EU AI Act compliance checklist: 8 steps for small businesses (2026)
There are 27 days left until Article 50 of the EU AI Act becomes enforceable. This is the complete, practical checklist we use inside ActHub, free to follow with or without our product.
Who this checklist is for
You run a small business, an online shop, an agency, or a SaaS. Somewhere in your business there is AI: a chatbot, AI-written product descriptions, AI-generated images, an AI feature in your product, or staff using ChatGPT daily. If people in the EU interact with any of that, the EU AI Act applies to you, even if your company is not based in the EU. The good news: for most small businesses the duties are transparency duties, and you can complete all eight steps below in roughly one focused day.
Step 1: Inventory every AI system you use
You cannot comply with a law about AI if you do not know what AI you run. List every tool: the chatbot on your site, the AI features inside your SaaS, ChatGPT and Claude used by staff, AI image generators for marketing, AI note takers in meetings, AI screening in recruitment. For each tool record the vendor, the purpose, the people affected, and the data it touches.
Step 2: Classify each system by risk tier
The Act sorts AI uses into prohibited, high risk, limited risk, and minimal risk. Prohibited uses (like emotion recognition at work or social scoring) must stop. High risk uses (like AI CV screening) carry heavy duties. Most small business uses land in limited risk, which mainly means transparency. Classify every system in the inventory so you know which rules apply.
Step 3: Add a disclosure to every chatbot and voice agent
Article 50(1): people must be told they are talking to an AI at the first interaction, clearly and accessibly. Put it in the chatbot welcome message, in a persistent badge, or in a banner shown before the input field. For voice agents, the announcement is the first sentence of the call.
Step 4: Label AI-generated content, visibly and in the metadata
Article 50(2) and 50(4): AI-generated text, images, audio, and video that you publish need a visible label for humans and a machine-readable marker for platforms. For images the industry marker is the IPTC digital source type "trainedAlgorithmicMedia" embedded as XMP metadata.
Step 5: Publish an AI transparency page
Not strictly mandated as a single page, but it is the cleanest way to satisfy several duties at once and it is what regulators, customers, and business partners will look for. List the AI systems that touch your users, what they do, and how people can reach a human.
Step 6: Write a one-page internal AI policy
Article 4 requires AI literacy for staff operating AI systems. A short policy that says which tools staff may use, for what, with what data, plus a yearly awareness moment, covers the essentials and creates evidence of governance.
Step 7: Assemble your evidence dossier
When a customer, partner, or authority asks "show me your AI Act compliance", you want a dated PDF: the inventory, the risk classifications, screenshots of your disclosures, the transparency page, and the internal policy. Keep versions; the law rewards documented, dated diligence.
Step 8: Set a review rhythm
AI tools change monthly. Add a quarterly 30-minute review: new tools into the inventory, dead tools out, reclassify anything that changed, refresh the transparency page, and re-export the dossier.
What you can safely ignore (for now)
Most small businesses do not need: a notified body conformity assessment (that is for high-risk systems), a quality management system under Article 17 (providers of high-risk systems), or the general-purpose AI model duties (that is for the companies training the models, like OpenAI or Anthropic). If your only AI is bought-in tools used for normal business purposes, the transparency track above is your track.
The deadline and the fine, in one paragraph
Article 50 transparency obligations become enforceable on August 2, 2026. Non-compliance with transparency obligations can draw fines up to 15 million euros or 3 percent of worldwide annual turnover, whichever is higher (Article 99(4)). Prohibited practices go up to 35 million euros or 7 percent. National market surveillance authorities investigate complaints, and complaints can come from anyone, including competitors.
Do it manually or do it with ActHub
Everything above can be done with a spreadsheet, a text editor, and patience. ActHub does the same eight steps with guardrails: a guided inventory with 35 pre-loaded vendors, an automatic risk-tier wizard, a one-line chatbot disclosure widget, a metadata label injector for images, an auto-generated public transparency page, and a one-click evidence dossier PDF. Start with the free 60-second self-check to see which steps you are missing.
Sources: Article 50 full text, Article 99 penalties, Official SME guide, European Commission.
Check your status in 60 seconds
Ten questions. A personal action plan. No signup needed.
Take the free self-check