EU AI Act Compliance for SMEs

The Act's AI-literacy duty for deployers (Article 4) has applied since 2 February 2025; most remaining deployer obligations apply from 2 August 2026. Fines for breaching deployer obligations reach €15M or 3% of global annual turnover, whichever is higher, although for SMEs the cap is whichever is lower (Article 99). Here's how to comply without an enterprise budget.

90% compliance out of the box

The EU AI Act sounds intimidating. Penalties of €15 million. Complex requirements. Enterprise-level compliance expectations.

Here's the thing: the actual requirements are practical, not theoretical. The regulation asks for visibility, documentation, and human control. These are things that operational governance tools provide automatically.

We built Vireo Sentinel specifically to close this gap. A 20-person company can achieve 90% EU AI Act compliance for under $3,500 AUD annually. A 50-person company for under $8,000 AUD. Five-minute setup, no compliance consultants required.

  • 90%: EU AI Act coverage out of the box
  • 5 min: setup time per employee
  • $75: starting monthly cost (Starter tier, AUD)

What the EU AI Act actually requires

Strip away the legal language, and deployer obligations map to eight core capabilities. The grouping below is a practical mapping, not the Act's own article structure, and it targets the obligations that apply to SMEs using general-purpose AI tools; deployers of high-risk systems carry further duties under Article 26.

  • AI Literacy: your team understands what AI tools they're using and the associated risks. (Excellent coverage)
  • Transparency: you can show what AI systems are in use and how. (Excellent coverage)
  • Usage Documentation: complete logs of AI interactions for audit purposes. (Excellent coverage)
  • Input Data Control: awareness of what data enters AI systems. (Strong coverage)
  • Human Oversight: humans remain in control of AI-assisted decisions. (Excellent coverage)
  • Risk Assessment: you identify and monitor risks in AI usage. (Excellent coverage)
  • Compliance Monitoring: ongoing tracking of AI governance effectiveness. (Strong coverage)
  • Incident Reporting: process for flagging and documenting serious incidents. (Manual process)

Notice what's missing? No requirement for an AI ethics committee. No mandate for theoretical frameworks. No expectation of perfection. The regulation asks for practical governance: visibility, documentation, and human control.

How Vireo Sentinel delivers compliance

Compliance evidence generated automatically as a byproduct of protecting your business.

Usage Documentation (Article 12 record-keeping; Article 26(6) log retention for deployers)

Complete interaction logs with timestamps, platforms, models, and risk scores. Every AI interaction documented automatically.

Transparency Reporting

Dashboard showing which AI tools your organisation uses, usage patterns by team, and trends over time. Real data, not theoretical policies.

Human Oversight

Every intervention logged with user decision. Four options (Cancel, Redact, Edit, Override) keep humans in control while documenting choices.

Risk Assessment

Real-time detection across 50+ risk patterns. Scores from 0-100 with severity levels. Risk distribution tracked over time.

Input Data Control

Sensitive data detected before it reaches AI platforms: PII, credentials, financial data, healthcare information. Matches are flagged in real time, before submission, so the user decides what leaves the organisation.

Compliance Monitoring

Automated analytics showing compliance rates, intervention patterns, and governance effectiveness. Continuous monitoring, not periodic audits.
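As an added illustration of the control the Input Data Control, Risk Assessment and Human Oversight items describe, the Python below scans a prompt for sensitive patterns before it leaves the organisation, scores it 0-100 with a severity band, applies the user's Cancel/Redact/Edit/Override decision, and writes an audit record. It is example code, not Vireo Sentinel's implementation (which this page does not publish); the rules, weights, thresholds, decision names and the sample prompt are assumptions constructed for the example.

```python
"""Added example: pre-submission prompt inspection with human decision and audit record.
Not Vireo Sentinel's code. Rules, weights and thresholds are illustrative assumptions."""
from __future__ import annotations

import hashlib
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class Rule:
    name: str                                   # risk pattern name
    regex: re.Pattern                           # what to look for
    weight: int                                 # contribution to the 0-100 score (assumed)
    check: Optional[Callable[[str], bool]] = None  # secondary validation of a raw match


def luhn_ok(s: str) -> bool:
    """Luhn checksum, so that arbitrary digit runs (order numbers, timestamps) are not flagged as cards."""
    digits = [int(c) for c in re.sub(r"\D", "", s)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0


# Illustrative rule set; a real deployment would carry far more patterns.
RULES = [
    Rule("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), 60),
    Rule("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), 80),
    Rule("email_address", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), 15),
    Rule("payment_card", re.compile(r"\b(?:\d[ -]?){13,19}\b"), 50, luhn_ok),
]

DECISIONS = ("cancel", "redact", "edit", "override")  # assumed names for the four options


@dataclass(frozen=True)
class Finding:
    rule: str
    start: int
    end: int


def scan(text: str) -> list[Finding]:
    """Return findings ordered by position; a rule's check() filters false positives."""
    found = []
    for rule in RULES:
        for m in rule.regex.finditer(text):
            if rule.check is None or rule.check(m.group(0)):
                found.append(Finding(rule.name, m.start(), m.end()))
    return sorted(found, key=lambda f: (f.start, -f.end))


def score(findings: list[Finding]) -> int:
    weights = {r.name: r.weight for r in RULES}
    return min(100, sum(weights[f.rule] for f in findings))


def severity(s: int) -> str:
    return "none" if s == 0 else "low" if s < 30 else "medium" if s < 60 else "high" if s < 90 else "critical"


def redact(text: str, findings: list[Finding]) -> str:
    """Replace each matched span with a placeholder; overlapping spans are merged."""
    out, pos = [], 0
    for f in findings:
        if f.start < pos:
            continue
        out.append(text[pos:f.start])
        out.append(f"[REDACTED:{f.rule}]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


def intervene(text: str, platform: str, model: str, user: str, decision: str,
              edited_text: Optional[str] = None) -> tuple[Optional[str], dict]:
    """Run the check, apply the human's decision, return (text to send or None, audit record)."""
    if decision not in DECISIONS:
        raise ValueError(f"unknown decision {decision!r}")
    findings = scan(text)
    s = score(findings)
    if decision == "cancel":
        outgoing = None
    elif decision == "redact":
        outgoing = redact(text, findings)
    elif decision == "edit":
        if edited_text is None:
            raise ValueError("edit requires edited_text")
        outgoing = edited_text
    else:  # override: the prompt goes out unchanged, but the choice is on record
        outgoing = text
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "platform": platform, "model": model, "user": user,
        "prompt_sha256": hashlib.sha256(text.encode()).hexdigest(),
        "risk_score": s, "severity": severity(s),
        "findings": [f.rule for f in findings],
        "decision": decision, "sent": outgoing is not None,
        # Residual findings show what still left the building after an edit or override.
        "residual_findings": [f.rule for f in scan(outgoing)] if outgoing else [],
        # Log the redacted form, never the raw prompt: the audit trail must not become a second copy of the secret.
        "prompt_redacted": redact(text, findings),
    }
    return outgoing, record


# Constructed sample prompt (the card number and AWS key are published test values, not real credentials).
SAMPLE = ("Summarise this ticket. Customer jane.doe@example.com paid with card 4111 1111 1111 1111; "
          "deploy with key AKIAIOSFODNN7EXAMPLE.")

if __name__ == "__main__":
    sent, rec = intervene(SAMPLE, "chat.example", "gpt-x", "alice", "redact")
    print(json.dumps(rec, indent=2))
```

The audit record stores a hash of the original prompt plus its redacted form rather than the raw text; an interaction log that keeps every prompt verbatim quietly becomes a second store of the credentials and PII the control exists to catch. The Luhn check on the card rule is the other point worth copying: bare regexes over digit runs generate enough false positives that users start clicking Override by reflex, which defeats the oversight the log is meant to evidence.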

What auditors actually assess

Operational evidence beats policy documents every time.

They don't ask

  • "Do you have a 47-page AI ethics policy?"
  • "Have you completed AI literacy training modules?"
  • "Do you have theoretical frameworks documented?"

They ask

  • "Show me what happened when an employee tried to share sensitive data with AI last week."
  • "How do you prevent accidental data exposure in day-to-day AI usage?"
  • "Can you demonstrate your AI governance actually works?"

Your dashboard showing 2,847 AI interactions, 23 risk events, and 18 successful interventions this month is more compelling than a 200-page framework that's never been tested.

The one gap (and why it doesn't matter yet)

Full disclosure: Vireo Sentinel achieves 90% EU AI Act compliance by the mapping above, not 100%. The gap is incident reporting: specifically, automated workflows for escalating serious incidents, which a deployer must report first to the provider and then to the relevant market surveillance authority (Article 26(5)).

This matters less than you'd think for three reasons:

Manual processes work

Vireo flags potential incidents in the dashboard. You can document them manually and report if required. It's compliant, just not fully automated.

Incident reporting triggers rarely

A "serious incident" under the EU AI Act (Article 3(49)) is one that leads to death or serious harm to health, serious and irreversible disruption of critical infrastructure, a breach of fundamental-rights obligations under EU law, or serious harm to property or the environment. Most SME AI usage (drafting documents, analysing data, researching topics) doesn't come near those thresholds.

Risk priority

Real-time risk prevention (the 90% Vireo provides today) matters daily. Incident reporting (the gap) matters rarely. Which would you rather have operational immediately?

Ready for EU AI Act compliance?

90% coverage out of the box. Five-minute setup. No compliance consultants required.