Your staff use AI tools today, policy or no policy. A good AI usage policy is one page that makes that use safe — not a 40-page document nobody reads. Here is what belongs in it, what the law expects, and a practical outline you can adapt.
Last updated: 11 June 2026
An SME's AI usage policy needs five elements: which tools are approved (and which accounts), what data may and may not go in, where human review is mandatory, who owns the policy, and how staff get trained. The AI Act's Article 4 literacy duty already applies — a policy plus a short training is the practical way to meet it.
Two reasons, one legal, one practical. Legally, the EU AI Act's Article 4 requires organisations to ensure adequate AI literacy in staff who use AI systems — a duty that is already in force (unlike parts of the high-risk regime, which have shifted via the Digital Omnibus — disclosed honestly in our AI Act checklist). And under the GDPR, client or personnel data pasted into a free consumer chatbot account is a processing problem you cannot explain away.
Practically: without a policy, every employee invents their own rules. The result is the worst of both worlds — data risk from the enthusiasts and zero productivity gain from the cautious.
A usable SME policy fits on one page. The structure we implement with clients:
The failure modes are predictable: a policy that only forbids (staff route around it on their phones), a policy nobody trained on (legally worth little as literacy evidence), no named owner (it ages into fiction within a year), and copy-pasted corporate templates full of roles an SME does not have. Keep it short, name real tools, review it twice a year.
Want it done properly in one go? Our AI Act check (€950) delivers a gap analysis including a policy tailored to your tools and data, and our AI-literacy training (€12,500) makes the training-plus-sign-off part real — training costs are often partly SLIM-eligible, which we check for free.
There is no article saying 'thou shalt have a policy' — but Article 4 of the AI Act requires demonstrable AI literacy of staff, and the GDPR requires controlled handling of personal data in AI tools. A policy plus training is the practical, defensible way to meet both.
The usage policy governs how staff use AI tools day to day. An AI register lists which AI systems your organisation uses and their risk classification — useful, and for some deployers of high-risk systems part of compliance. Start with the policy; add the register as your AI use grows.
Yes — it is usually the main reason the policy exists. Specify the approved business account, the data rules, and the outputs that need human review. See our guide on ChatGPT for business for the rollout side.
Keep it simple and documented: the policy itself, training attendance records, and signed confirmations. That combination shows staff were made adequately AI-literate — which is what the duty asks.
Yes. The AI Act check (€950 fixed) includes a gap analysis and a policy tailored to your actual tools and data flows, and the AI-literacy training makes it land with your team. We are consultants, not a law firm — for edge cases we advise involving your legal counsel.
AI Act check for a fixed €950: gap analysis + a policy tailored to your tools. Training often partly SLIM-eligible.
Book a free consultation →