The AI Act applies to every company, including yours. What changes for smaller businesses are three concrete concessions: reduced conformity assessment fees, a simplified quality management system for microenterprises, and a fine cap that works in your favour instead of against you.
The fine cap is a mitigator — not a shield
Being an SME does not reduce your obligations. If your system violates a prohibition under Art 5, you face up to €35,000,000 or 7% of global turnover — whichever is lower for your size. A startup with €1M turnover faces up to €70,000, not €35M. A startup with €600M turnover faces up to €35M, not €42M. The obligation still fires; only the ceiling adjusts.
Art 5 violation
Large company: up to €35M or 7% — whichever is higher
SME / startup: up to €35M or 7% — whichever is lower
High-risk obligation violation
Large company: up to €15M or 3% — whichever is higher
SME / startup: up to €15M or 3% — whichever is lower
Does the AI Act apply to your system?
Regumatrix checks your system against Article 5 and every Annex III category and returns your risk tier, fine exposure, and the exact obligations that apply — in about 30 seconds.
The AI Act uses the standard EU definition from Commission Recommendation 2003/361/EC. Your size category determines which reliefs you can use. Headcount and financials are both checked — you must meet both thresholds.
Reliefs: Art 99(6) fine cap + Art 63 simplified QMS
Reliefs: Art 99(6) fine cap + Art 62 priority sandbox access + reduced conformity fees
Reliefs: Art 99(6) fine cap + Art 62 priority sandbox access + reduced conformity fees
Art 62 lists four concrete support obligations that Member States and the AI Office must fulfil for SMEs, including startups registered or with a branch in the EU. These are obligations on governments, not things you apply for from the Commission.
Member States must give EU-registered SMEs and startups priority access to their national AI regulatory sandboxes, provided you meet the eligibility conditions. This doesn't exclude other companies from applying — it means you move up the queue when capacity is limited. Inside a sandbox, you can test your AI system under supervision without triggering full compliance obligations during the testing period.
Under Art 62(2), when setting the fees for conformity assessment under Art 43, competent authorities must take SME needs into account and reduce fees proportionately to company size and market size. This applies whether you go through internal assessment or use a notified body.
Art 62(3)(a) requires the AI Office to provide standardised templates for areas covered by the AI Act — so you don't have to build compliance documents from scratch. The AI Office also maintains a single information platform and organises awareness campaigns.
Art 57(9)(e) requires national AI sandboxes to facilitate and accelerate access to the Union market in particular when the AI system is provided by an SME or startup. This is a design requirement for how sandbox programmes must operate — not just an administrative preference.
If you are a microenterprise (under 10 employees, under €2M, no partner/linked enterprises), you can comply with certain elements of the quality management system under Art 17 in a simplified manner. The Commission must publish guidelines specifying which elements can be simplified.
Art 63(2): the simplified QMS does not exempt you from anything else
Article 63(2) is explicit: the simplified QMS option does not relieve you of any other obligation. You still must comply with:
The simplification covers how you structure and document the QMS process — not whether you have one.
This is the most important financial protection for small companies. The AI Act normally sets fines as the higher of a fixed amount or a percentage of global turnover — whichever hits harder. For SMEs and startups, Art 99(6) reverses this: the fine is the lower of the two figures.
| Violation type | Large company cap | SME / startup cap |
|---|---|---|
| Art 5 prohibited practice Art 99(3) | €35M or 7% — whichever is higher | €35M or 7% — whichever is lower |
| High-risk obligation failure Art 99(4) | €15M or 3% — whichever is higher | €15M or 3% — whichever is lower |
| Misleading information to authorities Art 99(5) | €7.5M or 1.5% — whichever is higher | €7.5M or 1.5% — whichever is lower |
Worked example
A startup with €3M global turnover builds an emotion-recognition system for workplace monitoring — an Art 5(1)(f) prohibited practice. The fine ceiling is the lower of €35,000,000 or 7% of €3M (= €210,000). The startup's maximum exposure is €210,000. A large company with €2B turnover would face €35M (the lower of €35M or €140M). Neither company can build the system — only the financial ceiling differs.
The AI Act's concessions for SMEs have hard edges. These obligations apply to every company, regardless of size.
Social scoring, real-time biometric identification in public spaces, emotion recognition at work or school, criminal profiling AI, and AI that exploits vulnerabilities — all prohibited. No SME exception exists. The only difference is that the fine cap applies if you violate them.
If your AI system falls within Annex III (the list of high-risk AI categories — biometrics, education, employment, credit scoring, critical infrastructure, law enforcement, border control, justice), you must comply with Arts 9–15 (risk management, data governance, technical documentation, logging, transparency, human oversight, robustness), plus conformity assessment under Art 43 and registration under Art 49. The QMS can be simplified; the underlying obligations cannot be skipped.
If you deploy a chatbot, you must disclose it is an AI under Art 50(1) (in force since February 2025). If your system generates synthetic images, video, or audio, you must mark them as AI-generated under Art 50(2). These apply to every operator.
High-risk AI systems must pass a conformity assessment — internal (Annex VI) or via a notified body (Annex VII) — before they go to market. SMEs benefit from reduced fees and standardised templates, but they cannot skip the assessment. The declaration of conformity and CE marking requirements under Arts 47–48 still apply.
The Digital Omnibus on AI (COM(2025) 836) proposes major expansions to SME reliefs. If enacted, these changes would apply alongside the existing AI Act concessions.
New SMC (small mid-cap enterprise) category — 836 Art 1 pt3
836 proposes adding a legal definition of "SMC" (small mid-cap enterprise) to the AI Act's definitions article, referencing Commission Recommendation (EU) 2025/1099. SMCs would join SMEs in receiving most AI Act concessions — including priority sandbox access, the penalty cap under Art 99(6), and the simplified QMS obligation.
Simplified technical documentation form for SMEs and SMCs — 836 Art 1 pt8
836 proposes amending Art 11(1) to require the Commission to create a simplified technical documentation form for SMEs and SMCs. Notified bodies would be required to accept this simplified form for conformity assessments. Currently all providers must use the full Annex IV template.
Simplified QMS extended from microenterprises to all SMEs — 836 Art 1 pt21
Under the current AI Act, Art 63 simplified QMS is only available to microenterprises (under 10 employees, under €2M). 836 proposes expanding this to all SMEs including startups, removing the microenterprise-only restriction.
SMC fine cap added to Art 99(6) — 836 Art 1 pt29
836 proposes replacing Art 99(6) to include SMCs in the lower-of-two-figures fine cap. Currently only SMEs and startups benefit. If enacted, the favourable cap would extend to companies with up to ~750 employees.
EU-level sandbox with SME priority access — 836 Art 1 pt17
836 would allow the AI Office to establish an EU-level regulatory sandbox for AI systems under its exclusive supervision. The proposal requires this EU sandbox to provide priority access to SMEs — adding a Union-level option alongside the national sandboxes under Art 62.
High-risk obligations delayed — 836 Art 1 pt31
836 proposes that Chapter III (high-risk AI obligations) only applies after the Commission confirms adequate harmonised standards and support measures are in place. Fallback dates: 2 December 2027 for Annex III systems (20 months away) and 2 August 2028 for Annex I systems. This gives all providers, including small ones, more time.
None of the above is in force. These are proposals under COM(2025) 836, currently in trilogue in early 2026. Do not plan your compliance programme on proposals that may change.
Many startups land in a grey area. Your system may technically list in Annex III but still qualify as not high-risk if it passes the four-condition test under Art 6(3). Common uncertainty signals for SMEs:
COM(2025) 837 proposes no changes relevant to SME-specific AI Act provisions.
Yes — the AI Act applies to every AI provider or deployer that places a system on the EU market or uses it to affect EU residents, regardless of company size. Being an SME does not exempt you from the regulation. What it does is reduce certain obligations (simplified QMS, reduced conformity fees) and cap fines at the lower of the two figures under Art 99(6), rather than the higher.
For large companies, fines are the higher of the fixed amount or the percentage of global turnover. For SMEs and startups, Article 99(6) reverses this: fines are the lower of the fixed amount or the percentage. For example, on an Art 5 prohibition violation, a small startup pays up to €35 million OR up to 7% of global turnover — whichever is lower. A startup with €2M revenue faces up to €140,000, not €35 million.
A microenterprise has fewer than 10 employees and annual turnover or balance sheet under €2 million (Commission Recommendation 2003/361/EC). Under Article 63, microenterprises may comply with parts of the quality management system in a simplified manner, as long as they have no partner or linked enterprises. Article 63(2) makes clear this does not exempt microenterprises from any other obligation, including Articles 9–15, 72, and 73.
Yes. Article 62(1) requires Member States to provide SMEs and startups registered in the EU with priority access to AI regulatory sandboxes, provided they meet the eligibility conditions. This does not exclude other companies from applying — it means SMEs jump the queue when slots are limited. Sandboxes let you test your system under real conditions with direct regulatory guidance, without triggering full compliance obligations during the testing phase.
No. The prohibitions under Article 5 — including bans on social scoring, real-time biometric ID in public spaces, emotion recognition in workplaces and schools, and biometric profiling — apply to every operator regardless of company size. The Article 99(6) fine cap still applies if you violate them, but you cannot build or deploy a prohibited AI system even as a two-person startup.
EU AI Act Fines & Penalties
Full breakdown of all four penalty tiers under Art 99
Is My AI High-Risk?
Check all 8 Annex III domains in one checklist
Conformity Assessment Guide
Art 43 self-assessment vs notified body — when each applies
AI Provider Obligations
Complete checklist: Arts 9–21, conformity, registration
Banned AI Practices
All 8 Art 5 prohibitions — including what applies to startups
What Changes Under COM(2025) 836
All 14 major changes the Digital Omnibus proposes to the AI Act
Regumatrix checks your system against Article 5 and every Annex III category and returns: your risk tier, your Annex classification, the specific obligations that apply, your fine exposure under Art 99 (including the SME cap), and an 8-section cited compliance report.
