AI Act compliance for an SME comes down to three concrete moves: classify each AI use by risk level, train the people who use it (an obligation in force since 2 February 2025) and keep written proof of both.
Read the full guide
AI Training for Business: The Complete 2026 Guide (Funding, Certification, EU AI Act)
Answer a few questions and get a personalized assessment with recommendations tailored to your industry.
Assess my AI maturityRelated articles
Dive deeper with these complementary articles.
AI training for businesses in France costs between €350 and €3,300 ex. VAT per person in 2026, with up to 100% OPCO funding for SMEs under 50 employees. Since August 2, 2026, the EU AI Act requires every company using ChatGPT, Claude, or Copilot to guarantee minimum AI literacy across its teams, with sanctions up to €7.5M or 1.5% of global annual turnover. Here is how to design a truly operational, funded, and compliant program.
AI Act compliance for an SME comes down to three concrete moves: classify each AI use by risk level, train the people who use it (an obligation in force since 2 February 2025) and keep written proof of both. The rest is mostly common sense and a little method. This article walks through the checklist we apply with our clients, starting from the real case of a company of 10 to 250 employees using ChatGPT, Claude or an in-house agent without knowing where to begin. For the full picture of funding and certification, the complete guide to AI training in business puts these obligations in context.
Most SMEs deploy no high-risk system, yet they still fall under two cross-cutting obligations: transparency and training. Regulation (EU) 2024/1689, known as the AI Act, sorts AI uses into four levels: unacceptable risk (banned), high risk, limited risk and minimal risk. CV screening, credit scoring or grading students fall into high risk. Drafting an email with an assistant, summarising a meeting or generating a product sheet sit in limited or minimal risk.
In practice, a service or retail SME that uses generative AI to produce content, answer customers or sort information has no high-risk compliance file to build. But it must inform users when they interact with an AI, and it must make sure its teams know how to use these tools properly. It is this second obligation, often overlooked, that bites earliest.
The deadlines shifted in late 2025: the heaviest high-risk obligations are pushed to late 2027, but the training obligation is already active. On 19 November 2025, the European Commission published the Digital Omnibus package to ease and stagger the schedule. A provisional agreement between the Council and Parliament was announced in May 2026. Here are the dates that matter for an SME.
| Deadline | What applies |
|---|---|
| 2 February 2025 | Ban on unacceptable-risk practices and training obligation (Article 4) |
| 2 August 2025 | Rules for general-purpose AI models and governance |
| 2 August 2026 | Setup of national supervisory authorities |
| 2 December 2027 | High-risk obligations (stand-alone Annex III systems), pushed back by the Digital Omnibus |
| 2 August 2028 | High-risk obligations for AI embedded in regulated products (Annex I) |
Keep the key point in mind: the delay covers high risk, not training or transparency. An SME that was waiting for 2027 to act is fighting the wrong battle. The 2 August 2026 date and its real effects are covered separately.
Since 2 February 2025, any organisation that uses an AI system must ensure a sufficient level of AI literacy among the people who operate it. This is Article 4 of the AI Act. It does not target employees only: it also covers contractors, temporary staff and anyone using the tool on the company's behalf. Training must be proportionate to each person's role and to the context of use. A salesperson drafting proposals with an assistant does not need the same level as a developer wiring an API to a model.
What Article 4 does not specify is the format. No diploma requirement, no minimum duration set by the text. What matters is that users understand what an LLM is, why it can produce a hallucination, how to phrase a useful request and which data should never be pasted into a consumer tool. The detail of what Article 4 precisely requires is covered in this dedicated article.
Here are the eight actions to run in order, achievable in a few weeks for an SME with no legal department.
This list is enough for the vast majority of SMEs. If you deploy a high-risk system, the work is heavier and deserves dedicated legal support.
In an audit, what counts is not your good faith but what you can show. Supervisory authorities may take the training obligation into account when investigating an AI-related incident. Three documents form a solid base: a register of AI uses (which tool, for what, which risk level), the team's training certificates, and the signed internal usage policy. A Qualiopi-certified training generates these certificates automatically and stands as more credible proof than an online tutorial with no traceability.
Bringing an SME's training into compliance runs to a few hundred euros per person, much of it fundable. A one-day group awareness module usually sits between 350 and 700 € per participant. This cost is eligible for OPCO funding for companies under 50 employees, and the FNE-Formation scheme can cover a large share of the remainder. The article on OPCO funding for AI training details the steps. Set against the penalty ceiling, these sums are marginal: the penalties set by the AI Act reach 35 million euros or 7% of worldwide turnover for banned practices, and 15 million euros or 3% for other breaches. For an SME, the lower of the two ceilings applies, but the order of magnitude stays deterrent.
Three reflexes cost time and money. The first: believing the AI Act concerns only the tech giants. Any company using an AI tool is a deployer under the regulation. The second: waiting for 2027 because deadlines moved, forgetting that training and transparency are already due. The third: confusing compliance with paperwork, and launching a heavy audit when a half-day inventory would do. Change management matters more than the thickness of the file: a team that understands the risks makes fewer mistakes than a team that signed a policy without reading it.
GrowthPerf is a Qualiopi-certified training provider specialising in AI and automation for SMEs and nonprofits in the Paris region. We run this checklist with you: inventory of uses, risk classification, role-based team training, and the certificates that serve as proof. Our AI awareness sessions for business cover the baseline required by Article 4, and the operational AI for SMEs track goes further for teams ready to scale their uses. To place these sessions in a full strategy, return to the complete guide to AI training in business. And if you first need to win internal buy-in, here are five reasons to train your teams in 2026.
Download our AI Act compliance checklist and book a 30-minute call to frame your compliance work.
My company only uses ChatGPT, am I covered by the AI Act? Yes. By using an AI tool, your company is a deployer under the regulation. You have no high-risk file to build, but the training obligation (Article 4) and transparency have applied to you since February 2025.
Is AI training really mandatory? Yes, since 2 February 2025. Article 4 requires a sufficient level of AI literacy for anyone using these systems in the company. The text sets neither duration nor diploma, but demands training proportionate to the role.
Does the 2027 delay buy me time? Not for training and transparency, which remain due. The Digital Omnibus mainly pushes high-risk obligations (stand-alone systems) to 2 December 2027, not the cross-cutting obligations already in force.
How long does it take to become compliant? For an SME with no high-risk system, a few weeks: a half-day inventory, a one-day group training, then setting up the register and usage policy.
What penalties apply for a breach? Up to 35 million euros or 7% of worldwide turnover for banned practices, and 15 million euros or 3% for other breaches. For an SME, the lower ceiling applies.
Is a training certificate enough as proof? It is a central element. Combined with a register of uses and an internal policy, it forms a solid base. A Qualiopi-certified training makes that proof more credible thanks to its traceability.
Do I need a full legal audit? Rarely for an SME in limited risk. A structured inventory and suitable training are enough. A heavy audit is justified mainly if you deploy a system classified as high risk.
