The European Regulation on Artificial Intelligence (AI Act), which entered into force in 2024, represents the world's first major attempt to regulate the development and use of AI systems. Designed with particular attention to SMEs, this text offers both opportunities and obligations that need to be understood.
Regulation Designed for Small Structures
The text mentions SMEs 38 times (compared to 7 mentions of the word "industry"). Microenterprises, startups, and VSEs are clearly in the sights of the European legislator—but with a focus on flexibility rather than sanctions.
Specific measures include:
- Regulatory sandboxes (experimental spaces): each Member State must establish at least one sandbox by 2026, accessible free of charge and as a priority for SMEs. These spaces allow testing AI under real conditions, with supervision, without risking administrative fines.
- Reduced and proportionate fees for conformity assessments.
- Simplified documentation for small structures, accepted by national authorities.
- Training programs and dedicated support channels to understand and apply the law.
Obligations Adjusted According to Company Size
The AI Act applies the principle of proportionality. In other words, the smaller the company, the lighter the obligations.
This is particularly true for:
- Providers of general-purpose AI models (such as those that write, code, or summarize texts).
- Models presenting systemic risk (extreme computing power, potential impacts on public health, fundamental rights, or society). These must meet stricter obligations: risk assessment, testing, enhanced cybersecurity, etc.
However, for the vast majority of SMEs, what matters is not the power of the AI model, but the intended use of their solution. Companies must position themselves within one of the three risk categories of the AI Act:
- Prohibited systems
- High-risk systems
- Systems with specific transparency obligations
What Should Companies Pay Attention To?
Here are some key points to avoid common pitfalls:
- Do not underestimate the categorization of your system: some seemingly mundane functionalities (e.g., automatic CV sorting, assisted diagnosis) may fall under the "high risk" category.
- Anticipate documentation: even if simplified, it requires a certain level of rigor and must be developed from the early stages of the project.
- Distinguish between supplier and end user: even if you integrate a model developed by a third party (such as GPT-4o, Mistral, or Gemini), you may be considered responsible for the final system.