EU AI Act Mandatory Compliance Guide 2025-2026

EU AI Act for AI Agent Providers: Obligations, Compliance and Opportunities for Agencies and Consultants Selling to SMEs

The EU AI Regulation is in force. From 2025 to 2027, new obligations progressively apply to those who develop, sell or manage AI systems — including consultants and agencies bringing AI Agents to SMEs. It is not just a risk to manage: it is a competitive advantage to seize.

June 2026 12 min read

This article is not legal advice

It provides an operational overview of the EU AI Act for those selling or managing AI Agents for SMEs. For specific applications, consult a lawyer specialised in digital and AI law.

What is the EU AI Act and Why It Changes Everything for AI Consultants

Regulation (EU) 2024/1689 on Artificial Intelligence — commonly known as the EU AI Act — entered into force on 1 August 2024. It is the world's first binding AI law with concrete sanctions: up to 7% of annual global turnover for the most serious violations, up to 3% for violations of other obligations.

Application is progressive: from February 2025 absolute prohibitions (banned AI), from August 2025 general-purpose AI systems (GPAI), from August 2026 high-risk systems, from August 2027 specific legacy systems. This means you are already within the regulatory perimeter, even if full sanctions arrive in 2026-2027.

Who is subject to the AI Act?

Provider: anyone who develops or has developed an AI system and places it on the market — even for free — under their own name or brand.

Deployer: anyone who uses an AI system in a professional context to provide services or products to third parties.

A consultant who configures an AI Agent and delivers it to an SME client is typically both: provider of the configured system and deployer towards the end client.

Risk Classification: Where AI Agents for SMEs Fall

The AI Act classifies AI systems into 4 risk levels. Understanding where typical AI consultant use cases fall is the first step towards compliance.

BANNEDUnacceptable Risk

Social scoring, subliminal behavioural manipulation, predictive policing, real-time biometric recognition in public spaces. Banned since February 2025. No standard SME use case falls here.

HIGH RISKStringent Obligations

HR systems (selection, evaluation), credit scoring, access to essential public services, critical infrastructure systems, AI in medical devices. Require registration, technical documentation, mandatory human oversight and certified conformity. Avoid without a dedicated compliance structure.

LIMITED RISKTransparency Obligations

Chatbots and virtual assistants, content generation systems (text, images, audio, video), deepfakes. Users must know they are interacting with an AI. This is where most SME AI Agents fall (customer support, content generation, FAQ bots). Applicable now.

MINIMAL RISKNo Specific Obligations

Spam filters, internal data analysis AI, content recommenders, automated decision systems on non-personal data. No specific AI Act obligations — only existing general regulations (GDPR, sector directives).

Practical conclusion: the vast majority of use cases for SMEs (customer support bots, content generation, lead qualification, workflow automation) fall into limited or minimal risk. Compliance is achievable — but not automatic.

Concrete Obligations for AI Agent Providers Serving SMEs

1. Transparency Obligation (Art. 50 AI Act)

If your SME client uses an AI chatbot to manage their customers' requests, end users must know they are interacting with an automated system. This doesn't mean a window listing all AI models used: a clear indication ("You are chatting with an AI assistant") at the start of the interaction is sufficient.

Exception: if the user has explicitly consented to interacting with an AI, the immediate disclosure obligation lapses. But consent must be documented.

2. Data Governance and Data Quality (Art. 10 AI Act)

High-risk AI systems require specific data governance practices. For limited-risk systems, the rule is more pragmatic but not absent: data used to train, fine-tune or operate the AI must comply with GDPR. If the AI Agent handles personal data of SME clients, a proper Data Processing Agreement (DPA) between the AI consultant and the SME is required.

3. Technical Documentation (Art. 11 AI Act — high risk)

For high-risk systems: complete technical documentation before market placement, maintained up to date. For limited-risk systems it is not formally required, but basic documentation (which AI model is used, which data it manages, which decisions it makes) is strongly recommended for two reasons: it protects the consultant in case of disputes, and it differentiates serious professionals from amateurs.

4. Human Oversight (Art. 14 AI Act)

High-risk systems require human oversight in the decision loop — the AI cannot make autonomous decisions on sensitive categories. For limited-risk systems, best practice is to implement a human escalation mechanism for requests the AI cannot handle with certainty.

5. EU Database Registration (Art. 49 AI Act — high risk)

High-risk systems must be registered in the EU database before market placement. This obligation does not apply to limited or minimal risk systems.

EU AI Act + GDPR: The Dual Compliance You Must Master

GDPR and the AI Act overlap significantly when an AI system handles personal data — which is almost always the case in SME use cases (client data, order history, emails, CRM).

The 5 Critical GDPR ↔ AI Act Intersections

  1. Legal basis for processing: GDPR requires a legal basis for processing personal data. The AI Act does not replace it: if AI processes personal data, consent, legitimate interest or contract is required under GDPR.
  2. Right not to be subject to automated decisions (Art. 22 GDPR): strongly aligned with the AI Act's human oversight requirements for decisions impacting people.
  3. DPIA (Data Protection Impact Assessment): already required by GDPR for high-risk processing — overlaps with the AI Act risk assessment for high-risk classified systems.
  4. Privacy by design: GDPR principle that naturally extends to secure AI system design.
  5. Right to explanation: the AI Act requires explainability for high-risk systems; GDPR requires explanation of significant automated decisions. Two converging obligations.

Penalties and Timeline: When Do They Take Effect?

DateWhat appliesWho is affected
Aug 2024AI Act enters into forceEveryone
Feb 2025Absolute bans applicable, sanctions activeUnacceptable risk
Aug 2025GPAI (general purpose AI models) — documentation and transparency obligationsLLM and foundation model providers
Aug 2026High risk — full obligations + registration + 3-7% sanctionsHigh-risk providers and deployers
Aug 2027Legacy systems integrated in existing productsPre-existing AI products

For the AI consultant serving SMEs with limited/minimal risk use cases: transparency obligations are already applicable now. The main practical risk in the short term is failure to disclose to the end users of SME clients.

How AI Workspace Agency is Built for Compliance

AWA was not designed as a generic technical tool: it was built with GDPR and EU AI Act compliance as an architectural requirement from day one.

Compliance as Business Leverage: Why Being "AI Act Ready" Pays Off

1. Access to Corporate and Public Procurement

From 2026, public tenders and large company procurement will begin requiring AI Act compliance declarations from suppliers. AI-ready consultants will have access to clients that amateurs cannot touch.

2. Higher Margins with Larger Clients

Growing SMEs — those reaching 50, 100 employees — have more stringent legal requirements. A certified, compliance-ready AI consultant can follow them through growth without losing the client. The generic consultant gets replaced by a specialist.

3. Trust as a Business Asset

The SME chooses its AI consultant like it chooses its accountant: for trust and continuity. A consultant who demonstrates staying current on GDPR, EU AI Act and data security becomes difficult to replace — and can charge higher rates.

Compliance Checklist: Are You AI Act Ready?

Work on Compliance-Ready Infrastructure

AWA is designed for those who want to offer AI to SMEs with GDPR and EU AI Act already integrated into the infrastructure. You don't start from scratch.

Sources: Regulation (EU) 2024/1689 — EU AI Act | European AI Office, Guidance Documents 2025 | ENISA, AI Cybersecurity Guidelines