
5 Things Most European SMBs Don't Know About Their Compliance Obligations

2026-03-06 · 4 min read

If you run a small or medium-sized business in Europe, compliance probably isn't your full-time job. You're building products, hiring people, and closing deals. Regulations are something you deal with when you have to.

The problem is that "when you have to" is often after something goes wrong.

Here are five compliance obligations that consistently surprise European SMBs — and what each one actually means for your business.

1. GDPR Has No SMB Exemption

This is the most common misconception. GDPR applies to every organisation that processes personal data of EU residents, regardless of size. There is no threshold — no "under 50 employees, you're fine" carve-out.

What does exist is a limited exemption from certain record-keeping requirements for companies with fewer than 250 employees. But the core obligations — lawful basis for processing, data subject rights, breach notification, data processing agreements — apply to everyone.

If you collect customer emails, store employee records, or use analytics on your website, GDPR applies to you.

2. Using ChatGPT at Work Triggers the EU AI Act

The EU AI Act enters full enforcement for high-risk AI systems on August 2, 2026. Most SMBs assume this only affects companies that build AI products. It doesn't.

If your team uses AI tools — ChatGPT, Copilot, automated screening tools, recommendation engines — in ways that affect decisions about people, you have obligations as a "deployer" under the AI Act. This includes:

  • Using AI to screen job applications
  • Automated customer service that makes recommendations
  • AI-assisted credit or eligibility decisions
  • Content generation for EU audiences

The key phrase is "decisions that affect people." If AI outputs influence those decisions, transparency and documentation obligations apply — even if you didn't build the AI system.

3. Your Cloud Provider Is Your Regulatory Problem

Under GDPR, you're the data controller. Your cloud provider, CRM, email platform, and analytics tool are data processors — and you need a Data Processing Agreement (DPA) with each one.

This isn't optional. If your SaaS vendor has a data breach and you don't have a DPA in place, the regulatory responsibility falls on you.

The EU Data Act, which began applying in September 2025, adds another layer: it gives you new rights to switch cloud providers and port your data. But it also means you need to understand what data your providers hold and how to retrieve it.

Practical step: Audit every SaaS tool your company uses. For each one that touches personal data, confirm you have a signed DPA.

4. Swiss Data Law Isn't GDPR-Lite — It's Criminal

Switzerland is not in the EU, but the Swiss Federal Act on Data Protection (FADP) has been in force since September 2023. It overlaps significantly with GDPR, but with one critical difference.

GDPR fines target companies. FADP penalties target individuals — specifically, the person responsible for the data protection violation. Fines can reach CHF 250,000 per offence.

If your company operates in Switzerland or processes data of Swiss residents, the FADP applies alongside (not instead of) GDPR.

5. NIS2 Supply Chain Requirements Can Reach SMBs

The NIS2 Directive primarily targets large organisations in critical sectors: energy, transport, healthcare, digital infrastructure. If your company has fewer than 50 employees, you're probably not directly in scope.

But NIS2 requires in-scope organisations to manage cybersecurity risks across their supply chain. That means your enterprise clients — the ones covered by NIS2 — may impose cybersecurity requirements on you as a supplier.

This is already happening. Large companies are adding cybersecurity clauses to vendor contracts, requiring security certifications, and auditing supplier practices. If you sell to enterprises in NIS2 sectors, expect these requirements to reach you.

What To Do About It

None of these obligations are insurmountable. But they do require knowing where you stand.

The first step is understanding which regulations apply to your specific situation — based on your industry, location, employee count, data practices, and technology use.

ComplyOne's free compliance health check does exactly that. It takes two minutes, requires no credit card, and gives you a prioritised action plan.
