dbrd

EU AI Act Compliance Checklist: 10 Actions for DACH SMEs

EU AI Act compliance is in force. Here are 10 practical actions DACH SMEs can complete in 30 days to classify risk and document AI use.

EU AI Act compliance checklist for DACH SMEs with risk classification

EU AI Act Compliance: 10 Actions for DACH SMEs

The EU AI Act has been in force since August 2024. The first compliance deadlines hit in February 2025. For most DACH SMEs, the timeline is now: act in the next 90 days or face exposure to fines of up to €15 million or 3% of global annual turnover.

The Act is not a future problem. It is operational, and it applies to most companies using AI in any meaningful way — not just the model providers. The obligations sit with the deployer. If your team uses AI for email drafting, customer support triage, document summarization, or process automation, this applies to you.

This is not legal advice. It is an operational checklist for getting your company into a defensible state within 30 working days.

The Four Risk Tiers (and Where Your SME Lands)

The Act classifies AI systems into four risk categories. Most DACH SMEs will sit in the Limited Risk or High Risk tiers — and a small number will be using General Purpose AI (GPAI) models that carry their own obligations.

Unacceptable Risk — banned outright. Social scoring, real-time biometric identification in public spaces, manipulative AI. Most SMEs do not use these. If you do, stop.

High Risk — used in employment, education, credit, healthcare, law enforcement, critical infrastructure. The obligations are substantial: conformity assessments, risk management systems, logging, human oversight, accuracy and cybersecurity requirements, and registration in the EU database. If your AI makes decisions about hiring, firing, credit, or access to services, you are in this tier.

Limited Risk — chat interfaces, content generators, deepfakes. Transparency obligations: users must know they are talking to an AI, AI-generated content must be labeled. This is where most SME AI deployments sit.

General Purpose AI (GPAI) — foundation models like GPT, Claude, and Gemini. The provider carries most obligations, but deployers must track what they use, for what purpose, and the known system limitations.

For the typical 20-50 person Mittelstand company using AI for back-office work, the answer is usually: Limited Risk, with pockets of High Risk if you operate in a regulated vertical. Knowing where you land drives the rest of the work.

The 10 Compliance Actions for DACH SMEs

This list is sequenced. Steps 1-4 take one week. Steps 5-8 take the second week. Steps 9-10 are ongoing.

1. Inventory every AI system in use. Walk through every department. List the AI tools, what they do, who uses them, what data they touch, and who is the data controller. A spreadsheet is fine. The point is completeness — auditors will ask “what AI do you use” and the answer must be a list, not a shrug.

2. Classify each system by risk tier. Apply the four-tier framework above. Be conservative. If a system could be High Risk, treat it as High Risk until you have evidence otherwise. The cost of over-classification is process overhead. The cost of under-classification is regulatory exposure.

3. Map data flows into and out of each AI system. For each tool, document: what data goes in, where it is stored, whether it is used for model training, where the model is hosted (EU vs. US vs. Asia), and what the data retention policy is. This is the foundation for both AI Act compliance and your existing DSGVO documentation.

4. Identify the deployer and provider for each system. Under the Act, the deployer (your company, when you are using AI for your own operations) carries most of the operational obligations. The provider (OpenAI, Anthropic, Google, your vendor) carries the rest. Document which is which. This determines who files what during an audit.

5. Draft a single AI Acceptable Use Policy. Two pages is enough. What employees may and may not do with AI. Which tools are approved. What data is forbidden (personal data of customers, financial records, health data without a DPIA). How to escalate edge cases. This document is your defense if an audit happens.

6. Configure access controls and audit logging. Every AI tool must run under your identity and access management. SSO where possible. Admin access for a small number of named individuals. Audit logs enabled. For most DACH SMEs running Google Workspace, this means a combination of managed Google Workspace controls and vendor-specific admin settings.

7. Run a Data Protection Impact Assessment (DPIA) for each High Risk system. This is a DSGVO requirement that also satisfies the AI Act’s risk management obligation. The DPIA template from your local Datenschutzbehörde works. For High Risk AI specifically, the assessment must include the model’s intended purpose, training data provenance, known bias patterns, and the human oversight mechanism.

8. Document human oversight procedures. For every AI system that makes or influences a decision, document: who reviews the output, what triggers a human review, what happens when the AI is uncertain, and how the decision can be reversed. “A human looks at it” is not a procedure. “Sarah reviews all AI-generated invoices over €5,000 every Friday morning” is a procedure.

9. Set up monitoring and incident response. AI systems fail. They hallucinate, they leak data, they produce biased outputs. You need: a way to detect failures (cost anomalies, output quality checks, user reports), a way to respond (kill switch, rollback, customer notification), and a way to report (24-hour window for serious incidents under NIS2, depending on classification). For operational AI, this is core to Agent Ops.

10. Schedule a quarterly AI Act review. Regulations evolve. Your use of AI evolves. Every 90 days, re-run the inventory, re-classify, update the documentation, and capture the changes. The Act is not a one-time project — it is an ongoing operational discipline, like DSGVO.

When to Bring in External Help

Most DACH SMEs do not have the internal bandwidth to run this end-to-end. The honest answer is that a thorough compliance pass takes 40-80 hours of focused work, and the people who can do it competently are the same people who are already stretched.

There are three paths this work typically takes:

  • In-house, with a security champion. Works if you have someone with 10-15 hours per week for a month, and they have the authority to push back on shadow AI usage. Cheapest option. Highest risk of incompleteness.

  • External compliance consultant. Works for the documentation and classification step. Expensive for the operational monitoring step, because the consultant leaves and you still need to run the monitoring yourself.

  • Ongoing operational ownership. Our vCAIO service is built for this: a part-time Chief AI Officer who handles the strategy, classification, and documentation, paired with AI Office modules that run the operational AI under proper governance. It is the only tier where compliance work and operational AI work share a single owner.

For pricing context, the services overview page shows how the tiers compose. Most SMEs land on AI Office plus a quarterly vCAIO engagement.

The Takeaway

The EU AI Act is operational, not future-tense. The 10 actions above are what a 25-person company can complete in 30 working days. Inventory, classify, document, configure oversight, monitor. Most of this is documentation discipline you already practice for DSGVO — extended to cover AI-specific risks. If you have not started, start with the inventory this week. If you have started but stalled, Agent Ops can baseline your current state in 2-3 days.

© 2026 dbrd. All rights reserved.