Small Mid-Cap Enterprises Get SME Treatment Under the Amended EU AI Act
Buried inside the March 2026 vote that delayed the high-risk deadline to December 2027 is a structural change few headlines covered. The EU AI Act now recognises a new size category. Companies up to 750 employees and €150 million in turnover — well above the EU’s standard SME ceiling — get most of the same compliance breaks that small businesses already received.
If your organisation crossed the 250-employee threshold and braced for the full-fat regime, the amendments give you something genuinely useful.
The new category: small mid-cap enterprises
“Small mid-cap enterprise” (SMC) is not a phrase the AI Act invented. It comes from Commission Recommendation 2025/3500/EC of 21 May 2025, part of the broader EU competitiveness agenda following the Draghi report. The thresholds are:
- Fewer than 750 employees, and
- Annual turnover ≤ €150 million or balance sheet total ≤ €129 million
For comparison, here is how that sits alongside the existing EU size definitions:
| Category | Employees | Turnover or balance sheet |
|---|---|---|
| Micro | < 10 | ≤ €2M |
| Small | < 50 | ≤ €10M |
| Medium | < 250 | ≤ €50M turnover / ≤ €43M balance sheet |
| Small mid-cap (new) | < 750 | ≤ €150M turnover / ≤ €129M balance sheet |
| Large | ≥ 750 or above thresholds | — |
The gap between “medium” and “large” used to be a cliff. A company with 251 employees was suddenly subject to the same regulatory regime as Microsoft. SMCs sit in that gap, with proportionate treatment that recognises the difference between a 400-person scale-up and a 40,000-person multinational.
What the Parliament’s vote extends to SMCs
Two flexibility measures are clearly extended in the Parliament’s adopted text:
Capped enforcement penalties
Under Article 99, AI Act fines are calculated as the higher of a flat amount or a percentage of global turnover — except for SMEs and start-ups, which under Article 99(6) pay the lower of the two. The amendments extend that SME-style cap to SMCs.
In practice, that converts the worst-case penalty from “whichever is higher, up to 7% of global turnover” to “whichever is lower, up to €35 million.” For an SMC at the upper end of the threshold (€150M turnover), a 7% turnover fine for a prohibited-practice breach would be €10.5M; the lower-of rule pulls the worst case down materially in many scenarios. See how AI Act fines are calculated for the full tier breakdown.
Simplified technical documentation
SMC providers of high-risk AI systems may submit Article 11 / Annex IV technical documentation in a simplified form, using Commission-published templates. This is the same concession previously available only to micro and small enterprises.
The substantive content of the documentation — risk management, data governance, accuracy, robustness, cybersecurity — is unchanged. It is the form, not the fact, of compliance that simplifies. A 600-person scale-up still has to do the work; it just gets to record it on a leaner template.
What hasn’t been clarified
Several other SME-specific measures sit ambiguously in the amended text:
- Priority sandbox access under Articles 57–58 currently names SMEs explicitly. Whether SMCs get equivalent priority is not yet pinned down in the Parliament’s position.
- Proportional assessment fees under Article 62 reference the “size” of the provider; in principle that argument extends to SMCs, but the operative recitals still name SMEs.
- SME-tailored training and dedicated communication channels at the Member State level may or may not be extended in practice — that depends on national implementation.
If your organisation falls in the SMC band, do not assume every SME concession applies. Capped penalties and simplified documentation are the two we can be confident about; the rest will need to be confirmed in the final trilogue text and in national authority guidance.
What hasn’t changed
Compliance flexibility is not exemption. SMCs that build or deploy high-risk AI systems still need to meet:
- Article 9 risk management across the system lifecycle
- Article 10 data governance
- Article 12 event logging, built into the system rather than bolted on
- Article 14 human oversight
- Article 15 accuracy, robustness, and cybersecurity
- Article 26 deployer obligations
- Article 27 fundamental rights impact assessment, where applicable
- Article 73 serious incident reporting
The substantive engineering and governance work is the same regardless of company size. What the SMC carve-out changes is the cost of getting it wrong and the paperwork burden of documenting that you got it right.
Why this matters for scale-ups
The previous regime had a perverse effect on European scale-ups. A startup at 240 employees building a high-risk AI hiring tool got proportional fees, simplified documentation, and capped penalties. The same company six months later, having grown past 250 employees, suddenly faced the full regime — often at exactly the moment its compliance team was already stretched thin by hiring.
The Draghi report flagged this pattern across several regulations: EU rules creating a structural disincentive to grow past the SME threshold inside Europe. Extending SME flexibility up to 750 employees is a direct response, and it aligns the AI Act with similar SMC carve-outs being pushed through the Commission’s broader simplification omnibus.
For UK and US scale-ups expanding into Europe, the practical consequence is that the compliance escalation curve flattens. You can pass 250 employees without immediately re-engineering your AI Act compliance posture.
This is not yet law
The Parliament’s vote on 26 March 2026 is one step. The Council adopted its own position on 13 March 2026, and the two institutions are now in trilogue. The SMC extension is one of the items being reconciled; the Council’s text aligns broadly but differs in detail on adjacent provisions (notably the interaction with sectoral safety legislation).
Until the trilogue concludes and the amended Regulation is published in the Official Journal, the AI Act as in force still uses the standard SME definition from Commission Recommendation 2003/361/EC and contains no SMC category. Plan against the amended text, but do not yet rely on it for binding compliance positions or external commitments.
Practical next steps
- Confirm your size classification. Run the SMC test (employees, turnover, balance sheet) against your latest accounts. If you fall inside the SMC band, flag it in your compliance plan and risk register.
- Re-baseline your penalty exposure. If your risk register sized worst-case AI Act fines as a percentage of global turnover, the SMC cap may materially reduce that exposure — useful context for board reporting and any disclosures.
- Review your technical documentation plan. If you are a high-risk provider, watch for the Commission’s simplified-form templates. They have not been published yet but are due before the December 2027 application date.
- Don’t slow down. The amendments delay the deadline and ease the form, not the substance. The work that was hard in March is still hard now.
The SMC extension is genuine good news for European AI scale-ups. It is not, on its own, a reason to defer compliance work — only a reason to scope it more proportionately.
This article is part of the ComplyDrive EU AI Act Knowledge Base.