EU AI Act Compliance for Belgian SMEs: What You Actually Need to Do

A practical guide to the EU AI Act for Belgian small and medium businesses. Risk categories, compliance checklist, key deadlines, and how to prepare without overcomplicating things.

The EU AI Act is already in force and enforcement deadlines are approaching fast. If you’re a Belgian SME using AI for customer support, email automation, or internal workflows, you need to know where you stand. The good news: most small business AI use cases fall into low-risk categories.

This post gives you a plain-language walkthrough of the regulation, a practical compliance checklist, and specific resources for Belgian companies. We build AI-powered automation for SMEs every day at Flowful, and we design our systems with compliance in mind from day one. Here’s what we’ve learned.

Disclaimer. Flowful builds AI automation; we are not lawyers or compliance consultants. This post shares what we learned compiling our own AI Act posture, so SMEs can ask informed questions of their legal counsel. The AI Act landscape is still moving (Digital Omnibus deal pending). Verify with a specialist before acting on any specific obligation.

[Figure: EU AI Act risk classification pyramid, marked "Most Small Businesses". Tiers from bottom to top: Minimal risk (email automation, spam filters, workflow tools, doc processing, recommendations, forecasting): no specific obligations; documentation and monitoring as good practice; AI literacy (Art. 4) still applies to staff. Limited risk (customer chatbots, voice agents, AI-generated content, deepfakes): transparency under Article 50; disclose AI use, offer a route to a human, label deepfakes and public-interest text. High risk (hiring, credit, insurance, education, biometrics): full compliance; Annex III obligations by 2 Dec 2027; conformity assessment and EU registration. Unacceptable, banned (social scoring, emotion AI at work, untargeted face scraping): in force since 2 Feb 2025.]

What Is the EU AI Act?

The EU AI Act (Regulation 2024/1689) is the world’s first comprehensive AI law. It was published in the Official Journal on 12 July 2024 and has been in force since 1 August 2024. It classifies AI systems by risk: the higher the risk, the stricter the rules. The full Commission policy page is here.

Key dates, including the postponements agreed in the Digital Omnibus on AI (political deal of 7 May 2026, pending formal Council and Parliament adoption):

  • 2 Feb 2025: Prohibited practices banned. AI literacy (Article 4) applies.
  • 2 Aug 2025: GPAI rules take effect. Code of Practice published 10 July 2025.
  • 2 Aug 2026: Governance, penalties, GPAI enforcement and AI literacy enforcement all kick in.
  • 2 Dec 2027 (new): Annex III high-risk obligations apply (postponed from August 2026).
  • 2 Aug 2028 (new): Annex I high-risk obligations apply (postponed from August 2027).

For Belgian SMEs, the immediately relevant dates are February 2025 (verify you are not running any prohibited practice) and August 2026 (literacy enforcement and the penalty regime). High-risk obligations now land late 2027, but do not wait.


The Four Risk Categories

The AI Act sorts systems into four tiers, shown in the pyramid above. The higher up, the stricter the rules. Below, what each tier means for an SME.

Unacceptable Risk (Banned)

Social scoring, subliminal manipulation, real-time biometric identification in public spaces (with narrow law-enforcement exceptions), emotion recognition at work or school, untargeted facial-image scraping. For SMEs: very unlikely you are doing any of this. But verify any tool that claims emotion detection, trustworthiness scoring or facial recognition, and get legal advice if it does.

High Risk (Heavy Obligations)

Listed in Annex III: HR/recruitment screening, credit scoring, life or health insurance risk and pricing, education access, essential public services, law enforcement, migration, non-real-time biometrics. Plus AI safety components in regulated products under Annex I (medical devices, vehicles, machinery). For SMEs: if you screen job applicants, assess loan eligibility, or take consequential decisions about individuals, you are likely here. Chapter III obligations (risk management, data governance, technical docs, human oversight, conformity assessment, EU database registration) apply by 2 Dec 2027 for Annex III and 2 Aug 2028 for Annex I.

Limited Risk (Transparency Obligations)

Customer-facing chatbots, virtual assistants, deepfakes and certain AI-generated text on matters of public interest, plus emotion recognition or biometric categorisation where not banned. For SMEs: disclose to users that they are talking to AI, and label deepfakes or AI-generated text published to inform the public. Article 50 obligation, straightforward to implement.

Minimal Risk (No Specific Obligations)

Spam filters, AI-assisted email drafting, workflow automation, product recommendations, inventory forecasting, document classification, AI-assisted translation. For SMEs: almost everything you use daily. No mandatory steps. Document what you run and why.

A Separate Track: General-Purpose AI (ChatGPT, Claude, Gemini)

General-purpose AI models (GPAI) sit alongside the four risk tiers under their own regime, applicable since 2 August 2025. Providers of these models must publish a summary of training data, respect EU copyright (notably the Article 4(3) text-and-data-mining opt-out), and supply technical documentation to downstream users. The largest models (above 10²⁵ FLOPs of training compute) face additional systemic-risk obligations. For SME deployers using ChatGPT, Claude or Gemini in a workflow: the practical impact is light. Keep using them, apply the Article 50 transparency rules (label AI-generated content, disclose AI to users), and record which model handles what in your AI inventory.


What This Means for Belgian SMEs

If you use AI chatbots for support, email automation, workflow tools or document processing, your use cases are almost certainly minimal or limited risk. You are probably fine. But “probably” is not a strategy. Four reasons to still pay attention:

  1. You might be high-risk without realising it. HR screening CVs, sales scoring leads feeding into credit decisions, anything consequential about individuals: the classification depends on the use case, not the technology.

  2. Provider or deployer, the role decides the obligations. The AI Act splits responsibility between providers (who develop or place an AI system on the market) and deployers (who use it under their own authority in a professional context). Most SMEs are deployers, sometimes both at once. Providers carry the bulk of high-risk and GPAI obligations; deployers must follow the provider’s instructions for use, monitor operation, keep logs, and in high-risk contexts run a fundamental-rights impact assessment under Article 27. Deploy a general-purpose tool in a high-risk context and the burden lands on you.

  3. Belgian enforcement is coming. BIPT is the main market surveillance authority, SPF Economie coordinates implementation, and the CSA is one of twenty-one Article 77 fundamental-rights bodies (audiovisual media in the French-speaking community). Belgium missed the August 2025 governance deadline; enforcement starts 2 August 2026. Fines under Article 99: up to 35M EUR or 7% of global turnover (prohibited), 15M / 3% (high-risk), 7.5M / 1% (false information). SMEs and start-ups pay the lower of the two figures, still significant.

  4. Clients will start asking. B2B buyers, especially larger companies and public sector, will ask about your AI compliance posture. Being prepared is an edge.


A Practical Compliance Checklist

Seven steps you can start today. These are baseline good practices we follow ourselves, not a substitute for a formal conformity assessment. No law firm on retainer required.

  1. Inventory your AI systems. List every tool you run, including third-party SaaS. Note what it does, what data it processes, who is affected, and who provides it. You cannot assess risk on what you do not know.
  2. Classify each system. Three questions: does it influence consequential decisions about people, does it interact with users who may not know they are dealing with AI, can it manipulate or exploit vulnerabilities? Three “no” answers put you in minimal or limited risk. With even one “yes”, check Annex III and dig deeper.
  3. Implement transparency. Disclose AI to users (chatbots, voice agents). Label deepfakes and AI-generated text published to inform the public. Offer a route to a human. Article 50 obligation for limited-risk systems. Illustrative or marketing visuals do not need labelling.
  4. Keep humans in the loop. Review AI output before it is sent or used for decisions. Build escalation paths. Let employees override. Mandatory and technical for high-risk; good practice everywhere else. For the engineering side of making AI outputs trustworthy enough to act on, see our note on building reliable AI systems.
  5. Document everything. Inventory, risk classification, justification, transparency and oversight measures, incidents, GDPR data-processing records. Documentation is the backbone of compliance. The Future of Life Institute compliance checker is a useful free starting point.
  6. Review vendor contracts. Does the provider classify their system’s risk level? Do they provide the AI Act technical documentation? Who owns the conformity assessment? What happens to your data? Where is it processed? A vendor that cannot answer is a red flag.
  7. Train your team. The Article 4 AI literacy obligation has applied since 2 Feb 2025. Staff must understand what AI they use, how it works at a basic level, its limits, and your internal policy. PhD-level not required.

GDPR and the EU AI Act Work Together

If you are already GDPR-compliant, most of the analytical work maps over: DPIAs ≈ AI Act risk assessments. Data minimisation and purpose limitation ≈ AI Act data governance. Article 22 ≈ AI Act transparency obligations. GDPR right to human intervention ≈ AI Act human oversight.

Where the AI Act goes further: technical standards on the system itself (accuracy, robustness, cybersecurity, technical documentation). GDPR governs data; the AI Act governs the system. Do not run two parallel projects. Integrate AI Act work into your existing GDPR framework, same team, same docs.


How Flowful Approaches AI Compliance

At Flowful, we build web and internal chatbots, AI phone receptionists, and email automation for SMEs in Belgium and France (an AI-first helpdesk, TicketFlow, and AI-ready booking, Flowcal, are shipping next). We design our systems with compliance in mind from day one. We are not a law firm. What follows describes how we build, not legal advice.

  • EU-first hosting. Workflow infrastructure runs on Hetzner (Germany). AI inference, voice, and transactional email route through a small set of carefully selected sub-processors under DPAs with appropriate transfer safeguards (SCCs or technical controls such as no-training, no-retention). On request, we restrict processing to EU-only providers or run open-source models on dedicated infrastructure. The current sub-processor list is in our DPA.
  • No training on your data. Every sub-processor is configured to disable training on customer data; per-vendor settings are documented in our DPA.
  • Human-in-the-loop where it matters. Email Automation can be configured with human approval before sending, and we recommend it for outbound or higher-stakes flows. Voice agents escalate to a person when out of scope.
  • AI Act tier by package. Our Web Chatbot, AI Phone Receptionist and Internal Chatbot sit in Limited Risk: each conversation opens with a clear AI disclosure and offers a route to a human, which is what Article 50 actually asks for. Our Email Automation sits in Minimal Risk. We can add human approval before sending depending on the use case. We do not build Annex III high-risk systems (hiring, credit scoring, insurance pricing, education access) without a formal compliance plan.
  • DPA available on request. Covers GDPR and AI-specific obligations including the no-training clause and the sub-processor list. Get in touch.

Belgian-Specific Resources

Regulatory and Government

  • BIPT (IBPT): Belgium’s main market surveillance authority for the AI Act. This is where enforcement will happen for most providers and deployers, including a single point of contact for high-risk system operators.
  • SPF Economie (FPS Economy): Coordinates Belgium’s implementation of the AI Act. The dedicated AI Act section has guidance for entrepreneurs, plus an SME-oriented campaign and a downloadable guide.
  • Data Protection Authority (APD/GBA): Belgium’s GDPR supervisor. As AI compliance and data protection overlap significantly, the APD remains relevant for AI-related data processing questions.
  • AI4Belgium Coalition: A multi-stakeholder initiative that published Belgium’s AI strategy. Their resources include practical guidelines and sectoral recommendations.

Regional Innovation Support

  • Innoviris (Brussels): Brussels’ innovation funding body. Offers AI-specific vouchers and funding programs. If you’re a Brussels-based SME exploring AI, they can help fund a compliant implementation from the start.
  • Digital Wallonia (Wallonia): Wallonia’s digital strategy hub. Runs the Start IA and Tremplin IA programs, and publishes practical AI adoption guides.
  • VLAIO (Flanders): Flanders’ innovation and entrepreneurship agency. Offers R&D grants and SME support programs applicable to AI projects.

Practical Tools

We’ve also published a guide to funding AI projects in Belgium, which covers subsidies and grants that can help offset the cost of building AI solutions that are compliant from the start.


What to Do Next

A realistic timeline for a Belgian SME:

  • Now: inventory, verify no prohibited practice, start AI literacy training, review vendor contracts.
  • By June 2026: finish risk classification, start high-risk remediation if applicable, update GDPR docs, so you’re ready when literacy enforcement and the penalty regime kick in on 2 August 2026.
  • Ongoing: monitor delegated acts, implementing acts, and Belgian guidance. Keep documentation current.

For most Belgian SMEs running standard business automation, the workload is manageable. Start now, classify honestly, build the documentation habit.

This post is a primer, not a compliance assessment. For a formal conformity check, work with a legal or compliance specialist. If you are planning AI-powered automation and want it built with these obligations baked in from day one, get in touch.
