including what you can safely ignore.
Partially. The EU's Digital Omnibus (2026) deferred parts of the high-risk regime by 12–16 months for many categories. The prohibitions, the Article 4 literacy duty and transparency rules were not postponed — those already apply.
AI Act Check: €950 fixed, delivered in one week — including what you can safely ignore.
Book your AI Act Check →