Last month I had coffee with the owner of a 30-person logistics company in Espoo. He was using AI chatbots, automated scheduling, and a couple of internal tools built on GPT. When I asked if he had looked into EU AI Act compliance, he said: "That is for big tech companies, not us."

He is wrong. And he is not alone.

The EU AI Act entered into force in August 2024. Some provisions are already active. The full regulation becomes applicable by August 2026. And it applies to every company operating in the EU that deploys or develops AI systems. Including your 15-person service company.

The AI literacy obligation under Article 4 of the EU AI Act has been in effect since February 2, 2025. It applies to all AI deployers, regardless of company size.

Wait, the AI literacy thing is already active?

Yes. Since February 2025, every company using AI in the EU must ensure that its staff has "a sufficient level of AI literacy." That is Article 4 of the regulation, and it is not optional.

In practice, this means your employees who use AI tools need to understand what they are using, what its limitations are, and how it might affect the people on the receiving end. If your customer service team uses a chatbot, they need to know how it works at a basic level. If your marketing person uses AI for content, same thing.

Nobody is going to fine you tomorrow for not having a training program. But the requirement is law, and enforcement will tighten. Getting ahead of it now costs almost nothing. Getting caught behind it later will cost significantly more.

The risk classification system (and why most SMBs are fine)

The EU AI Act sorts AI systems into four risk categories:

The honest truth: if you are a Finnish SMB using AI for customer service, email automation, scheduling, or internal operations, you are probably in the "limited risk" or "minimal risk" category. The compliance burden is manageable.

But "manageable" does not mean "ignorable."

The transparency requirement you cannot skip

If you use a chatbot on your website, your customers must know they are talking to AI. This is not buried in the fine print. It needs to be clear and upfront.

Same with AI-generated content. If you publish marketing copy, images, or videos created by AI, you need to disclose that. The specifics of how to disclose are still being finalized through technical standards, but the direction is clear: no pretending AI output is human output.

For most SMBs, this is straightforward. Put a small note on your chatbot: "You are chatting with an AI assistant." Done. But I have seen companies that actively hide the fact that their customer service is automated. That is now a compliance risk.

SMB-specific relief built into the Act

The legislators were not completely blind to the burden on small businesses. The EU AI Act includes several provisions specifically designed to ease compliance for SMBs:

Finland's Transport and Communications Agency (Traficom) is the designated national authority for AI Act supervision. They are expected to publish SMB-specific guidance in 2026. Keep an eye on their website.

Your 5-step compliance checklist

Here is what I tell every Finnish business owner who asks me about this. Five steps, no lawyer required for most of them:

  1. Inventory your AI tools. Make a simple list. Every AI tool, plugin, chatbot, and automated system your company uses. Include the free ones. Include ChatGPT subscriptions your team members use on their own. You cannot comply with regulations about systems you do not know you have.
  2. Classify the risk level. For each tool, ask: does this make decisions that significantly affect people? If yes, it might be high-risk and you need deeper assessment. If it handles customer communication, it is limited risk and needs transparency. Everything else is likely minimal risk.
  3. Handle AI literacy now. This is already required. Run a basic training session for your team. Cover what AI tools you use, how they work at a high level, what they are good at, and where they fail. Document that you did it. One afternoon is enough.
  4. Add transparency notices. Every customer-facing AI needs a disclosure. Chatbots, automated email responses, AI-generated content. Add clear labels. This is a one-hour task for most companies.
  5. Set a calendar reminder for Q1 2026. That is when you should do a deeper review. By then, Traficom will have published specific guidance, technical standards will be more defined, and you will know exactly what applies to your business.

That is it. Five steps. Most Finnish SMBs can get through steps 1 through 4 in a single afternoon.

The real risk is not the regulation

Here is what worries me more than fines. The companies I see who use "we are waiting for regulatory clarity" as a reason not to adopt AI at all. They are using compliance as an excuse for inaction.

The EU AI Act is not designed to stop businesses from using AI. It is designed to make sure AI is used responsibly. The compliance requirements for a typical SMB are a small checklist, not a full-time job.

Meanwhile, 38% of Finnish enterprises are already using AI and pulling ahead. The cost of non-compliance is real. But the cost of non-adoption is bigger.

The EU AI Act is not a reason to avoid AI. It is a reason to implement AI properly from the start.

Get your house in order. Spend an afternoon on compliance. Then get back to building a competitive business. And when you are ready to implement AI the right way, read our guide on how to choose an AI automation partner in Finland.