It’s Too Hard for Small and Medium-Sized Businesses to Comply With the EU AI Act: Here’s What to Do

Summary:

• The EU AI Act creates a heavy compliance burden for SMBs, risking innovation and competition, as smaller firms lack the resources and expertise of larger enterprises.
• Targeted solutions are needed, including tiered compliance frameworks, direct funding and collaborative industry support to help SMBs meet regulatory requirements.
• Practical support like regional compliance hubs, multilingual guidance, and streamlined regulatory sandboxes can level the playing field and ensure AI innovation is accessible to all EU businesses, not just tech giants.
• Early and effective compliance will help SMBs win contracts, build trust, and prepare for global expansion as AI regulations spread worldwide.

The European Union's AI Act sets a global standard for AI regulation. Still, it creates a significant implementation gap for small and medium-sized businesses (SMBs) because they often lack the financial resources, technical expertise and compliance infrastructure needed to meet these standards. This policy brief proposes targeted solutions to EU policymakers for balancing robust AI standards with essential support for SMBs, which represent 99% of EU businesses.

Addressing the implementation gap is key for keeping market competition healthy and meeting the EU’s digital sovereignty and economic growth goals. Since the adoption of the AI Act, the EU is now openly looking for ways to slim down its AI rulebook and make compliance less of a headache for businesses.

This brief lays out policy steps that tackle uneven compliance burdens without losing sight of the Act’s core protections. These recommendations fit with the EU’s new push to streamline rules and remove obstacles that slow down European companies.

If policymakers follow through, AI innovation will be an option for businesses of all sizes, not just the largest players. That way the EU can avoid power becoming concentrated in a few hands and keep its AI ecosystem diverse and competitive.

What is the EU AI Act?

The EU AI Act is the world's first comprehensive legislative framework for regulating artificial intelligence. It adopts a risk-based approach, categorizing AI systems based on their potential impact on fundamental rights, safety and well-being. The Act imposes varying obligations depending on whether systems are classified as minimal, limited, high-risk or prohibited. It began phased implementation in August 2024 with full application by August 2026.

Evidence of disproportionate burden

For ‘high-risk’ AI systems, the Act requires extensive technical documentation and comprehensive risk management systems. This creates several specific challenges that impact SMBs more severely than their larger counterparts.

What makes an AI system ‘high-risk’?

The EU AI Act classifies systems as high-risk if they are used in critical infrastructure, education, employment, essential services, law enforcement, migration or justice administration. This includes AI that evaluates creditworthiness, screens job applicants, prioritizes public services or assists judicial decisions. High-risk systems face the most stringent requirements for documentation, risk assessment and human oversight.

Documentation demands

Consider the hypothetical company TechSolve, a 17-person software firm in Prague that uses AI to streamline and automate business operations. To comply with the Act, they would face the prospect of dedicating 30% of their technical capacity just to creating compliance documentation, delaying their product updates by two quarters.

Similarly, RecruiTech – a hypothetical company with 45 employees providing AI-based recruitment tools – estimates compliance costs at €12,000 per high-risk system, representing 20% of their quarterly R&D budget.

The compliance capacity gap between enterprises (larger businesses) and SMBs manifests in three key areas:

• financial resources: enterprises can allocate dedicated budgets to compliance, while less wealthy SMBs face difficult tradeoffs
• technical expertise: enterprises can employ specialists while SMBs rely on generalists
• infrastructure: enterprises can adapt existing systems while SMBs must build from scratch

An illustrative compliance burden comparison

Cross-sector evidence

This challenge spans diverse sectors. For illustration, consider the examples of MedianDiagnostics, a 25-person medical device manufacturer that faces AI documentation costs equaling 15% of their R&D budget; PrecisiousTech, a manufacturing firm with 120 employees that lacks specialized governance expertise for their predictive maintenance AI; and ShopSmart, a retail analytics provider that must both comply themselves and guide their small business clients through downstream responsibilities.

Historical data from previous regulations reveals consistent patterns of disproportionate impact from legislation. GDPR implementation hit SMBs particularly hard – a study by the International Association of Privacy Professionals found that compliance costs for SMBs averaged €130,000, with some reporting costs up to €500,000. Similarly, research on financial services regulations demonstrated that compliance costs led to reduced competitiveness specifically for smaller players.

The European Commission's research on environmental regulations highlighted that compliance costs created significant barriers to entry and growth for smaller businesses. In the healthcare sector, compliance costs were substantially higher for SMBs relative to revenue, challenging their ability to make a profit while maintaining competitiveness.

Lessons from global approaches

Three alternative regulatory models offer insights for the EU framework.

The U.S. employs a decentralized approach to regulation through multiple agencies (e.g. FDA, FTC), which reduces the immediate compliance burden but creates regulatory inconsistency across sectors.

Japan focuses on collaborative governance through industry partnerships and targeted interventions, with METI programs specifically supporting smaller businesses in AI adoption – a pragmatic strategy the EU could partially adopt.

The UK implements a principle-based approach through existing regulators, with pro-innovation provisions reducing burdens on smaller organizations via the AI Security Institute.

These models demonstrate how tiered compliance, sector-specific support and SMB-focused assistance can be integrated while maintaining protective standards.

Policy solutions that maintain standards

To bridge the compliance gap without compromising the Act's protective goals, policymakers should consider the following targeted interventions.

A tiered compliance framework

Define tiered thresholds based on organization size and AI system complexity with implementation extensions (12 months for businesses under 50 employees, 6 months for those with 50-250). This follows successful EU precedents in GDPR, where smaller organizations received exemptions from certain requirements while maintaining core protections.

Criteria should include organizational size, annual turnover (under €10 million for small businesses) and AI system risk level. Complementing this approach with simplified assessment templates for common SMB use cases would reduce compliance burden while preserving the Act's protective intent.

Financial support mechanisms

Smaller businesses need direct funding support. Establishing grants of €5,000–€15,000 through the Digital Europe Programme would help SMBs invest in essential compliance infrastructure. The programme already provides funding for digital transformation across various sectors and could serve as a model for supporting SMBs in developing AI compliance infrastructure. Similarly, Horizon Europe offers grants to support research and innovation, including projects related to AI and digital technologies, which could help SMBs develop innovative AI solutions that meet regulatory requirements.

During GDPR implementation, some EU member states and industry associations offered specific support mechanisms, including funding and guidance to help SMBs comply with data protection regulations. These initiatives demonstrate how existing EU programs can provide financial support to SMBs and could be adapted or expanded to address AI compliance needs.

Tax credits of 25–50% for documented compliance expenditures could follow successful models from R&D incentive programs, helping offset immediate costs while encouraging necessary investments.

Compliance vouchers for external expertise and consulting services could provide SMBs with immediate access to specialized knowledge without requiring permanent hires.

Collaborative solutions

Industry associations and public-private partnerships can play a role in reducing compliance barriers for resource-constrained SMBs by developing:

• Standardized assessment methodologies for common AI applications in their sectors
• Template documentation to help companies meet regulatory requirements while reducing implementation costs
• Regional compliance hubs where SMBs can access expertise and testing environments, such as European Digital Innovation Hubs (EDIHs), the European DIGITAL SME Alliance's regulatory navigation network and regional Chambers of Commerce providing localized compliance guidance
• Pooled resources for developing open source compliance tools for documentation, monitoring and reporting
• Knowledge-sharing networks where best practices can be disseminated efficiently across the SMB ecosystem
• Multilingual guidance addressing linguistic diversity challenges

Member state authorities can enhance compliance through dedicated support desks with expertise in sector-specific implementation challenges and proactive outreach programs designed to reach smaller organizations.

SMBs in the European economy

Small and medium-sized businesses represent 99% of all businesses in the EU, employ around 100 million people, and create more than half of Europe's GDP. They're defined as enterprises with fewer than 250 employees and either turnover of €50 million or less, or a balance sheet total of €43 million or less. The vast majority (93%) are micro-enterprises with fewer than 10 employees.

Regulatory sandboxes optimized for smaller players

Current sandbox models often unintentionally favor organizations with dedicated regulatory affairs teams. Evidence shows that targeted modifications can improve SMB access: for example, Singapore's Sandbox Express, which enables testing within 21 days through predefined eligibility criteria, or the UK FCA, which allows scaled testing with limited customer numbers.

For AI Act implementation, similar approaches could include streamlined applications, predefined parameters for common SMB AI applications and dedicated support teams focused on smaller organizations.

Strategic opportunities beyond compliance

Meeting the Act’s standards such as rigorous documentation, risk controls and governance addresses requirements that large enterprises and public sector bodies demand from their suppliers. Public sector procurement processes and enterprise tenders often require bidders to demonstrate compliance with relevant regulations, risk management and ethical AI practices. By achieving these standards, SMBs can

• Qualify for more contracts: Many public sector and large enterprise contracts are only open to vendors who can prove regulatory compliance and ethical practices. Documentation and risk controls are often mandatory in tender specifications.
• Build trust and credibility: Demonstrating governance and transparency reassures clients especially in sensitive sectors that the SMB’s AI solutions are reliable and low-risk.
• Level the playing field: Compliance infrastructure, once established allows SMBs to compete with larger firms who have traditionally dominated regulated markets.
• Prepare for global expansion: Early compliance positions SMBs to enter other markets as similar AI regulations emerge worldwide, simplifying international growth.

Multilingual challenges

The EU's linguistic diversity creates additional challenges that require specific solutions. While the EU AI Act allows flexibility in documentation language, market requirements often necessitate preparing materials in national and target market languages. This multiplies the compliance workload for SMBs without established translation resources.

The expertise gap compounds this problem, as AI governance specialists are unevenly distributed across language regions, leaving SMBs in smaller language markets struggling to find qualified personnel who understand technical and regulatory aspects in their local language.

The urgent implementation timeline

The August 2025 implementation of General-Purpose AI [GPAI] Model Requirements introduces a new layer of complexity for SMBs. While primarily targeting developers of foundation models (like OpenAI, Anthropic, etc.), these requirements also affect downstream SMB implementers who build applications on top of these models. SMBs will face new transparency requirements regarding their use of GPAI components, demands for additional documentation about model behaviors, and potential compliance costs related to fundamental rights assessments. For SMBs leveraging GPAI, this represents an implementation hurdle that comes six months before the Act’s full application, requiring them to prepare for foundation model requirements and sector-specific obligations simultaneously.

A balanced path forward

For policymakers committed to innovation and safety, three priority recommendations emerge:

1. Implement a tiered compliance approach explicitly scaled to organizational size
2. Establish dedicated funding mechanisms focused on SMB compliance support
3. Develop SMB-specific guidance materials in partnership with industry associations

Without these targeted interventions, regulatory disparities may lead to AI innovation being concentrated among a few large players, undermining the EU's broader goals of digital sovereignty and inclusive economic growth.

‍

About the author

Gideon Abako is an AI governance specialist who has worked on the EU AI Act compliance frameworks and also develops policy solutions for SMBs navigating regulatory requirements. His expertise spans AI ethics, regulatory compliance assessment, and cross-sector implementation strategies, with a focus on balancing innovation with governance requirements. He has contributed to international AI governance frameworks through multiple policy programs.

Contact: g.abako@neuravox.org.

‍