Artificial intelligence is already part of the day-to-day operations of many businesses.

Self-employed professionals, retailers, professional firms and small and medium-sized enterprises use tools such as ChatGPT, Microsoft Copilot and other AI systems to draft documents, respond to enquiries, prepare marketing campaigns, analyse information and improve internal processes.

Using these tools is not, in itself, unlawful.

However, the professional use of artificial intelligence is not free from legal obligations. The European Union Artificial Intelligence Act establishes a system of responsibilities and penalties that may also apply to self-employed professionals and SMEs.

The key question is not simply whether a business uses artificial intelligence. It is how the technology is used, for what purpose and what consequences it may have for clients, employees, job applicants or consumers.

Can an SME be fined for using artificial intelligence?

Yes.

A self-employed professional or an SME may fall within the scope of the EU AI Act when using an AI system as part of its professional or commercial activity.

The Regulation uses the term “deployer” to describe a natural or legal person who uses an AI system under their authority, except where the system is used in the course of a personal, non-professional activity.

This means that a business does not need to have developed its own artificial intelligence system in order to assume legal responsibilities.

It may be sufficient for the business to use an AI tool to make decisions, screen job applicants, assess employees, classify customers, generate content or provide services.

Not all uses of artificial intelligence, however, carry the same level of risk.

The EU AI Act follows a risk-based approach. The most demanding obligations apply to prohibited AI practices and systems classified as high-risk.

When does the EU AI Act apply?

The Regulation is being introduced progressively.

The general provisions and prohibitions relating to certain AI practices began to apply on 2 February 2025.

The rules concerning penalties began to apply on 2 August 2025.

Most of the Regulation will become fully applicable from 2 August 2026, although some specific provisions are subject to different implementation dates.

Businesses should therefore not wait until the last moment to review how artificial intelligence is being used within their organisations.

What fines does the EU AI Act establish?

The Regulation provides for three principal levels of administrative fines.

1. Prohibited AI practices

Breaching the prohibition on certain artificial intelligence practices may lead to fines of up to:

€35 million or 7% of the company’s total worldwide annual turnover.

Prohibited practices include, in certain circumstances, AI systems that manipulate human behaviour, exploit people’s vulnerabilities, carry out certain forms of social scoring or use prohibited biometric technologies.

2. Breaches of other obligations under the Regulation

Failure to comply with other obligations applicable to providers, deployers, importers, distributors or notified bodies may lead to fines of up to:

€15 million or 3% of total worldwide annual turnover.

This category may include breaches connected with high-risk AI systems, transparency, documentation, human oversight or cooperation with the competent authorities.

3. Providing incorrect, incomplete or misleading information

Providing incorrect, incomplete or misleading information to the relevant authorities or notified bodies may lead to fines of up to:

€7.5 million or 1.5% of total worldwide annual turnover.

Do the same maximum amounts apply to SMEs?

The Regulation expressly takes account of the position of small and medium-sized enterprises, including start-ups.

Where the infringing business is an SME, the maximum fine in each category is the lower of:

• the fixed monetary amount established in the Regulation; or
• the relevant percentage of the business’s annual turnover.

For example, if a small business has an annual turnover of €500,000, the percentage-based maximums would be:

• up to €35,000 for a prohibited AI practice: 7%;
• up to €15,000 for other infringements: 3%;
• up to €7,500 for providing incorrect, incomplete or misleading information: 1.5%.

This does not mean that these amounts will automatically be imposed.

The competent authority must consider the circumstances of the individual case and ensure that any penalty is effective, proportionate and dissuasive.

Relevant factors may include:

• the nature and seriousness of the infringement;
• its duration;
• the number of people affected;
• the damage caused;
• whether the conduct was intentional or negligent;
• the measures taken to correct the infringement;
• the level of cooperation with the authorities;
• any previous infringements;
• and the financial capacity of the business.

Can the use of ChatGPT lead to a fine?

Using ChatGPT, Copilot or another generative AI tool does not, by itself, constitute an infringement.

The legal risk arises when a business uses artificial intelligence without appropriate safeguards or for purposes that may affect the rights of other people.

Examples may include:

• entering clients’ personal data or confidential information into an AI system without first assessing the risks;
• using AI to select or reject job applicants without sufficient human oversight;
• assessing employee performance or behaviour through automated systems;
• publishing AI-generated or manipulated images, videos or audio without complying with applicable transparency obligations;
• making significant decisions solely on the basis of AI-generated output;
• using tools that produce discriminatory or biased results;
• or allowing staff to use AI systems without training or internal guidance.

Other legislation may also apply alongside the EU AI Act, including the General Data Protection Regulation, employment law, consumer protection law, intellectual property law and professional duties of confidentiality.

AI literacy is also a legal obligation

The EU AI Act requires providers and deployers of AI systems to take measures to ensure that the people using those systems on their behalf have a sufficient level of AI literacy.

This does not necessarily mean turning every member of staff into a technical expert.

It means ensuring that employees understand, according to their roles:

• which AI tools they are permitted to use;
• what information they must not enter;
• the limitations of the system;
• when AI-generated output must be reviewed;
• what risks may arise;
• and when human intervention is required.

Allowing employees to use AI without any training, policy or supervision may expose a business to unnecessary legal and operational risks.

What should an SME do now?

The first step is not to prohibit artificial intelligence.

It is to understand how AI is actually being used within the organisation.

Many businesses believe that they do not use AI in any significant way, while their employees may already be using it to summarise documents, draft emails, review CVs, prepare quotations, generate images or respond to client enquiries.

An initial review should include the following measures.

1. Identify the AI tools being used

The business should know which artificial intelligence systems are used by its employees, collaborators and external service providers.

2. Determine how they are being used

Using AI to improve the wording of a document does not create the same level of risk as using it to select employees or decide whether a customer should receive a service.

3. Assess the level of risk

The business should determine whether the system falls within a prohibited practice, a high-risk system, a system subject to transparency duties or a lower-risk use.

4. Review the information entered into the system

It is important to determine whether employees are entering personal data, confidential information, trade secrets or client documents into AI tools.

5. Establish human oversight

AI-generated outputs should not be accepted automatically, particularly where they may have legal, financial or personal consequences.

6. Train employees

Staff should receive clear and proportionate guidance on the authorised use of artificial intelligence.

7. Adopt an internal AI policy

An internal policy can establish which tools are authorised, for which purposes they may be used and which safeguards must be followed.

Compliance without preventing innovation

The EU Artificial Intelligence Act is not intended to prevent businesses from using this technology.

Its purpose is to promote artificial intelligence that is safe, transparent and respectful of fundamental rights.

For self-employed professionals and SMEs, compliance does not have to become a disproportionate burden. The measures adopted should reflect the size of the business, the nature of its activity and the actual risks created by the AI systems it uses.

However, ignoring the legislation or assuming that a practice must be acceptable because “everyone is using AI” may lead to legal, reputational and financial consequences.

The best form of prevention is to review current AI use, identify the risks and establish clear internal rules before a problem arises.

How can Bennet & Rey help?

Bennet & Rey offers a legal AI compliance assessment and internal policy service for SMEs and professional firms.

The service may include:

• identifying the AI tools currently used within the business;
• analysing their purposes and legal risks;
• reviewing the use of personal data and confidential information;
• classifying AI systems according to their level of risk;
• preparing an internal AI use policy;
• establishing human oversight procedures;
• drafting clauses for employees, collaborators and suppliers;
• and recommending appropriate AI literacy and training measures.

The objective is not to prevent a business from using artificial intelligence, but to help it use AI safely, proportionately and in a way that reflects its actual activities.

Every organisation uses artificial intelligence differently. The first step should therefore be an individual assessment to determine which measures are genuinely necessary.

Does your business use artificial intelligence, and are you unsure whether it complies with the new rules?

Contact Bennet & Rey to request an AI compliance assessment.