Regulation (EU) 2024/1689, known as the "AI Act", has been entering into application progressively since February 2025 and reaches its critical milestone on 2 August 2026. SMEs using or deploying artificial-intelligence systems, including common SaaS tools such as Microsoft Copilot or automated HR modules, must now document, classify and supervise these systems. Here is the 12-point operational checklist every SME leader should have ticked before the deadline.
1. Map your AI systems in production
First reflex: list every AI system in use, declared or not. The most dangerous blind spot is "Shadow AI": according to the Microsoft Work Trend Index 2024, one in three enterprise AI tools escapes the IT department. ChatGPT used by HR to pre-screen applications, a GPT-based Excel plugin, a third-party credit-scoring tool: all are AI systems within the meaning of Article 3 of the AI Act.
2. Classify each system by risk level (Art. 6-9)
The regulation defines four levels: unacceptable risk (banned), high risk, limited risk, minimal risk. The classification grid relies on Annex III: HR, credit scoring, medical diagnosis, content moderation and biometric systems are almost always high risk. An SME using an AI HR tool to filter CVs is directly affected.
3. Prepare the technical documentation (Art. 11 + Annex XI)
For each high-risk system, the SME must produce a technical file: system description, training data, performance, limitations, risk-management measures. This documentation must be available in case of an AESIA (ES) or CNIL (FR) inspection.
4. Appoint an AI compliance owner
A named, internal person. Not necessarily a dedicated Chief AI Officer for an SME: often the DPO extends their scope, or the IT manager takes the role. But one identified, reachable person, with a written mandate.
5. Check your AI suppliers (contractual clauses)
Your contracts with OpenAI, Anthropic, Microsoft, Google and your HR/CRM SaaS vendors must now include: AI Act clauses, a cross-referenced GDPR DPA, hosting region, model transparency, liability-transfer mechanisms. Many contracts signed before 2024 contain none of this. Renegotiation is required.
6. Set up logging of algorithmic decisions
For high-risk systems, each decision must be logged in an auditable and replayable way. This requires a traceability infrastructure: who requested what, which model answered, with what confidence score, and what the human confirmation decision was.
7. Design a human-oversight procedure (Art. 14)
No high-risk decision can be purely automatic. A trained, identified person must be able to intervene, understand the proposed decision, and override it if needed. This procedure must be documented, tested and updated.
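Points 6 and 7 together describe one mechanism: an auditable, replayable record of who requested what, which model answered with what confidence, and what the human reviewer then decided. The following is an added illustration, not code from the article or from any regulator. It assumes an append-only log where each entry carries the hash of the previous one, so that editing or deleting a past decision is detectable, and where the human confirmation or override is a separate appended event rather than an edit to the original record. Field names, the "confirm"/"override" vocabulary and the sample CV-screening data are constructed for the example; the AI Act does not prescribe them.

```python
"""Added example: append-only, hash-chained log of algorithmic decisions.
Field names and the 'confirm'/'override' vocabulary are assumptions made
for illustration, not something the AI Act prescribes."""
import hashlib
import json
from typing import Any, Dict, List

GENESIS_HASH = "0" * 64


def canonical(obj: Any) -> str:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class DecisionLog:
    """Events (model outputs and human reviews) are appended, never edited.
    Each entry stores the hash of the previous one, so any alteration or
    removal of a past decision is caught by verify()."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def _append(self, event: Dict[str, Any]) -> Dict[str, Any]:
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        entry = dict(event, seq=len(self.entries), prev_hash=prev_hash)
        entry["entry_hash"] = sha256_hex(canonical(entry))
        self.entries.append(entry)
        return entry

    def log_model_decision(self, request_id: str, requested_by: str, model_id: str,
                           model_input: Any, output: str, confidence: float) -> Dict[str, Any]:
        """Who requested what, which model answered, with what confidence.
        Only a digest of the input is kept; the raw input stays in the case
        file so the log does not duplicate personal data."""
        return self._append({
            "type": "model_decision", "request_id": request_id,
            "requested_by": requested_by, "model_id": model_id,
            "input_digest": sha256_hex(canonical(model_input)),
            "output": output, "confidence": confidence,
        })

    def log_human_review(self, request_id: str, reviewer: str, decision: str,
                         final_outcome: str, reason: str) -> Dict[str, Any]:
        """The human confirmation or override that closes a high-risk decision."""
        if decision not in ("confirm", "override"):
            raise ValueError("decision must be 'confirm' or 'override'")
        if request_id not in self._decided_ids():
            raise ValueError(f"no model decision logged for {request_id}")
        return self._append({
            "type": "human_review", "request_id": request_id, "reviewer": reviewer,
            "decision": decision, "final_outcome": final_outcome, "reason": reason,
        })

    def _decided_ids(self) -> set:
        return {e["request_id"] for e in self.entries if e["type"] == "model_decision"}

    def pending_review(self) -> List[str]:
        """Requests with a model decision but no human review yet (an Art. 14 gap)."""
        reviewed = {e["request_id"] for e in self.entries if e["type"] == "human_review"}
        return sorted(self._decided_ids() - reviewed)

    def replay(self, request_id: str) -> List[Dict[str, Any]]:
        """Full, ordered history of one decision, as an inspector would ask for it."""
        return [e for e in self.entries if e["request_id"] == request_id]

    def verify(self) -> bool:
        """Recompute every hash and link; False if any entry was edited or dropped."""
        prev_hash = GENESIS_HASH
        for seq, entry in enumerate(self.entries):
            core = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != seq or entry["prev_hash"] != prev_hash:
                return False
            if sha256_hex(canonical(core)) != entry["entry_hash"]:
                return False
            prev_hash = entry["entry_hash"]
        return True


def build_sample_log() -> DecisionLog:
    """Constructed sample: two CV-screening decisions, one reviewed by a human."""
    log = DecisionLog()
    log.log_model_decision("req-001", "hr.assistant@example.test", "cv-screener-v2",
                           {"applicant": "cand-4471", "role": "accountant"}, "reject", 0.91)
    log.log_model_decision("req-002", "hr.assistant@example.test", "cv-screener-v2",
                           {"applicant": "cand-4472", "role": "accountant"}, "shortlist", 0.77)
    log.log_human_review("req-001", "hr.manager@example.test", "override", "shortlist",
                         "relevant experience listed under a different job title")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify())
    print("awaiting human review:", sample.pending_review())
    for event in sample.replay("req-001"):
        print(event["seq"], event["type"], event.get("output") or event.get("final_outcome"))
```

Running the script shows the chain verifying, "req-002" still awaiting its human review, and the two-event history of "req-001" (model rejection, then human override to shortlist). The design choice worth noting is that the human decision is a new event pointing at the request id, not a field updated in place: an in-place edit would break the hash chain, and keeping both events is exactly what makes the decision replayable for an inspector.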
8. Train teams in AI literacy (Art. 4)
This obligation has been in force since 2 February 2025. Every team operating or exposed to AI systems must receive training on the understanding of risks, limits and related obligations. Not a superficial e-learning module: a credible, traceable training programme.
9. Prepare transparency towards exposed persons (Art. 50)
Any user or person subject to a decision made by an AI system must be informed. Your screens, letters and HR processes must include this notice. Specific sanctions apply for omission.
10. Test your set-up in an AESIA audit simulation
AESIA (the Spanish AI Supervision Agency) and the CNIL (FR) can ask to see your files. An internal simulation, or one by a specialised external provider, identifies gaps before they become sanctions.
11. Track regulatory developments (Digital Omnibus, sector guidelines)
The AI Act is not frozen: the Digital Omnibus, sector guidelines and European case law regularly adjust the obligations. Active regulatory monitoring, or a third-party monitoring service, is needed to avoid being caught off guard.
12. Document your approach for inspections
Everything above must be consolidated into an evidence file, ready to present. Internal AI policy, systems register, technical files, training records, supplier contracts, logs: one binder, physical or digital, kept up to date.
What if you have done nothing?
Maximum sanctions: €35M or 7% of worldwide turnover for prohibited practices (Art. 5), €15M or 3% for other breaches, €7.5M or 1% for misleading information (Art. 99 §3). But more likely, in the short term: refusal of cyber insurance, blocking by a large account requiring compliance, loss of a public tender.
The time left before 2 August 2026 is measured in weeks, not months. The good news: an Express AI Act compliance audit, in the vast majority of cases, takes one week and costs between €2,500 and €4,000 excl. VAT. The worst case is to discover an unacceptable-risk system in use without knowing it, which is precisely what an audit reveals.