What the AI Act means for SMBs having software built

What does the AI Act mean for your SMB if you have software built? Plain, honest, no panic. What changes, and when.

You read about it somewhere, or someone brought it up: European legislation for AI is coming, and it's called the AI Act. Now you're wondering whether it has consequences for your business, especially if you're about to have software built or a new website. The short version first: if you're having a normal website or a regular business application built, you're almost certainly fine. No need to panic. In this piece I'll explain in plain terms what the AI Act really means for SMBs, what changes, and when.

One thing up front: this is general information, not legal advice. If you have a specific doubt about your situation, run it past a lawyer.

First, some reassurance

The AI Act is about AI. Not about software in general. A standard website, a CMS, a connection to your CRM, a booking system, or some basic automation without AI simply doesn't fall under it. Nothing changes there.

It only gets interesting once actual artificial intelligence is involved. And even then: the law looks at what the AI does and how much risk comes with it. Most everyday software falls in the lowest category, where no obligations apply.

The four risk levels, in plain language

The AI Act works from a risk mindset. The more a system can affect people, the stricter the rules. There are four levels.

1. Unacceptable risk (banned)

These are uses that simply aren't allowed. Think of social scoring of citizens, or certain manipulative and biometric applications. These bans have been in force since early 2025. For a normal SMB this is a non-issue, because you wouldn't be building this kind of thing anyway.

2. High risk (allowed, but strictly regulated)

This is about AI used in sensitive areas where it genuinely affects people. For example, AI that helps decide who gets hired, who gets credit, or who gets access to essential services. Biometrics belong here too. Serious obligations come with this. For most SMBs this doesn't come into play, unless you're having AI make or heavily influence exactly those kinds of decisions.

3. Limited risk (transparency)

This is the category a regular business is most likely to deal with. It comes down to being honest. If you have a chatbot on your site, the user needs to know they're talking to AI and not a person. AI-generated content needs to be recognizable as such. That's not a heavy burden, it's just a bit of openness.

4. Minimal risk (no obligations)

The largest group. Spam filters, recommendations, basic automation, most productivity tools. No mandatory rules apply here. The vast majority of commercial software sits here.

The 2 August 2026 moment

You hear that date mentioned a lot, so let's be clear about what happens then. From 2 August 2026, the broad layer of the law really takes effect: the heavy obligations for high-risk uses and the transparency rules for the limited-risk category (like that chatbot notice).

What it does not mean: that ordinary business software suddenly becomes a compliance burden. If your software falls in the minimal-risk group, practically nothing changes for you on that date.

For completeness, there are a few earlier moments too. The law entered into force in August 2024. The bans took effect in early 2025. And since August 2025 there are obligations for providers of so-called general-purpose AI models. That last one sounds broad, but it's aimed at the parties that build such foundation models themselves (think of the big model makers), not at companies that simply use such a model via an API. If your software calls an existing AI model, you're not the model maker.

When it does start to matter more for your SMB

Two situations to be clear about.

The first: AI that helps decide about people in a sensitive area. If you have software built that pre-selects applicants, estimates creditworthiness, or determines access to important services, you're heading toward high risk. In that case it's wise to go through this carefully with your builder, and possibly a lawyer, beforehand.

The second, much lighter: a customer chatbot. That's limited risk, not high risk. You don't need to set up the whole machinery of high-risk obligations. Mainly, you need to make clear that the visitor is talking to AI. A simple notice is enough.

Provider or user, why that difference matters

The law distinguishes between two roles, and that determines how heavy your responsibilities are.

If you're a user (deployer), you put an existing AI system to professional use without developing it yourself or substantially adapting it. For example, a SaaS tool with an AI feature, or an external AI API you call. Users have lighter obligations. Most SMBs that use ready-made AI tools fall here.

If you're a provider, you develop an AI system and bring it to market under your own name. Watch out for this one: if you have an AI system custom-built, to your specifications and with your data, you're probably the provider, even if an external developer does the actual building. Providers have more obligations than users. So it's good to know in advance which role you're in. Want to go deeper on this? Read our piece about an app developer in Tilburg and how custom work plays out in practice.

And what about the fines?

You sometimes read alarming figures. Good to know: those are maximum fines for the most serious violations. The law explicitly takes a company's size into account and scales proportionally for SMBs. I'm deliberately not naming concrete numbers here, because the figures going around almost never apply to the situation of a regular business with tidy, low-risk software.

Questions you can comfortably ask your software builder

A short, practical list for your next conversation:

  • Is there actually AI in what we're having built, or is it ordinary software?
  • If so, which risk category does it likely fall into?
  • Does this make me a provider or a user in the sense of the AI Act?
  • If there's a chatbot or AI content in it, is the transparency handled properly?
  • Are we using AI anywhere to make decisions about people in a sensitive area?

With those questions you've got the most important part covered without having to know the whole law yourself.

In closing

For most SMBs having software built, the AI Act is no cause for worry. If you're building something ordinary, you're in the lowest category and little changes. If it gets more serious, you now know what to watch for and which questions to ask.

Not sure whether your plan is AI-sensitive? Feel free to run it by us, and we'll think along with you, no strings attached, about how to handle it cleanly and without hassle.

One more time for clarity: this is general information and not legal advice. For your specific situation, a lawyer remains the right place to go.
