The EU AI Act in Plain Language: What Luxembourg SMEs Actually Need to Know
Compliance4 min read

The EU AI Act in Plain Language: What Luxembourg SMEs Actually Need to Know

Most small business AI use cases fall in the minimal-risk band. Here is what the EU AI Act risk tiers mean in practice, what to document, and why your hosting choice matters.

The EU AI Act is now in force, and the official text reads like it was designed to be unread. This is not legal advice. It is orientation: what risk tier you are likely in, what to document, and why your hosting choice matters.

The Risk Tiers, Simply

The Act organizes AI systems into four risk bands. The higher the band, the heavier the obligations.

  • Unacceptable risk: banned entirely. Real-time facial recognition in public spaces, social scoring, subliminal manipulation. Luxembourg SMEs are not building these.
  • High risk: AI used in hiring decisions, credit scoring, medical diagnosis, critical infrastructure, law enforcement. Significant documentation and conformity assessment apply. Some SMEs touch this band if they use AI to screen job applicants or assess creditworthiness.
  • Limited risk: transparency obligations, mainly. If your AI interacts with customers (a chatbot, a WhatsApp assistant), you must disclose that users are talking to a system, not a person.
  • Minimal risk: everything else. Spam filters, AI-assisted drafting, document summarization, internal report generation, scheduling automation. No obligations beyond normal GDPR compliance.

Most SME use cases sit in the minimal or limited band. Drafting an email, summarizing a PDF, automating an invoice workflow: none of these trigger high-risk obligations.

What You Should Document Anyway

Even at minimal risk, light documentation is worth doing. Not because the regulation demands it, but because it forces clarity and protects you if a question ever arises.

Write down, in plain language: what the system does, what data it processes, who reviews its outputs before they affect a decision, and how you would correct a mistake. One internal document is enough. You do not need a compliance department. You need a clear description of reality.

The firms that will struggle with AI regulation are not the ones who built something complex. They are the ones who could not explain what they built or where the data went.

If you run a customer-facing chatbot, add one more item: confirm that your interface or terms of service make clear the user is talking to an automated system. That covers the transparency obligation for limited risk.

Why Hosting and Data Handling Matter

EU-hosted infrastructure is not a marketing point. When your data stays on EU servers and never routes through a third-country provider without adequate safeguards, your GDPR exposure shrinks and your AI Act compliance story becomes cleaner. You can point to where the data lives, who has access, and under what legal basis it is processed.

If your AI workflow sends client data to a US-based API without a Data Processing Agreement and a valid transfer mechanism, you have a problem that predates the AI Act. The Act just adds another layer on top of an already shaky foundation.

At Focus AI, every system we build runs on EU infrastructure, uses self-hosted databases where data residency matters, and is handed off with documentation the client can actually use. Not to tick a box, but because that is what it takes for the system to survive in a regulated environment.

The Practical Takeaway

If you are automating internal workflows, summarizing documents, or running a customer-facing assistant, you are almost certainly in the minimal or limited band. Document it simply, disclose the bot where required, keep data in the EU. That is the checklist for most Luxembourg SMEs. Do not build high-risk applications without proper legal counsel.

[ related ]

More from the blog

Engineering deep-dives, product notes, and what we learn shipping AI.

View all posts