EU AI Act fines for SMEs: what Spanish companies should understand

The EU AI Act includes significant penalties, but SMEs should not read the regulation as a reason to freeze every AI initiative. The useful response is to understand risk, avoid prohibited practices, train staff, document use cases, and choose tools with governance in mind.

What the fines are trying to prevent

The most severe penalties are aimed at prohibited AI practices and serious non-compliance. For most SMEs, the more relevant risk is not building a banned system from scratch. It is using AI without knowing where data goes, who is responsible, or whether employees understand the tool's limits.

Practical risk areas

SMEs should review AI use in:

• HR and hiring.
• Customer support.
• Credit, eligibility, or scoring workflows.
• Healthcare or safety-sensitive contexts.
• Tools processing personal data.
• Chatbots that interact with customers.
• Internal assistants connected to confidential documents.

The more sensitive the use case, the more structure is needed.

What reduces risk

Useful first steps include:

• Keep a list of approved AI tools.
• Train employees on safe AI use.
• Avoid uploading sensitive data to unapproved tools.
• Keep humans in control of important decisions.
• Document use cases and data categories.
• Prefer systems with permissions, source citations, and admin controls.

The practical conclusion

The EU AI Act should push SMEs toward disciplined AI adoption, not paralysis. Companies that know which tools they use, train their people, and control access to data will be in a better position than companies relying on informal experimentation.

Polp helps with one part of that structure: permission-aware internal knowledge, cited answers, and visibility into what the assistant can and cannot answer.

Sources:

• EU AI Act Article 99
• EU AI Act impact on SMEs - Sector3
• EU AI Act updates - LegalNodes