
What the EU AI Act means for small teams building with agents

Most of what you read about the EU AI Act assumes you are a large enterprise. Here is a more grounded look at what actually applies to small EU companies deploying AI agents internally.


The EU AI Act became fully applicable in August 2024. Since then, most of the coverage has focused on foundation model providers and large deployers — companies with compliance teams, legal counsel, and the resources to spend months on documentation. That coverage is not wrong, but it leaves a gap.

A significant number of small EU companies are now deploying AI agents internally — for lead qualification, document processing, customer follow-up, scheduling. They are not foundation model providers. They are not deploying in high-risk contexts. But they are still subject to the regulation, and most of them have not thought through what that means.

I want to be clear upfront: this is not legal advice. If you are deploying AI systems in sensitive contexts — healthcare, hiring, credit, law enforcement — you need to talk to a lawyer. The notes below are about the more common case: internal operational automation at a small EU company.

The risk classification question

The Act classifies AI systems by risk level. Most of the compliance burden falls on high-risk systems. The high-risk categories are defined in Annex III of the regulation and they are quite specific: AI used in recruitment to sort CVs, AI used in creditworthiness assessment, AI used in access to essential services, AI systems that influence decisions about people's safety.

An agent that automatically drafts follow-up emails for your sales team, or routes incoming support tickets, or summarizes contract PDFs for internal review — none of those are high-risk under the Act. The operational automations that most small companies are actually deploying are not in the high-risk category.

This matters because the high-risk classification triggers extensive requirements: conformity assessments, human oversight obligations, registration in EU databases. If you are not in that category, those requirements do not apply to you.

What does apply

There are baseline requirements that apply to all AI systems, regardless of risk level. These are not onerous but they are real:

Transparency to users. If a person is interacting with an AI system and might reasonably think they are interacting with a human, you have to make clear they are not. This applies to chatbot-style agents deployed externally. It does not apply to purely internal automation that no human interacts with directly.

Prohibited practices. There are things you cannot do regardless of anything else: social scoring of citizens, real-time biometric surveillance in public spaces, subliminal manipulation. If you are running an operations automation agent, you are almost certainly nowhere near these.

GPAI model obligations if you are building on top of general-purpose AI. This is where it gets slightly more relevant for small teams: if your agent is built on top of a general-purpose model (GPT-4, Claude, Gemini, etc.), those providers have their own obligations under the Act. As the deployer, you have lighter obligations — primarily around proper use and respecting the provider's terms — rather than the full burden that falls on the provider.

Record-keeping and documentation

Even for low-risk deployments, it is sensible practice to maintain some documentation: what the system does, what data it accesses, who is responsible for it, when it was last reviewed. This is not a legal requirement for low-risk systems, but it is useful when questions come up internally, and it is the foundation you need if your use case ever evolves toward higher-risk applications.

We include a documentation template in every agent deployment we do. It covers the basics: system purpose, data flows, oversight owner, review schedule. One page. Not compliance theater — just enough that a new operations manager can understand what is running without asking six people.

The honest answer about uncertainty

The EU AI Act is new and the interpretation of various provisions is still being worked out through guidance documents and, eventually, enforcement. Some questions about how it applies to specific edge cases do not have clear answers yet.

For small teams doing internal operational automation, the practical approach is: understand the risk classification and confirm you are not in the high-risk category; follow basic transparency practices; document what you are running; and check in with the guidance as it develops. That is a reasonable posture for the current moment without requiring a full compliance program.

If you are in France specifically, the CNIL has been active in publishing guidance on AI and data protection. Their resources are worth reviewing alongside the Act itself.

And again — if you are in a regulated sector or your agent touches decisions that significantly affect people, get actual legal advice. This note is not that.

Nadia Voss, Co-founder at ElumiWorld. Previously a product engineer at a logistics SaaS in Hamburg, where she spent three years automating internal operations before joining ElumiWorld. She focuses on integration architecture and the product decisions that surround agent deployment.