EU AI Act Readiness: Why Most Companies Are Underprepared (And What It Will Cost Them)

Among the organisations that have completed Turbotic's EU AI Act readiness assessment, 89% are SMEs with fewer than 250 employees, and 11% are larger companies with 1,000–5,000 employees. Enterprise organisations above 5,000 employees represent 0% of completed assessments so far.

This is an early dataset — only 9 out of 32 completed assessments currently include company size data — but the distribution already indicates where the preparedness gap is likely to be most acute: among smaller and mid-sized businesses. Despite rapidly increasing AI adoption, very few organisations appear to have established clear governance structures, risk classification processes, transparency routines, or documentation standards for their AI usage. In practice, many companies are implementing AI tools without fully understanding the compliance obligations that may follow.

For many businesses, the largest cost will not come from the regulation itself — but from reacting too late. August 2, 2026 is the binding enforcement date for high-risk AI system obligations under the EU AI Act, covering requirements for providers and deployers of AI used in employment, credit decisions, education, and similar regulated contexts.

Organisations that lack visibility into how AI is being used internally may later face expensive remediation projects, legal reviews, rushed compliance initiatives, vendor replacements, and operational slowdowns once regulators, customers, or procurement teams begin demanding proof of compliance.

The financial exposure is real. Non-compliance with high-risk AI system obligations can result in fines of up to €15 million or 3% of global annual turnover — whichever is higher. Violations of the Act's prohibited AI practices carry penalties of up to €35 million or 7% of global turnover. For SMEs, even the lower thresholds represent a meaningful financial risk relative to revenue.

The challenge is particularly significant for SMEs. Unlike large enterprises, they often lack dedicated compliance teams, AI governance frameworks, or in-house legal expertise. Yet they are increasingly integrating AI into customer support, automation, analytics, HR, and decision-making processes — sometimes without realising that these use cases may fall into regulated categories under the AI Act.

An AWS survey found that more than two-thirds of European companies struggle to understand their responsibilities under the AI Act, with common questions including: Does my AI tool count as high-risk? Am I a provider or a deployer? How do I prove compliance?

The EU has introduced some SME-specific relief measures — including reduced conformity assessment fees, priority access to regulatory sandboxes, and simplified technical documentation requirements — but these measures do not remove the underlying compliance obligations. They reduce the cost of compliance; they do not eliminate the requirement to comply.

Most organisations that struggle with EU AI Act readiness are not failing because of technical limitations. They are failing because AI governance has not been assigned as an organisational responsibility. There is no inventory of AI systems in use. There is no process for classifying new AI tools before deployment. There is no documentation standard for AI-assisted decisions. And there is no ownership of the compliance question at leadership level.

This is exactly the kind of gap that regulators, enterprise procurement teams, and enterprise customers will start probing as enforcement approaches. The companies that begin preparing now — even with a basic AI system inventory and a preliminary risk classification exercise — will be in a fundamentally different position in twelve months than those that continue to defer the question.

EU AI Act readiness does not require a six-month compliance programme to get started. The first step is inventory: map every AI system in use or under development, including third-party tools where your organisation is a deployer rather than a provider.

The second step is classification: for each system, assess whether it falls into the Act's prohibited, high-risk, limited-risk, or minimal-risk tiers. The third step is gap analysis: for high-risk systems, identify which of the Act's requirements — technical documentation, conformity assessment, human oversight, incident reporting — are not yet in place.

Even a preliminary pass through these three steps creates an organisational foundation that would take weeks to build under deadline pressure. The companies that will face the smallest compliance burden in 2026 are not the largest companies — they are the ones that started earliest.

The EU AI Act website provides a free EU AI Act Compliance Checker specifically designed for SMEs to assess their obligations. For a more structured intake of your AI footprint, see Turbotic's EU AI Act readiness assessment.