The EU AI Act for SMBs: a practical guide.
What you actually need to do if your business uses AI — without hiring a lawyer. We walk through 5 common scenarios with concrete actions for each, mapped to the act's risk tiers.
AI-powered websites, automation, and customer support for European businesses that want to move faster — without hiring a tech department.
Answering the same customer question for the third time today. A website that was "temporary" two years ago. Spreadsheets copied between systems because no one had time to connect them.
You don't need a digital transformation. You need the three or four automations that give you your week back.
Modern, fast, conversion-focused. Sub-second loads, no WordPress bloat.
Trained on your product, your tone. Escalates when it matters.
Data entry, reports, invoices, lead routing — handled in the background.
Your CRM, invoicing, inventory — talking to each other.
OOPUO is small by design. One engineer who writes the code. One process that doesn't bloat. We work with five clients at a time. When we say something will ship in 4 weeks, it ships.
No slide decks. We write the code, you see the work in week one.
Five active clients max. You get attention, not a junior.
One price, one timeline. No "it depends" answers.
A 30-minute call is all it takes to find out which automations will save you the most.
Modern, fast, conversion-focused. Built on frameworks that load in under a second and rank on Google without ongoing SEO retainers. No WordPress bloat.
What's inside: design system tailored to your brand, copy collaboration, analytics setup, A/B testing scaffolding, performance monitoring after launch.
2.3× signup rate within 6 weeks. Loaded in 480ms.
Replaced WordPress, cut hosting bill 70%. Organic +40% in 3 months.
Direct bookings 1.6× first quarter. €0 in OTA commissions on those.
From Squarespace to a custom build, 3-week delivery.
A 4-step process. Fixed timeline. No "it depends".
30-min call. We map your audience, your competitors, your three core conversion goals.
Wireframes + visual direction within a week. You approve before we touch code.
Astro + Tailwind, sub-second loads, accessibility baked in. Staging URL day one.
DNS, analytics, monitoring. We watch the first two weeks of traffic and tune.
Fixed scope, fixed price. No retainers.
An assistant trained on your product, your FAQs, your tone of voice. Handles repetitive questions in any language, escalates to humans when intent shifts or sentiment drops.
What's inside: training pipeline on your docs, channel integrations (web, WhatsApp, email), human handoff flows, monthly performance review.
68% of tickets resolved unassisted. First reply from 4 hours to instant.
Support headcount held flat through 2× user growth.
After-hours enquiries answered 24/7. 1.4× conversion on late-night traffic.
Phone volume down 40%. Staff freed for clinical work.
A 4-step process. Live in under three weeks. No "it depends".
We feed it your docs, FAQs, and past tickets. It learns how your team actually talks.
We test it on real questions, set escalation rules, and decide what it must never answer alone.
Web, WhatsApp, email — wherever your customers already are. Human handoff built in.
A monthly read of every conversation. We catch gaps, retrain, and tighten the answers.
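The "set escalation rules, and decide what it must never answer alone" step is the part of a support assistant that should not live inside the prompt. Below is an added example of such a policy in Python; it is not OOPUO's code. It assumes an upstream classifier has already tagged each user turn with an intent label and a sentiment score in [-1, 1] (those values, the intent names and the thresholds are assumptions constructed for the example) and applies the rules deterministically, so a prompt-injected or over-confident model cannot talk its way past them.

```python
"""Escalation policy for a support assistant (added example, not OOPUO code).

Assumes an upstream classifier has already tagged each user turn with an
intent label and a sentiment score in [-1, 1]; both are constructed inline
here. The rules run outside the LLM, so a prompt-injected or over-confident
model cannot talk its way past them.
"""
from dataclasses import dataclass

# Intents the assistant must never resolve on its own (assumed list).
NEVER_ALONE = {"refund_request", "medical_advice", "legal_threat", "account_deletion"}
# Intents that are themselves a request for a person (assumed list).
WANTS_HUMAN = {"speak_to_human", "complaint"}

SENTIMENT_FLOOR = -0.4   # one turn this negative: hand off
DROP_THRESHOLD = 0.6     # fall between consecutive turns that counts as a drop
LOOP_LENGTH = 3          # same intent this many turns running: the bot is not resolving it


@dataclass(frozen=True)
class Turn:
    text: str
    intent: str
    sentiment: float


@dataclass(frozen=True)
class Decision:
    escalate: bool
    reason: str


def decide(history: list[Turn]) -> Decision:
    """Decide, for the latest user turn, whether a human must take over."""
    if not history:
        return Decision(False, "no user turns yet")
    last = history[-1]
    if last.intent in NEVER_ALONE:
        return Decision(True, f"intent '{last.intent}' is never answered alone")
    if last.intent in WANTS_HUMAN:
        return Decision(True, f"user asked for a person ('{last.intent}')")
    if last.sentiment <= SENTIMENT_FLOOR:
        return Decision(True, f"sentiment {last.sentiment:+.2f} at or below floor")
    if len(history) >= 2:
        prev = history[-2]
        if prev.sentiment - last.sentiment >= DROP_THRESHOLD:
            return Decision(True, f"sentiment dropped {prev.sentiment:+.2f} -> {last.sentiment:+.2f}")
    # Same intent N turns in a row means the assistant is looping, not helping.
    recent = [t.intent for t in history[-LOOP_LENGTH:]]
    if len(recent) == LOOP_LENGTH and len(set(recent)) == 1:
        return Decision(True, f"'{recent[0]}' repeated {LOOP_LENGTH} turns without resolution")
    return Decision(False, "within policy")


# Constructed conversations (classifier outputs are made up for the example).
CALM_ORDER_QUERY = [Turn("Where is my order 4411?", "order_status", 0.10)]
REFUND = [Turn("I want my money back", "refund_request", 0.00)]
FRUSTRATION = [
    Turn("Where is my order 4411?", "order_status", 0.30),
    Turn("This is ridiculous, it's been two weeks", "order_status", -0.35),
]
STUCK_LOOP = [Turn(f"Still no tracking update ({i})", "order_status", 0.20) for i in range(3)]
```

The reason string is meant to be written to the handoff ticket and to the conversation log, so the monthly review can see which rule fired and tune the thresholds from evidence rather than anecdote.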
Fixed setup, predictable monthly. No per-conversation surprises.
Data entry, report generation, invoice processing, lead routing — handled by AI agents that run reliably in the background.
What's inside: agent design, integration with your existing tools, monitoring dashboard, audit logs for compliance.
Manual entry from 15 hours to 1 a week. Zero typos since.
Orders routed in seconds, not hours. 99.7% accuracy.
Every inbound scored and logged overnight. Sales starts the day sorted.
12 reports built and sent automatically. Two days back, every month.
A 4-step process. Most automations live in two weeks. No "it depends".
We sit with the person doing the task and write down every step. The boring detail is the point.
We build the agent against your real tools and real data — not a demo environment.
It runs alongside your team for a week. We compare every output before it takes over.
It goes live with a monitoring dashboard and audit logs. You see exactly what it did.
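The parallel-run week only works if "we compare every output" is mechanical rather than eyeballed. Below is an added example of a shadow-mode harness in Python; it is not OOPUO's tooling. It takes, for each case, the agent's structured output and the human's, compares them field by field after light normalisation, and refuses promotion if any critical field ever disagrees or any other field falls below an agreement threshold. Field names, thresholds, the minimum sample size and the sample records are assumptions constructed for the example.

```python
"""Shadow-mode comparison for an automation agent (added example, not OOPUO code).

During the parallel-run week the agent produces an output for every case the
human also handles. This harness compares the two field by field and decides
whether the agent may be promoted. Field names, thresholds and the sample
records are assumptions constructed for the example, not real client data.
"""
from collections import defaultdict

CRITICAL_FIELDS = {"amount", "iban"}   # any mismatch here blocks promotion (assumed)
MIN_FIELD_AGREEMENT = 0.95              # required for every non-critical field (assumed)
MIN_SAMPLE_SIZE = 20                    # fewer cases than this is not evidence (assumed)


def normalise(value):
    """Ignore differences a human would not count as errors (case, spacing)."""
    if isinstance(value, str):
        return " ".join(value.split()).casefold()
    return value


def compare(pairs):
    """pairs: list of (case_id, agent_output: dict, human_output: dict)."""
    totals = defaultdict(int)
    matches = defaultdict(int)
    disagreements = []
    for case_id, agent, human in pairs:
        for field_name in sorted(set(agent) | set(human)):
            totals[field_name] += 1
            if normalise(agent.get(field_name)) == normalise(human.get(field_name)):
                matches[field_name] += 1
            else:
                disagreements.append((case_id, field_name, agent.get(field_name), human.get(field_name)))
    agreement = {f: matches[f] / totals[f] for f in totals}
    blockers = [d for d in disagreements if d[1] in CRITICAL_FIELDS]
    weak_fields = [f for f, rate in agreement.items()
                   if f not in CRITICAL_FIELDS and rate < MIN_FIELD_AGREEMENT]
    promote = len(pairs) >= MIN_SAMPLE_SIZE and not blockers and not weak_fields
    return {
        "cases": len(pairs),
        "agreement": agreement,
        "disagreements": disagreements,
        "blockers": blockers,
        "weak_fields": weak_fields,
        "promote": promote,
    }


def constructed_sample(critical_error: bool = False):
    """30 constructed invoice-extraction cases; the IBAN is a standard test value."""
    pairs = []
    for i in range(1, 31):
        human = {"invoice_no": f"INV-{i:04d}", "vendor": "Acme GmbH",
                 "amount": 100.0 + i, "iban": "DE89370400440532013000"}
        agent = dict(human)
        if i == 7:
            agent["vendor"] = "ACME GmbH  "      # case/whitespace only: normalised away
        if i == 12:
            agent["vendor"] = "Acme Ltd"         # a genuine, non-critical disagreement
        if critical_error and i == 20:
            agent["amount"] = 120.5             # wrong amount: must block promotion
        pairs.append((f"case-{i}", agent, human))
    return pairs


if __name__ == "__main__":
    report = compare(constructed_sample())
    print("promote:", report["promote"], "disagreements:", report["disagreements"])
```

The disagreement list, not the headline rate, is what you read with the person who did the task: one wrong amount in thirty is a blocker, one vendor spelling in thirty is a note for the next retraining pass.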
Priced per automation. One scope, one price.
Your CRM talks to your invoicing tool talks to your inventory system. We connect the platforms you already use so data flows where it needs to go.
What's inside: integration mapping, middleware setup, data sync verification, error monitoring, documentation your team can read.
Sales, stock, and invoices in one ledger. Month-end reconciliation gone.
A signed deal becomes a project and an invoice on its own.
Stock accurate to the minute. Oversells dropped to zero.
One patient record across three systems. Staff stopped re-typing.
A 4-step process. Fixed timeline. No "it depends".
We list every tool, every data field, and every place the same number lives twice.
We agree the source of truth for each piece of data. One system wins; the rest follow.
We build the middleware, sync the data, and verify every record matches end to end.
Error alerts, retry logic, and documentation your team can actually read.
Fixed scope, fixed price. No retainers.
The Act entered into force in August 2024, and most of its obligations apply from August 2026. If you use AI in any form (a chatbot, a copywriting tool, a recruitment scorer) you almost certainly fall under it, usually as a deployer rather than a provider. The good news: most SMB use cases are minimal or limited risk and need very little. The bad news: the few high-risk ones can be expensive to get wrong.
Here's the practical version, without the legalese.
The Act puts every AI system into one of four tiers based on how it is used, not which model it runs. The same GPT-4 call is unregulated in one app and high-risk in another, depending on the context.
The four tiers are unacceptable risk (banned outright), high risk, limited risk and minimal risk. Five common SMB scenarios, mapped onto them:
1. Customer support chatbot. Limited risk. The Act's own requirement here is transparency: people must be told they are talking to an AI (Article 50). A route to a human and basic data-handling documentation are not AI Act obligations as such, but GDPR and common sense expect them, so do them in the same pass. About a day of work.
2. AI-generated marketing copy. Minimal risk in itself. But if it's deceptive — deepfake testimonials, fake reviews — it becomes a separate consumer-protection problem regardless of the AI Act.
3. CV screening tool. High risk. This is the one to be careful about. Recruitment, candidate filtering and ranking are listed in Annex III, so if AI ranks or filters candidates you are in the heavy tier, with logging, human oversight and candidate notification obligations even as a mere deployer. Either keep AI strictly assistive (final decision is human, documented) or invest in compliance. One caveat: the Act's carve-out for narrow, preparatory tasks does not apply where the system profiles individuals, so confirm that "assistive" really takes you out of the high-risk tier before relying on it.
4. AI-assisted code generation. Internal tool, minimal risk. No special obligations beyond your existing IP and security practices.
5. Personalisation engine on your site. Limited risk for recommendations. Becomes higher risk if it segments by sensitive attributes (health, politics, sexuality) — avoid that pattern entirely.
The Act isn't designed to kill SMB AI use. It's designed to make sure the few genuinely consequential systems are accountable. Treat the high-risk cases seriously, document the limited-risk ones lightly, and move on.
If you want help mapping your tools to tiers, that's the kind of work we do. One call usually settles it.
Most SMBs we work with have 5–10 weekly hours of busywork hiding in plain sight. Not big-ticket processes — small ones, repeated. Each one is too small to bother automating in isolation. Together they're a full working day per week, every week.
Here are the ones we deploy most.
Lead routing. New form submission → enrich with company data → score by fit → route to the right rep → log to CRM. Saves the four-minute manual triage on every inbound. At 30 leads/week, that's two hours.
Invoice processing. PDF arrives → extracted to structured data → matched against PO → flagged for approval or auto-posted. Ten invoices/week at eight minutes each was the typical baseline. Down to 30 seconds of review.
Status update generation. Pulls from project tracker, git, calendar → drafts the weekly client update in your voice → you edit and send. About 45 minutes saved per client per week, and people actually read shorter, structured updates.
Meeting notes and actions. Transcript in → summary, decisions, action items out → posted to the project channel with owners and due dates assigned. Frees the meeting organiser from being a stenographer.
Customer onboarding sequence. Triggered on signup. Sends personalised emails referencing the customer's specific use case (extracted from their sign-up form), schedules the kickoff call, provisions accounts, posts to a private Slack channel. 90 minutes of human work, done in two.
Competitive monitoring. Watches competitor sites, pricing pages, blog, LinkedIn for changes. Daily digest. Used to be a marketing intern's morning ritual.
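The invoice pipeline above ends in "flagged for approval or auto-posted", and that branch is where the risk sits: an invoice-fraud attempt is a real-looking invoice with the attacker's bank account on it. Below is an added example in Python of the matching and gating step; it is not OOPUO's code. It auto-posts only when the PO exists and is open, belongs to the same vendor, the amount is within tolerance, the amount is under a ceiling and the IBAN matches vendor master data; anything else goes to a human with the reasons attached. Tolerances, field names and the PO and vendor master data are assumptions constructed for the example.

```python
"""Invoice-to-PO matching with an approval gate (added example, not OOPUO code).

Models the "matched against PO -> flagged for approval or auto-posted" step.
An invoice is posted without a human only when every check passes; otherwise
it goes to approval with the reasons attached, so the reviewer sees why.
Tolerances, field names and the PO/vendor master data are assumptions
constructed for the example.
"""
from dataclasses import dataclass

AMOUNT_TOLERANCE = 0.02      # allowed variance against the PO amount (assumed)
AUTO_POST_CEILING = 5000.0   # above this a human always signs off (assumed)


@dataclass(frozen=True)
class Invoice:
    number: str
    vendor_id: str
    po_number: str
    amount: float
    iban: str


@dataclass(frozen=True)
class PurchaseOrder:
    number: str
    vendor_id: str
    amount: float
    is_open: bool


@dataclass(frozen=True)
class Routing:
    action: str              # "auto_post" or "approval"
    reasons: tuple[str, ...]


def normalise_iban(iban: str) -> str:
    return iban.replace(" ", "").upper()


def route_invoice(inv: Invoice, purchase_orders: dict, vendor_ibans: dict) -> Routing:
    """Collect every failed check; a single failure is enough to require a human."""
    reasons = []
    po = purchase_orders.get(inv.po_number)
    if po is None:
        reasons.append(f"no PO {inv.po_number} on file")
    else:
        if not po.is_open:
            reasons.append(f"PO {po.number} already closed (possible duplicate invoice)")
        if po.vendor_id != inv.vendor_id:
            reasons.append("PO was issued to a different vendor")
        if abs(inv.amount - po.amount) > AMOUNT_TOLERANCE * po.amount:
            reasons.append(f"amount {inv.amount:.2f} outside tolerance of PO {po.amount:.2f}")
    known_iban = vendor_ibans.get(inv.vendor_id)
    if known_iban is None:
        reasons.append("vendor has no bank details in master data")
    elif normalise_iban(inv.iban) != normalise_iban(known_iban):
        # The classic invoice-fraud pattern: genuine invoice, attacker's account.
        reasons.append("IBAN differs from vendor master data (possible payment diversion)")
    if inv.amount > AUTO_POST_CEILING:
        reasons.append(f"amount exceeds auto-post ceiling {AUTO_POST_CEILING:.0f}")
    return Routing("approval" if reasons else "auto_post", tuple(reasons))


# Constructed master data and invoices (standard test IBANs, not real accounts).
PURCHASE_ORDERS = {
    "PO-1001": PurchaseOrder("PO-1001", "V-ACME", 1200.00, True),
    "PO-1002": PurchaseOrder("PO-1002", "V-ACME", 800.00, False),
}
VENDOR_IBANS = {"V-ACME": "DE89 3704 0044 0532 0130 00"}

SAMPLE_INVOICES = [
    Invoice("INV-1", "V-ACME", "PO-1001", 1210.00, "DE89370400440532013000"),  # clean
    Invoice("INV-2", "V-ACME", "PO-1001", 1210.00, "GB29NWBK60161331926819"),  # new bank account
    Invoice("INV-3", "V-ACME", "PO-1002", 800.00, "DE89370400440532013000"),   # PO already closed
    Invoice("INV-4", "V-ACME", "PO-1001", 1500.00, "DE89370400440532013000"),  # 25 % over the PO
]


def route_all(invoices=SAMPLE_INVOICES) -> dict:
    return {inv.number: route_invoice(inv, PURCHASE_ORDERS, VENDOR_IBANS) for inv in invoices}


if __name__ == "__main__":
    for number, routing in route_all().items():
        print(number, routing.action, *routing.reasons, sep=" | ")
```

Keep the master data the agent checks against out of the agent's own write path; if the same automation can update vendor bank details and approve payments to them, the IBAN check protects nothing.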
They share three things: they happen often, they have a predictable input shape, and the cost of an occasional mistake is recoverable. That's the right starting set. We don't recommend automating one-off creative decisions or anything where a wrong answer is hard to undo.
A bundle of five or six of these runs €8–15k to design and deploy, depending on integrations. They run for €40–150/month in API and infra costs. Most clients break even inside three months on time saved alone, before counting the second-order benefits of faster response times and fewer dropped balls.
The single highest-leverage automation is almost always the one that's getting in the way of growth. Ask your team: what's the thing they spend 30 minutes on, three times a week, that they hate? Start there.
If you want a free 30-minute audit of where automation would pay back fastest in your business, that's a call we're happy to do.
The reason AI projects fail audit isn't usually the model. It's that nobody can answer the basic questions: what did it do, when, with what input, and why?
Observability solves this. It's the boring infrastructure layer underneath every AI system that has to answer to anyone — customers, auditors, regulators, your own ops team.
For every agent call:
That's the minimum for being able to reconstruct what happened on any given interaction.
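Below is an added example in Python of what one such per-call record can look like; it is not OOPUO's observability layer, and the field names are an assumption about what "the minimum" should contain: trace id, timestamp, model, a hash of the system prompt (so prompt changes are detectable without storing the prompt on every line), the redacted input and output, the tool calls made, latency, and a hash chain over the records so that a deleted or edited entry is detectable on review. The sample calls, the redaction patterns and the identifiers in them are constructed for the example.

```python
"""Per-call audit record for an AI agent (added example, not OOPUO code).

Each agent call becomes one JSON line carrying what is needed to reconstruct
it later: trace id, timestamp, model, system-prompt hash, redacted input and
output, tool calls, latency, and the hash of the previous record so that
tampering or deletion is detectable. Field names, redaction patterns and the
sample calls are assumptions constructed for the example.
"""
import hashlib
import json
import re
import time
import uuid

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}(?:\s?[A-Z0-9]{1,4})?\b")

SYSTEM_PROMPT = "You are the support assistant for Example Co. Never change bank details."


def redact(text: str) -> str:
    """Mask direct identifiers before the text reaches long-retention storage."""
    return IBAN_RE.sub("[iban]", EMAIL_RE.sub("[email]", text))


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


class AuditLog:
    GENESIS = "0" * 64   # prev_hash of the first record

    def __init__(self):
        self.records: list[dict] = []

    def _last_hash(self) -> str:
        return self.records[-1]["hash"] if self.records else self.GENESIS

    @staticmethod
    def _digest(rec: dict) -> str:
        """Hash every field except the hash itself, in canonical JSON form."""
        body = {k: v for k, v in rec.items() if k != "hash"}
        return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")))

    def record(self, *, trace_id, model, system_prompt, user_input, output,
               tool_calls, latency_ms, ts=None) -> dict:
        rec = {
            "id": str(uuid.uuid4()),
            "ts": ts if ts is not None else time.time(),
            "trace_id": trace_id,
            "model": model,
            "prompt_hash": sha256_hex(system_prompt),
            "input": redact(user_input),
            "output": redact(output),
            "tool_calls": tool_calls,
            "latency_ms": latency_ms,
            "prev_hash": self._last_hash(),
        }
        rec["hash"] = self._digest(rec)
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        """Recompute the chain; False if any record was edited, removed or reordered."""
        prev = self.GENESIS
        for rec in self.records:
            if rec["prev_hash"] != prev or self._digest(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def to_jsonl(self) -> str:
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def example_records() -> AuditLog:
    """Two constructed agent calls from one conversation (test IBAN, fake address)."""
    log = AuditLog()
    log.record(trace_id="trace-0001", model="gpt-4o-2024-08-06", system_prompt=SYSTEM_PROMPT,
               user_input="Please update the invoice address and mail me at anna@example.com",
               output="Done, the address on INV-2041 is updated.",
               tool_calls=[{"name": "update_invoice_address", "args": {"invoice": "INV-2041"}}],
               latency_ms=842, ts=1_735_689_600.0)
    log.record(trace_id="trace-0001", model="gpt-4o-2024-08-06", system_prompt=SYSTEM_PROMPT,
               user_input="Also, our new IBAN is DE89 3704 0044 0532 0130 00",
               output="I can't change bank details myself; a colleague will confirm by phone.",
               tool_calls=[{"name": "escalate_to_human", "args": {"reason": "bank_details_change"}}],
               latency_ms=610, ts=1_735_689_660.0)
    return log


if __name__ == "__main__":
    print(example_records().to_jsonl())
```

Two design choices worth keeping whatever stack you use: redact before write, not at query time, so the long-retention copy never holds the raw identifiers; and ship the chain head (the latest hash) somewhere the agent cannot write, so the log's integrity does not depend on the system it is auditing.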
Three things, in order of importance:
The EU AI Act requires high-risk systems to log events automatically (Article 12), and both providers and deployers must keep those logs for at least six months, longer where other law requires it (Articles 19 and 26). Technical documentation for a high-risk system must be kept for ten years after it is placed on the market (Article 18). GDPR Article 22 adds rights around solely automated decisions, including meaningful information about the logic involved. Sector regulations (FCA, MDR, etc.) layer on top.
You don't need to be in a heavily regulated sector to benefit. Most clients discover that having logs at all transforms their relationship with the system — they stop trusting it on faith and start trusting it on evidence.
A standard observability layer is a half-day setup for new clients. OpenTelemetry traces, a small ClickHouse instance, a Grafana dashboard, retention policies wired to your data classification. Sits underneath whatever LLM provider you use.
If your AI is in production and you can't pull a complete trace of yesterday's interactions, you're not ready for the inevitable audit. Fix it now, not after.
We have five active clients. Sometimes four. Never more than five. People ask why, often skeptically — surely we'd grow faster with ten? Twenty? Some kind of agency?
We've run that experiment. The answer is no.
A studio of three engineers can give one client about two days of focused attention per week without that attention degrading. Past five clients you start to notice things: response times slip, context-switching overhead eats Friday, the senior engineer becomes a router instead of a builder. You can grow the team, but the team's attention budget grows linearly while coordination overhead grows quadratically. By twelve people you've reinvented an agency, and now your fixed cost per client is high enough that you can't afford to take the small interesting projects anymore.
Continuity. The same person who scoped your project is in the code two months later. Nothing gets lost in handoff because there's no handoff.
Speed of decision. A client question gets a real answer in an hour, not three days of internal sync. The bottleneck of most agency work isn't the work itself — it's waiting for someone with context.
The boring kind of quality. When the same five people are going to maintain something for two years, the incentives to cut corners disappear. Tests get written. Logs get added. Documentation exists.
Selectivity. Five client slots means we say no to good projects, not just bad ones. The compounding effect of working only on things we'd be proud to ship is enormous.
The obvious one: revenue ceiling. Five clients × €X is a much smaller number than fifty clients × €X. We're fine with that. Our cost structure is built for it.
The less obvious one: we can't help you tomorrow. Lead time is real — usually four to six weeks before we can start. If your project is urgent and you need a partner who can spin up next Monday, we're not it.
Companies that value the engineer being three feet from the problem more than they value the agency org chart. Founders who've been burned by handoffs. Anyone who's seen the inside of an agency where 80% of the meeting attendees aren't doing the work.
If that's you, we'll probably get along. Drop us a line.
EU AI Act compliance, risk assessments, and technical governance — from an engineering team that understands both your systems and the regulation.
The regulation entered into force in August 2024. Prohibitions on unacceptable AI practices apply from February 2025. Requirements for the high-risk systems listed in Annex III apply from August 2026 (August 2027 for AI embedded in products already covered by EU product-safety legislation). The compliance clock is already running.
If your company uses AI for hiring, credit scoring, content moderation, customer profiling, or automated decision-making — you're almost certainly in scope. Even off-the-shelf AI tools can trigger deployer obligations under the Act.
The question isn't whether you need to comply. It's whether you'll do it proactively or under enforcement pressure.
We map every AI system in your organization against EU AI Act requirements. You get a clear picture of your risk exposure, obligation category (provider, deployer, distributor), and a prioritized remediation roadmap.
Deliverable: a comprehensive audit report with risk classification, gap analysis, and an actionable compliance timeline.
For each AI system classified as high-risk, we conduct a structured risk assessment following the regulation's framework. We identify failure modes, bias vectors, and data governance gaps — then build the controls that close them.
Deliverable: per-system risk assessment documentation, mitigation strategies, and residual risk evaluation.
You can't govern what you can't see. We implement tracing, logging, and monitoring across your AI agents so every decision is recorded, explainable, and auditable. When the regulator asks why a system made a decision — you have the answer.
Deliverable: observability infrastructure deployed, with dashboards, alerting, and audit-ready log exports.
The EU AI Act requires extensive documentation: data governance records, system architecture descriptions, performance metrics, and human oversight protocols. We write the documentation that satisfies Article 11 requirements — accurate, structured, and maintainable.
Deliverable: complete technical documentation package aligned to Annex IV requirements, ready for regulatory review.
Most compliance firms hand you a checklist and a slide deck. We embed with your engineering team. We read the code, understand the architecture, and build compliance into the system — not around it.
We don't just ask "do you have documentation?" We verify that the documentation matches the system. Architecture reviews, data flow tracing, model evaluation — the work that actually reduces risk.
Some data can't leave the building. We deploy observability and governance tooling on your infrastructure — local, private cloud, or air-gapped if needed.
We build processes your team can maintain after we leave. No vendor lock-in, no proprietary platforms, no dependency on us for ongoing operation.
Timelines vary by scope. A focused engagement on a single AI system can complete in 2–3 weeks.