The EU AI Act sounds like something only large enterprises with legal departments need to worry about. For most small businesses, the reality is calmer than the headlines — but "calmer" isn't the same as "ignore it." Here's the plain-language version.
This is a general explainer, not legal advice. If you're doing something genuinely high-stakes with AI, talk to a specialist. For the everyday case, though, the picture is simpler than it looks.
The one idea that explains the whole thing
The Act sorts AI uses by how much risk they pose to people, and applies more rules as the risk goes up. That's it. Everything else is detail. The four levels:
- Unacceptable risk — banned outright. Things like social scoring or manipulative systems that exploit vulnerable people. Almost no normal business is anywhere near this.
- High risk — allowed, but with real obligations. Think AI used in hiring decisions, credit scoring, medical contexts, or critical infrastructure. This is where documentation, oversight, and testing requirements kick in.
- Limited risk — mostly a transparency duty. If people are talking to a chatbot or seeing AI-generated content, they should be told. This covers a lot of everyday business use.
- Minimal risk — no special rules. Spam filters, AI in your accounting tool, a writing assistant. The vast majority of tools land here.
Where most small businesses actually sit
If you're using AI to draft emails, summarise documents, answer customer questions, or automate internal admin, you're almost certainly in limited or minimal risk. Your obligations are light and mostly common-sense:
- Tell people when they're interacting with AI rather than a human.
- Label AI-generated content where it could be mistaken for the real thing.
- Don't quietly use it to make consequential decisions about people without a human in the loop.
The moment you drift toward decisions that affect someone's livelihood, health, or rights — automated hiring, lending, anything safety-related — you've potentially stepped into high-risk territory, and the rules get serious. That's the line to watch.
The simplest compliance question: "Could this AI's output materially harm a person?" If yes, slow down and get advice. If no, keep it sensible and you're fine.
Three things worth doing now
- Write down where you use AI. A simple list — tool, what it does, what data it touches. You can't manage risk you haven't mapped, and an inventory takes an afternoon.
- Add transparency where people interact with it. A one-line "you're chatting with an AI assistant" covers most of the limited-risk duty.
- Keep a human on the consequential stuff. If AI helps make a decision about a person, make sure a human reviews and can override it. Good practice anyway.
That's most of it. The Act is being phased in over time, with the heavier obligations landing on the higher-risk uses — so for everyday business use, you have room to get this right rather than panic about it.
The honest takeaway
For most businesses in the Netherlands, the EU AI Act is a reason to be tidy and transparent, not a reason to avoid AI. Know where you use it, be open about it, and keep humans in charge of decisions that matter. Do that and you're in good shape.