EU AI Act Compliance Checklist for SMEs: 10 Steps Before August 2026

Published February 17, 2026 · 10 min read

The EU AI Act enforcement date is August 2, 2026. That is less than six months away. If your business uses any form of artificial intelligence — from chatbots to automated decision-making tools — you are required to comply. The requirements vary by risk category, but no business using AI in the EU is exempt.

Many large corporations have dedicated legal and compliance teams preparing for this. But if you are a small or medium-sized enterprise, a freelancer, or a solo founder, you likely do not have those resources. That does not exempt you from the law.

This checklist breaks down the 10 essential steps you need to take before the enforcement deadline. Each step is practical, actionable, and designed for businesses without a dedicated compliance department.

The 10-Step Checklist

1. Audit All AI Systems You Currently Use

Before you can comply, you need to know what you are working with. Make a complete inventory of every AI tool, API, model, or automated system your business uses. This includes third-party tools like ChatGPT, Copilot, AI-powered CRMs, automated email tools, recommendation engines, and any custom models you have built or deployed. Document what each system does, what data it processes, and who has access to it.

2. Classify Each System by Risk Level

The EU AI Act classifies AI systems into five categories: prohibited (banned outright), high-risk (strict requirements), limited-risk (transparency obligations), minimal-risk (AI-literacy training only), and out-of-scope (military, pure research, personal use). Most SMEs will find their AI tools fall into the limited-risk or high-risk categories. For example, if you use AI for hiring decisions, credit scoring, or medical diagnosis, those are high-risk. A customer support chatbot is limited risk. You must classify each system accurately because the compliance requirements differ significantly between tiers.

3. Verify Where Your Data Is Stored and Processed

The EU AI Act does not directly mandate where your data must be stored — but GDPR does restrict cross-border transfers of personal data. If your AI systems process personal data of EU residents, you need to know exactly where that data is stored, which servers process it, and whether any data leaves the EU. Many popular AI services route data through US-based servers. This creates a GDPR compliance risk. Document the data flow for each AI system and evaluate whether EU data residency is needed for your situation.

4. Implement Audit Logging for All AI Interactions

Under the EU AI Act, providers of high-risk AI systems must build automatic logging into their systems (Article 12). As a deployer, your obligation is to keep the logs generated by the provider’s system for at least six months (Article 26(6)) and make them available if a regulator requests them. If you are using third-party AI tools, check whether they provide exportable audit logs. If they do not, you may have a compliance gap — because you cannot retain logs that were never generated.

5. Ensure Transparency and Disclosure

When your customers or users interact with an AI system, they have the right to know. The AI Act requires that AI-generated content is clearly labeled, users are informed when they are communicating with an AI (not a human), and any AI-driven decisions that affect individuals are explainable. Review all customer-facing AI touchpoints and add appropriate disclosures. This includes chatbots, automated emails, AI-generated recommendations, and content.

6. Design Human Oversight Mechanisms

The AI Act mandates that high-risk AI systems must be designed for human oversight — this is primarily a provider obligation (Article 14). As a deployer, your obligation is to assign competent persons to oversee the system, follow the provider’s instructions for human oversight, and intervene or escalate when the system behaves unexpectedly (Article 26(2)). For SMEs, this does not mean hiring a dedicated AI supervisor. It means having a clear process: who reviews AI outputs, how they escalate issues, and what the override procedure is. Document this process.

7. Create Compliance Documentation

Regulators will expect written documentation. At minimum, you need a register of all AI systems with their risk classifications, a data processing record for each AI system, a transparency policy describing how you disclose AI use, an incident response plan for AI malfunctions or errors, and evidence of human oversight procedures. This documentation does not need to be hundreds of pages. But it must exist, be accurate, and be up to date.

8. Review Your AI Supply Chain

If you use third-party AI tools or APIs, you still have deployer obligations — even though the provider bears the heavier compliance burden. The AI Act holds both providers and deployers accountable, but for different things. Contact your AI vendors and ask whether they are EU AI Act compliant, where their servers are located, whether they provide audit logs and transparency features, and what their data retention and deletion policies are. If a vendor cannot answer these questions satisfactorily, consider switching to a compliant alternative before the deadline.

9. Train Your Team

Article 4 of the EU AI Act requires that all staff who operate or interact with AI systems have sufficient AI literacy. This does not mean everyone needs a technical AI education. It means they should understand what AI tools the business uses and why, what the compliance requirements are, how to identify and report AI errors or unexpected behavior, and what the escalation process is. Even if you are a solo founder, document your own understanding and procedures. If you hire later, this becomes your onboarding material.

10. Set Up Ongoing Monitoring and Updates

Compliance is not a one-time task. The EU AI Act will evolve as the European AI Office issues new guidelines, interpretations, and standards. You need a system to monitor regulatory updates and adjust your practices, review your AI inventory periodically as you add or remove tools, update your documentation when changes occur, and re-assess risk classifications as your AI usage evolves. Think of it like tax compliance — the rules change, and you need to stay current.

The Reality Check

If you completed this checklist honestly, you probably realized: this is a lot of work for a small team. Auditing every AI interaction, ensuring EU data residency, maintaining export-ready logs, tracking regulatory changes — these are infrastructure-level challenges, not something you solve with a spreadsheet.

SME penalty caps: Article 99 provides proportionality for small businesses. For each penalty tier, the fine is capped at the lower of the fixed amount or the turnover percentage. A freelancer with €100,000 in annual revenue faces a maximum Tier 2 fine of €3,000 (3% of turnover), not €15 million. The caps protect you from existential fines — but not from the enforcement process itself.

Large enterprises will hire compliance teams and build internal tooling. But SMEs, freelancers, and solo founders need a different solution — one that handles compliance at the infrastructure level so you can focus on your actual business.

How Hlinix Handles This for You

Hlinix is an AI hosting platform built specifically for EU AI Act compliance. Instead of managing each of these 10 steps manually, Hlinix builds them into the infrastructure.

Steps 3 and 4 — Data stays on EU servers (supporting your GDPR obligations), and provider-generated logs are stored, timestamped, and export-ready for regulatory review from day one.

Steps 5 and 6 — Transparency controls and usage limits are configurable from your dashboard. Set content filters, risk-level tags, and usage caps without writing code.

Step 8 — By hosting on Hlinix, your AI supply chain compliance is simplified. You know exactly where your infrastructure is, how it is configured, and that it meets EU requirements.

Step 10 — As the EU AI Act evolves, Hlinix updates its compliance features. You do not need to track regulatory changes yourself — the platform stays current so you stay compliant.

Pricing starts at 25 euros per month, with a 14-day free trial. No legal team required.

Summary

The EU AI Act is not optional, and the August 2026 deadline is approaching fast. Whether you handle compliance manually or use a platform like Hlinix, the important thing is to start now. Use this checklist as your starting point, work through each step methodically, and do not wait until enforcement begins to discover you are not ready.

If you found this guide useful, share it with other founders and business owners who use AI. The more prepared the SME community is, the better.