EU AI Act: What Your Company Needs to Know (and Do) in 2026
The EU AI Act is in force. For most European SMEs, the news should not be a cause for alarm — but it requires concrete action. Companies that use AI tools without a defined internal policy, without an inventory of systems in use, and without minimum employee training are in non-compliance. This article explains what changes, what Microsoft has already guaranteed, and what your company still needs to do.
The EU AI Act is in force: what does it mean for SMEs?
The European Artificial Intelligence Regulation — the EU AI Act — is the world’s first comprehensive AI legislation. Approved by the European Union and progressively applied since 2024, it establishes mandatory rules for any company that develops, deploys, or uses AI systems in the European Union.
The good news for SMEs: the EU AI Act takes a risk-based approach. The vast majority of productivity tools companies use day to day — Microsoft Copilot, Power Automate, Power Apps — fall into the minimal or limited risk categories, subject to far less demanding obligations than high-risk systems.
The bad news: “using low-risk tools” does not mean “having nothing to do”. There are transparency, inventory, and governance obligations that apply to any organisation using AI.
Key insight: The greatest EU AI Act exposure for SMEs does not come from the tools they officially purchased — it comes from the AI tools employees use on their own initiative (personal ChatGPT, free third-party tools) without any internal policy.
The 3 risk levels of the EU AI Act and where Microsoft tools fit
The EU AI Act classifies AI systems into four categories:
Unacceptable risk — Prohibited
Systems that subliminally manipulate human behaviour, exploit vulnerabilities of specific groups, or implement generalised social scoring. No standard Microsoft or enterprise productivity tool falls here.
High risk — Strict obligations
Systems used in critical areas: AI-driven candidate recruitment and assessment, automated credit decisions, healthcare decisions, critical infrastructure management. If your company uses AI for hiring decisions or performance assessment, these obligations apply.
What it requires: complete technical documentation, mandatory registration in the EU database, mandatory human oversight on decisions, conformity assessments.
Limited risk — Transparency obligations
Chatbots and content generation systems that interact with humans. The user must know they are interacting with AI.
What Microsoft Copilot does: Copilot always identifies itself as an AI assistant. This obligation is automatically satisfied.
Minimal risk — No specific obligations
The vast majority of productivity tools: spam filters, workflow automation, content recommendations. Power Automate, Power BI, and most Copilot features fall here.
What Microsoft guarantees: Enterprise Data Protection in M365 Copilot
Microsoft invests significantly in European regulatory compliance. For Microsoft 365 customers, the relevant guarantees are:
Data sovereignty: business customer data processed in Copilot is not used to train global AI models. This guarantee is contractually established in the enterprise service terms.
EU data residency: European companies can configure Microsoft 365 so that data resides in European datacentres, meeting GDPR and EU AI Act data sovereignty requirements.
Access control: Copilot only accesses information the user has permission to see. If an employee does not have access to a document, Copilot cannot include that document in its responses.
Transparency: Copilot always identifies the sources of the information it uses, allows response auditing, and does not take irreversible decisions autonomously without human oversight.
What Microsoft does not guarantee is what your company does internally — and that is where responsibility lies with you.
What your company still needs to do
1. Inventory of AI systems in use
The first step — and frequently the most revealing — is to take an inventory of all AI tools the company uses, including those not officially approved.
In our diagnostics with SMEs, we regularly identify between 8 and 15 AI tools in use that management was unaware of: document summarisation tools, writing assistants, meeting transcription services, image generators. Many with no European compliance guarantees whatsoever.
Concrete action: survey teams department by department. Use a simple form. Categorise each tool by risk level and decide what to keep, what to replace with compliant alternatives, and what to prohibit.
2. Acceptable use policy for AI
An AI acceptable use policy defines, in clear language, what employees can and cannot do with AI tools in a professional context.
An effective policy covers:
- Tools approved for internal use (list with version and use context)
- Data that must never be entered into external AI tools (client information, personal data, confidential financial information)
- Human review obligations for AI-generated content before external dispatch
- Transparency rules with clients and partners when AI is used in service delivery
The policy does not need to be a 30-page document. One clear page, approved by management and communicated to all employees, is sufficient to demonstrate regulatory good faith.
3. Mandatory minimum employee training
The EU AI Act establishes that organisations must ensure that people working with AI systems have a minimum level of AI literacy. This does not mean programming courses — it means employees understand:
- What AI systems are and how they work in general terms
- What kinds of errors and limitations AI systems have
- How to identify AI-generated content and when human review is required
- The company’s internal rules on AI usage
A 2-hour training session per department, documented with attendance records, is the minimum acceptable to demonstrate compliance.
How AvantIT helps with compliance: audit, policies, and secure implementation
AvantIT has developed a structured EU AI Act compliance service for SMEs, in three components:
AI audit (2 days): identification of all AI systems in use across the organisation, classification by risk level, and identification of priority compliance gaps.
Policies and documentation (1 week): drafting of the AI acceptable use policy tailored to the company’s sector and processes, and the supporting documents required (AI activity logs, risk assessments for high-risk systems, if applicable).
Secure Microsoft tools implementation (ongoing): configuration of Microsoft 365 with the security settings, data residency, and access controls that ensure compliance. Includes activation of Microsoft Purview for sensitive information management and Microsoft Defender for usage monitoring.
The goal is not to create bureaucracy — it is to create the minimum documentation needed to demonstrate compliance, protect the company from sanctions, and above all, ensure that AI tools are used in a way that protects client and company data.
EU AI Act compliance is also a competitive advantage: certified companies demonstrate digital maturity and reliability that decision-makers at large enterprises and public organisations increasingly value in their suppliers.
Schedule a free AI compliance session with our team — in 60 minutes, identify the priority gaps and receive a concrete action plan.
For more information on the Microsoft security and compliance solutions available in Microsoft 365, consult the official Microsoft documentation or speak with us about how to configure your environment securely.
Editorial Policy
At Avantit, we value authenticity and human expertise. This article was written and reviewed by our experts, ensuring technical accuracy grounded in real-world projects. We do not publish content generated exclusively by AI without validation by one of our consultants.
Share and Comment
Related Topics
Enjoyed this article?
Subscribe to our newsletter to receive more content like this or contact us to learn how we can implement these solutions in your company.