Is Your Business AI Compliant?


Good Morning Reader, it's Maria,

Most people I speak to have never heard of the EU AI Act. And the ones who have heard of it have mostly filed it under the "something to deal with later" pile.

I get it! I did too.

To be honest, before I started researching it for this newsletter, I didn't fully understand the implications and urgency around it.

It sounds like boring bureaucracy, something for big companies with legal teams, not for you, at least not yet.

But it does apply to you, and August 2026, when most of the remaining obligations start to apply, is closer than it feels.


If podcasts are more your speed, I've got you covered; there's a discussion about this topic available now here.


THE BIG IDEA

The EU AI Act is the world's first comprehensive law governing AI.

Think GDPR (the EU's data privacy law that every business had to comply with a few years ago), but for artificial intelligence. And just like GDPR, a lot of businesses are going to wake up to it very late, scramble, and wish they'd started earlier.

I've been researching it over the past few weeks, partly for my own education and partly because it directly affects my clients. And the first thing I've noticed is that most small business owners don't even know it's already in force.

The first set of bans, together with the AI literacy obligation, came into effect in February 2025. The obligations for providers of general-purpose AI models, the models behind the tools most of us use every day, such as Claude, ChatGPT, Gemini and Copilot, became applicable in August 2025.

Most of the remaining obligations, including the rules for high-risk systems, apply from August 2026, with a few product-related high-risk rules following in August 2027.

And before you say this doesn't apply to you because you're based in the UK or Switzerland... it does. If you are doing business with EU clients, selling to EU customers, or the output of your AI systems is used in the EU, this applies to you.

I know. Not what you wanted to read on a Saturday morning, sorry!

So what does it actually mean for you?

The Act sorts AI uses into four risk categories:

Prohibited

This is the banned category. These are AI uses that are illegal in the EU, full stop.

Examples: emotion recognition in workplaces and schools, social scoring systems, and manipulative or subliminal techniques that distort people's behaviour without their knowledge.

If you're running a standard small business, you're almost certainly not here. But it's worth knowing what's off limits.

High-risk

This is where things get more serious. This is AI being used to make decisions that affect people's rights or livelihoods.

A recruitment tool that screens CVs automatically. A fintech platform assessing creditworthiness. AI used in healthcare, in education, or in the justice system.

If you're using AI to hire, lend, assess, or score people in any meaningful way, this category likely applies to you, and it comes with real documentation, human oversight, and compliance obligations.

Limited-risk

This covers most customer-facing AI. If you have a chatbot on your website, use a notetaker on your calls, or use AI to generate marketing content or images, you sit here.

The main obligation is transparency: people need to know when they're interacting with AI, and AI-generated or manipulated images, audio and video need to be labelled as such. Not complicated, but it needs to be done.

Minimal-risk

This is where the majority of small businesses sit.

Using ChatGPT to draft emails. Canva AI for social graphics. Grammarly. Notion AI. The AI features baked into the tools you already use.

No major legal obligations under the Act, though GDPR still applies as it always has.

Good news: most of you reading this are probably here. Bad news: it still comes with homework.

The Act doesn't prescribe paperwork at this level, but the AI literacy duty (more on that below) applies to everyone, and you should still document what you're using and why, and have an internal AI policy and a basic governance structure. That is what lets you show where you stand if anyone asks, and it is what you will need anyway if one of your uses turns out to be higher risk than you thought.

Are you a provider or a deployer?

Another important distinction is between providers and deployers.

A provider develops an AI system (or has one developed) and puts it on the market under its own name.

A deployer, which is what most businesses are, uses an AI system in the course of its business.

And deployers are still subject to the law. Even if you're simply using a third-party tool, you have obligations around how you use it, what you communicate to customers, and how you document it. The obligations scale with the risk category. One caveat worth knowing: if you put your own name or brand on a high-risk system, or substantially modify one, you can become the provider of it, with the heavier obligations that come with that.

A few things most businesses miss

First, do you actually know what AI your team is using?

Shadow AI, employees using their own tools without telling you, is more common than most business owners realise (I can guarantee that many of your employees are already using their own AI accounts for work, and not the secure ones). And if something goes wrong, you are responsible, regardless of whether you approved it or not.

Then there are your vendors and suppliers.

If you're outsourcing work, you need to know whether the people doing that work are using AI, how, and whether they're doing so responsibly.

Your contracts with clients and suppliers need to reflect this too. AI use should be acknowledged, and responsibilities should be clearly assigned.

There is one more obligation that most businesses have completely overlooked: the EU AI Act requires both providers and deployers to take measures to ensure their staff have a sufficient level of AI literacy. That means the people in your business who work with AI tools need to understand what they are using, how it works, and what the risks are.

This is not optional, and it has applied since February 2025. What counts as sufficient depends on the roles involved and the context, but the obligation is real. And if you are not sure where your team stands, that is exactly what I can help you with.

And across all of this, regardless of which risk category you sit in, you need governance.

A basic internal policy. Clear rules on who can use which tools and for what purpose. Documentation of your AI use that you can point to if you're ever asked.

AI regulation is moving fast. The rules that apply today are not necessarily the rules that will apply in two years.

The businesses that are already documenting their AI use and already know who in their team is using what and for what purpose will be in a much stronger position when the goalposts shift.

Getting ahead of it now will cost far less than catching up later.

What will happen if you don't do it?

Now for the number that tends to get people's attention: violations of the prohibited practices can be fined up to €35 million or 7% of global annual turnover, whichever is higher. Most other breaches of the Act carry a lower cap of up to €15 million or 3%.

For SMEs and start-ups, the cap is whichever of the two figures is lower.

It's not a reason to panic, but it is a reason to take 20 minutes and actually check where you stand.

This is the AI version of GDPR, and if you remember the scramble businesses went through to get compliant with that, you'll know exactly why starting early matters.

Don't wait! 😉


Once you know where you stand, the next step is building your own compliance roadmap. What you need to do, in what order, by when, and who is responsible for what. That is where most businesses get stuck and where I can help.

Book a free consultation and let's chat!


THE ACTION STEP

Do an AI inventory today. It takes less than 20 minutes, and it's the single most important first step.

Open a document and work through these four questions:

What AI tools is my business currently using?

List everything, including tools you use personally for work and AI features built into platforms you already subscribe to. Ask your team too: the tools you don't know about are the ones that will catch you out.

What am I using each one for?

Be specific.

Am I a provider or a deployer?

In most cases, if you're a small business using tools built by someone else, you're a deployer.

Are any of my uses potentially high-risk?

Think about whether AI is involved in decisions that affect people. Hiring, lending, health, legal, anything in that territory.

That list is your starting point. It's not compliance, but it's the foundation without which you can't build anything.

A resource worth bookmarking: the European Commission's official AI Act page: digital-strategy.ec.europa.eu


Have you just signed up? See all previous newsletters here.


AI MADE SIMPLE

To make this easier, I've put together a free guide you can download right now. It has three parts:

  • A full breakdown of all four risk categories with real business examples
  • A seven-question self-assessment to help you work out where your business sits
  • A prioritised action checklist so you know exactly what to tackle first.

Find your EU AI Act Small Business Guide here

Once you've done your inventory, you can also use AI itself to help you understand your exposure. Paste your list of tools and uses into Claude or ChatGPT with this prompt:

"I'm a small business owner based in the EU. Here are the AI tools I use and what I use them for: [paste your list]. Based on the EU AI Act's risk categories, help me understand which of these uses might fall into high-risk, limited-risk, or minimal-risk categories, and what that might mean for me as a deployer."

You'll get a useful starting point in seconds. It won't replace a proper review, but it will help you understand the shape of the problem.

And if what comes back raises more questions than it answers, that's a sign you need a proper conversation, and you know where to find me. 😉

That's all for today, Reader.

Have a great weekend!👋🏼

Take Care

Maria

PS: If you want to explore what working together looks like, book a free call

PPS: If you enjoy these emails and want to do something nice, you can buy me a coffee 😉

Ask Maria Kelly

Hi, I'm Maria 👋 Irish-Swiss business strategist and AI integration specialist, based in Barcelona. I spent over twenty years at Sotheby's, leading global teams across New York, London, and Geneva. Now I share what I learned on strategy, AI, and how to make better decisions faster so you don't have to figure it all out alone. Twice a month, straight to your inbox. Written for people who have no time to waste.
