Artificial Intelligence

EU AI Act: the compliance guide for Belgian SMEs

Published on By Dr Ir Hüseyin Cakmak
#eu ai act sme #ai act compliance #ai regulation belgium #european ai regulation #ai act obligations
EU AI Act: the compliance guide for Belgian SMEs

The EU AI Act is the first European legal framework on artificial intelligence. It applies in phases between 2025 and 2027, based on how AI is used rather than on company size. For a Belgian SME, the challenge is not to handle everything at once, but to know what concerns it, and when [1][3].

What is the EU AI Act and who is targeted in Belgium?

The EU AI Act, formally Regulation (EU) 2024/1689, entered into force on 1 August 2024. It is a European regulation: it applies directly in Belgium, without national transposition, exactly like the GDPR [1][2]. Its approach is risk-based: the more an AI system can harm health, safety or fundamental rights, the heavier its obligations.

One point often disorients business leaders: the text does not target a category of companies, but roles. You can be a "provider" if you develop or have an AI system developed under your brand, or a "deployer" if you use such a system in a professional context. The vast majority of Belgian SMEs are deployers first: they use a chatbot, a CV-screening tool, a writing assistant or scoring software supplied by a third party.

That distinction changes everything, because obligations differ by role. The regulation also provides support measures for small and medium-sized structures, so that the compliance burden stays proportionate [2]. The useful reflex is therefore not panic, but mapping: which AI systems are actually in service at your company, and in what capacity.

What is the EU AI Act application timeline?

The regulation does not apply as a single block. It follows a staggered timeline, which leaves time to organise provided you know the deadlines. Here are the main phases, as set out in the official implementation timeline [3].

Date What becomes applicable Typical impact for an SME
1 August 2024 Entry into force of the regulation No immediate obligation
2 February 2025 Prohibited practices and AI literacy Stop any prohibited use; train teams
2 August 2025 General-purpose AI, governance and penalties Check your AI model suppliers
2 August 2026 Most rules, including high-risk AI (Annex III) and transparency Core of the obligations for most cases
2 August 2027 High risk tied to regulated products (Article 6(1)) Mainly AI embedded in certified products

In short, two deadlines have already passed and bind your SME today: the ban on prohibited practices and the AI literacy obligation since February 2025, then the general-purpose AI regime since August 2025 [3]. The most structuring deadline going forward is 2 August 2026, which activates the bulk of the framework, notably for high-risk systems and transparency obligations.

This phased logic recalls the NIS2 directive in cybersecurity: a European framework, a gradual application, and a real risk in underestimating the preparation time. Anticipating remains cheaper than rushing into compliance.

Which AI practices have been banned since February 2025?

Since 2 February 2025, a base of AI practices is simply prohibited across the Union, regardless of sector [3][4]. These are uses considered contrary to European values and fundamental rights. An SME rarely deploys them, but it is worth checking that no tool in service falls under them.

Practices prohibited by Article 5 of the regulation include, among others:

  • behavioural manipulation exploiting a person's vulnerabilities to materially distort their decisions;
  • social scoring of individuals based on their behaviour or personal characteristics;
  • certain forms of emotion recognition in the workplace;
  • untargeted scraping of facial images to build recognition databases.

The full list and its exact wording belong to the text itself, and its interpretation evolves [4]. The right reflex for an SME is to review its HR, marketing and monitoring tools: these are the areas where a seemingly harmless use can tip into a sensitive category. When in doubt on a specific case, the advice of a specialised lawyer or technical guidance prevents a costly misjudgement.

Since the same date, these bans come with an AI literacy obligation (Article 4): those who operate or deploy AI systems must have a sufficient understanding of how they work and their limits [3]. For an SME, this translates concretely into awareness-raising for the teams concerned, proportionate to the systems actually in use.

Does your SME use a high-risk AI system?

This is the question that determines most of your compliance burden. The regulation classifies certain uses as "high risk" when they touch sensitive areas: recruitment and staff management, access to essential services, creditworthiness assessment, critical infrastructure, education, or certain safety devices [2][6]. A tool that automatically screens applications or assesses credit requests may thus fall into this category.

The regulation's four risk levels read like a scale:

  1. Unacceptable risk: prohibited practices (see the previous section).
  2. High risk: strict obligations on risk management, data quality, documentation, logging and human oversight.
  3. Limited risk: transparency obligations (informing the user they are interacting with an AI).
  4. Minimal risk: the majority of everyday uses, with no specific obligation.

For most SMEs, the reassuring truth is that their daily uses fall under minimal or limited risk. But a single high-risk system is enough to trigger heavy obligations, applicable for the most part from 2 August 2026 [3]. Hence the importance of an honest inventory rather than an assumption. At ITOPS.be, we approach this diagnosis as an upfront scoping exercise (Blueprint): identify the systems, qualify their risk level, then prioritise the actions before starting delivery.

eu ai act, scale of the four risk levels for a Belgian SME

What obligations apply to general-purpose AI and transparency?

Since 2 August 2025, general-purpose AI models, which power most generative assistants, are subject to their own obligations, borne mainly by their providers [3]. For an SME user, the impact is indirect but real: you must make sure that the providers of the AI tools you integrate actually meet their own obligations, notably regarding technical documentation and transparency.

From 2 August 2026, the transparency obligations of Article 50 step up [3][7]. Concretely, a user must be informed when interacting with an AI (a chatbot, for example), and content generated or manipulated by AI, including deepfakes, must be identifiable as such. For an SME deploying a conversational agent on its site or producing AI-assisted visuals, these rules impose a clear and honest disclosure.

These requirements do not stand alone. They combine with the GDPR as soon as personal data is involved. The Data Protection Authority stresses that GDPR compliance remains fully mandatory alongside the EU AI Act, with both regimes applying in parallel and not one instead of the other [5]. A Belgian SME must therefore reason on two planes at once: lawfulness of the data processing on one side, compliance of the AI system on the other.

How do you make your SME compliant, step by step?

The good news is that a methodical approach is enough for most SMEs. It is not about handling everything at the same time, but about following a logical order that mirrors the regulatory timeline.

  1. Inventory your AI systems: list every tool using AI, your role (provider or deployer) and its purpose. Without this map, no obligation can be qualified correctly.
  2. Qualify the risk level: classify each system across the four levels. First rule out any use falling under prohibited practices [4].
  3. Handle the urgent first: check compliance with already-applicable obligations (prohibited practices and AI literacy since February 2025, general-purpose AI since August 2025) [3].
  4. Prepare the August 2026 deadline: for any high-risk or transparency-bound system, document, frame and plan the necessary measures before the application date.
  5. Align with the GDPR: for each system processing personal data, align the AI Act approach with your existing GDPR obligations [5].

This sequencing fits naturally into our two-step approach: a scoping phase (Blueprint) that clarifies what concerns you, followed by delivery (Build) that turns the diagnosis into concrete measures. To place this AI governance in a broader strategy, our guide on AI for SMEs and its concrete use cases shows how compliance and business value advance together.

One last note of caution: the precise arrangements, thresholds and application guidance of the EU AI Act keep being published and refined by the European and Belgian authorities. Treat this framework as a living workstream to follow over time, rather than a box to tick once and for all. Always check the law in force with official sources before any committing decision.

Frequently asked questions

Does the EU AI Act apply to a small Belgian SME?

Yes, the regulation applies based on how AI is used, not on company size. An SME that deploys or uses an AI system falls under its obligations, with a lighter regime provided for small structures on certain steps [1][2].

What are the key EU AI Act dates to remember?

Prohibited practices and AI literacy have applied since 2 February 2025, obligations on general-purpose AI since 2 August 2025, and most rules on high-risk systems from 2 August 2026 [3].

Does an SME risk sanctions for non-compliance?

The regulation provides for administrative fines, with the highest caps targeting prohibited practices. Amounts take company size into account, but non-compliance remains a risk to assess case by case [1].

Does the EU AI Act replace the GDPR for SMEs?

No. The two texts coexist: the GDPR governs personal data, the EU AI Act governs AI systems. The Data Protection Authority stresses that GDPR compliance remains mandatory in parallel [5].

Sources and References

  1. EUR-Lex: Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act)
  2. European Commission: European regulatory framework for artificial intelligence
  3. AI Act: Phased implementation timeline
  4. AI Act: Article 5, prohibited AI practices
  5. Data Protection Authority: Artificial intelligence and data protection
  6. AI Act: Article 6, classification rules for high-risk systems
  7. AI Act: Article 50, transparency obligations