Back to blog
EU regulationCompliance

The EU AI Act: what it means for small business

The world's first comprehensive AI law doesn't regulate the technology - it regulates how you use it. Find out which risk tier you fall in, and what you actually have to do.

NOMELIA9 min read
Share

Regulation (EU) 2024/1689 - the AI Act - is the world's first comprehensive law on artificial intelligence. Its goal is simple: to protect people and their fundamental rights while letting business grow fairly and safely. The key thing to grasp is that the law doesn't regulate the technology - it regulates how it's used. The same model can be out of scope in one application and tightly regulated in another.

A risk-based framework

The Act sorts AI uses into four tiers:

  • Prohibited practices. You can't use AI to monitor employees' emotions, manipulate customers, or do social scoring. That's an immediate violation.
  • High risk. This is where most small businesses need to be most careful (see below).
  • Limited risk (transparency). When a customer talks to your chatbot or sees AI-generated content, you must tell them.
  • Minimal risk. The bulk of software - spam filters, recommendation engines. No specific obligations.

When AI is "high-risk"

The most important list for business is Annex III. AI is high-risk when used in:

  • hiring (HR);
  • granting credit or insurance;
  • education;
  • police, courts, border control;
  • biometrics (facial recognition);
  • critical systems such as electricity, water and banking.

Separately, Annex I covers ordinary products - cars, toys, medical devices, machinery. If the AI embedded in them is safety-relevant (a car's brakes, say), it automatically becomes high-risk.

If you're in high risk, the obligations are real: documentation, data checks, guaranteed human oversight and strong security. That brings extra work and cost.

Provider or deployer?

Small businesses are most often deployers - using an off-the-shelf AI tool. But beware: if you modify an existing model and release it under your own brand, you become a provider and take on substantially more obligations.

The penalties

Fines are serious - up to EUR 35 million or 7% of turnover for prohibited practices. There is, however, protection for SMEs: the fine is set at the lower of the two figures, not the higher.

What's happening right now

As of March 2026 the picture is moving:

  • A strategic pause. Because technical standards are running late, the toughest rules for high-risk systems may be postponed to the end of 2027 - giving small firms more time to prepare.
  • Bulgaria is acting. While the national law is stuck in parliament, the administration is moving ahead - the revenue agency (NAP) has deployed the national language model BgGPT (by INSAIT) to automate tax services.
  • A trust label. The EU has finalized its "Code of Good Practice." By mid-2026 there will likely be a single European "AI" icon to mark generated content.

The rollout timeline

Application is phased (and may shift under the so-called "Digital Omnibus"):

  • 2 February 2025 (in force): ban on the most dangerous practices; start of the "AI literacy" obligation.
  • 2 August 2025 (in force): rules for general-purpose AI models (GPAI). Developers of large models publish summaries of their training data.
  • 2 August 2026 (upcoming): full application, including Annex III high-risk systems and deepfake transparency.
  • Possible delays: Annex III rules may move to December 2027, and Annex I to August 2028. Still not certain.

Who supervises in Bulgaria

At EU level the lead is the AI Office within the Commission. Nationally, coordination sits with the Ministry of e-Government, and seven institutions (including the Ombudsman and the data-protection and anti-discrimination authorities) already monitor fundamental-rights compliance in AI use.

What to do now

  • Take inventory. List every AI tool you use - from the chatbot on your site to your hiring software - and assign a risk tier to each.
  • Check supplier contracts. Make sure your AI software vendors warrant compliance with the Act, so you don't carry the full liability.
  • Train your team. "AI literacy" is now a legal obligation - staff must understand the risk of errors (hallucinations) and how to use the tools ethically.
  • Label content. If you publish AI-generated content, add a clear notice or use the common European symbol.

The good news: most startups sit in "limited" risk, where the obligation comes down to transparency. Start with the inventory - it's the document both the regulator and your investor will want to see.

Related articles