After careful analysis of the articles and annexes from the EU AI Act, the following information may be helpful in understanding the requirements, provisions or carve outs for Small and Medium-sized Enterprises (SME):
Providers of high-risk AI systems shall keep the logs automatically generated by their high-risk AI systems, to the extent such logs are under their control. Without prejudice to applicable Union or national law, the logs shall be kept for a period of at least 6 months. The retention period shall be in accordance with industry standards and appropriate to the intended purpose of high-risk AI system. (Article 20)
Based on this passage, SMEs that are.providers of high-risk AI systems are obligated to manage and store logs that their systems generate automatically. The storage period for these logs is a minimum of six months, which aligns with industry standards. This regulation applies across the board and does not include any specific carve out for SMEs.
Providers of high-risk AI systems which consider or have reason to consider that a high-risk AI system which they have placed on the market or put into service is not in conformity with this Regulation shall immediately take the necessary corrective actions to bring that system into conformity, to withdraw it, to disable it or to recall it, as appropriate. (Article 21)
This article suggests that SMEs, like all providers of high-risk AI, must take necessary corrective actions if the high-risk AI system they offer is non-compliant with the regulation. The onus of ensuring compliance and applying corrective measures in case of violations falls on all AI system providers, regardless of their size.
Additionally, upon reviewing Annex II which enumerates Union harmonisation legislation related to the Act, there does not appear to be any specific provisions or exemptions tailored toward SMEs. All enterprises, including SMEs, seem to be subject to the same legislative obligations.
The findings presented provide a general understanding of the requirements set forth by the AI Act pertaining to SMEs. However, for a comprehensive understanding of any potential carve-outs in the AI Act for SMEs, you may wish to consult with a legal expert in EU legislation or consider a thorough review of the entire AI Act.
This Regulation should preserve the values of the Union facilitating the distribution of artificial intelligence benefits across society, protecting individuals, companies, democracy and rule of law and the environment from risks while boosting innovation and employment and making the Union a leader in the field. (Recital 1a)
This recital provides a broad overview of the EU AI Act’s goals. It aims to ensure all companies can benefit from advances in AI while protecting them from associated risks. This suggests that the EU understands the importance of AI for SMEs and seeks to ensure these benefits are accessible across all sizes of business.
This Regulation should also apply to Union institutions, offices, bodies and agencies when acting as a provider or deployer of an AI system. (Recital 12)
While this recital doesn’t explicitly mention SMEs, it confirms that the regulations apply universally so SMEs must meet the same requirements as larger organizations and public institutions. It’s a clear indication that the Act does not provide any explicit carve-outs for SMEs.
After careful analysis, there seem to be no specific requirements, carve-outs, or provisions for SMEs in the AI Act as per the reviewed articles and Annex IV. The recitals suggest an inclusive approach that seeks to ensure the benefits of AI are accessible to all businesses. However, the regulations of the Act are intended to be applied uniformly to all entities developing, operating, or using AI Systems, regardless of their size. Future amendments to the AI Act might add more explicit provisions for SMEs.
Member States shall undertake the following actions:\n(a) provide SMEs and start-ups, established in the Union, with priority access to the AI regulatory sandboxes, to the extent that they fulfil the eligibility conditions;\n(b) organise specific awareness raising and enhanced digital skills development activities on the application of this Regulation tailored to the needs of SMEs, start-ups and users;\n(c) utilise existing dedicated channels and where appropriate, establish new dedicated channels for communication with SMEs, start-ups, users and other innovators to provide guidance and respond to queries about the implementation of this Regulation;\n(ca) foster the participation of SMEs and other relevant stakeholders in the standardisation development process. (Article 55)
In Article 55, the regulation outlines specific measures to support Small and Medium-sized Enterprises (SMEs) and start-ups. These measures include providing these entities with priority access to AI regulatory sandboxes, tailoring awareness raising and digital skills development activities to their needs, and setting up dedicated communication channels for queries and guidance. Another key point is enhancing the participation of SMEs in the standardisation development process.
The specific interests and needs of the SMEs, start-ups and users shall be taken into account when setting the fees for conformity assessment under Article 43, reducing those fees proportionately to development stage, their size, market size and market demand. The Commission shall regularly assess the certification and compliance costs for SMEs and start-ups, including through transparent consultations with SMEs, start-ups and users and shall work with Member States to lower such costs where possible. (Article 55)
Continuing in Article 55, the regulation asserts that the specific needs and interests of SMEs and start-ups must be considered when setting fees for conformity assessments. Fees should be reduced in accordance with several factors including SME/start-ups’ development stage, their size, market size, and market demand. The Commission is tasked with regularly assessing the certification and compliance costs for these entities and collaborates with Member States to minimize these costs if possible. This underscores the commitment to support SMEs and start-ups in effectively implementing the regulation.
This Regulation should also apply to Union institutions, offices, bodies and agencies when acting as a provider or deployer of an AI system. AI systems exclusively developed or used for military purposes should be excluded from the scope of this Regulation where that use falls under the exclusive remit of the Common Foreign and Security Policy regulated under Title V of the Treaty on the European Union (TEU). This Regulation should be without prejudice to the provisions regarding the liability of intermediary service providers set out in Directive 2000/31/EC of the European Parliament and of the Council [as amended by the Digital Services Act]. (Recital 12)
Recital 12 does not include any specific requirements, provisions, or carve outs for SMEs. It is concerned with the scope of the regulation, the application of the regulation to Union institutions, and the exception for AI systems developed or used solely for military purposes. It does not refer specifically to SMEs.
Despite the lack of SME-specific considerations in ANNEX IV of the AI Act, SMEs must comply with the general standards and requirements outlined. These standards aim to ensure the safety, reliability, and transparency of AI systems across all types of enterprises, regardless of their size.
I’ll dive into the specific requirements, provisions or carve outs for Small and medium-sized enterprises (SMEs) within the EU AI Act.
Member States shall establish at least one AI regulatory sandbox at national level, which shall be operational at the latest on the day of the entry into application of this Regulation This sandbox can also be established jointly with one or several other Member States. (Article 53)
AI regulatory sandboxes are established for entities to test their AI-based solutions in a compliance-controlled environment. Though SMEs are not explicitly mentioned, it’s implied that these sandboxes are open for SMEs among other contributors.
- Member States shall undertake the following actions: (a) provide SMEs and start-ups, established in the Union, with priority access to the AI regulatory sandboxes, to the extent that they fulfil the eligibility conditions; (b) organise specific awareness raising and enhanced digital skills development activities on the application of this Regulation tailored to the needs of SMEs, start-ups and users; (c) utilise existing dedicated channels and where appropriate, establish new dedicated channels for communication with SMEs, start-ups, users and other innovators to provide guidance and respond to queries about the implementation of this Regulation; (ca) foster the participation of SMEs and other relevant stakeholders in the standardisation development process.
- The specific interests and needs of the SMEs, start-ups and users shall be taken into account when setting the fees for conformity assessment under Article 43, reducing those fees proportionately to development stage, their size, market size and market demand. (Article 55)
In Article 55 of the AI Act, it clearly provides SMEs with priority access to AI regulatory sandboxes, tailored awareness programs, communication channels, and even encouraging participation in the standardisation process. Further provisions to protect SMEs include considering their unique interests, size and development stage when setting conformity assessment fees.
Where a high-risk AI system that is a safety component of a product which is covered by a relevant New Legislative Framework sectorial legislation is not placed on the market or put into service independently from the product, the manufacturer of the final product as defined under the relevant New Legislative Framework legislation should comply with the obligations of the provider established in this Regulation and notably ensure that the AI system embedded in the final product complies with the requirements of this Regulation. (Recital 55)
Under Recital 55, SMEs involved in the operation of high-risk AI systems should ensure that the AI system embedded in the final product complies with the AI Act’s requirements.
The development of AI systems other than high-risk AI systems in accordance with the requirements of this Regulation may lead to a larger uptake of trustworthy artificial intelligence in the Union. Providers of non-high-risk AI systems should be encouraged to create codes of conduct intended to foster the voluntary application of the mandatory requirements applicable to high-risk AI systems. Providers should also be encouraged to apply on a voluntary basis additional requirements related, for example, to environmental sustainability, accessibility to persons with disability, stakeholders’ participation in the design and development of AI systems, and diversity of the development teams. The Commission may develop initiatives, including of a sectorial nature, to facilitate the lowering of technical barriers hindering cross-border exchange of data for AI development, including on data access infrastructure, semantic and technical interoperability of different types of data. (Recital 81)
Under Recital 81, providers, potentially inclusive of SMEs, are encouraged to create codes of conduct even for non-high-risk AI systems and to voluntarily meet the mandatory requirements for high-risk AI systems - reflecting a broader trend to encourage all providers of AI systems to meet as high a standard as possible.
In summary, the EU AI Act, while not having explicitly unique requirements for SMEs, offers resources, support and considerations for SMEs and their unique positions. For SMEs engaged in the creation and deployment of high-risk and non-high-risk AI systems, the Act encourages meeting the highest standards possible, potentially enabling SMEs to compete on a more level playing field.