The classic trap
Article 63 looks like a gift for microenterprises, and that is exactly where the trap closes. Many managers read derogation and conclude that a small company escapes most of the Regulation. Wrong: paragraph 2 locks everything down. The simplification covers ONLY certain elements of the quality management system in Article 17, and NEVER the substantive requirements of Articles 9 to 15 (risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy and cybersecurity), nor post-market monitoring (Article 72) and serious incident reporting (Article 73). The EU AI Office, which supervises general-purpose AI systems, and the market surveillance authority to be designated in Luxembourg, will sanction a microenterprise that believed it could self-exempt beyond the real scope of the derogation.
The real conditions and limits of the derogation
- The derogation targets microenterprises only within the meaning of Recommendation 2003/361/EC (fewer than 10 staff and annual turnover or balance sheet not exceeding 2 M EUR).
- It falls away as soon as the enterprise has partner or linked enterprises: a microenterprise that is a subsidiary of a group, or owned more than 25 percent by a larger company, loses the benefit.
- The simplification applies only to certain elements of Article 17 (quality management system), not to all of Article 17.
- No exemption on Articles 9, 10, 11, 12, 13, 14, 15: risk management, data, documentation, logs, transparency, human oversight, robustness.
- No exemption on Articles 72 and 73: post-market monitoring and serious incident reporting.
- The Commission guidelines will define the exact simplified scope: departing from it without documented basis is a direct risk.
How Luxgap automates this risk
Our Luxgap Microenterprise Eligibility Guard makes the scope error impossible: it continuously calculates your real microenterprise status and delineates, line by line, what you can actually simplify from what you must fully comply with. The tool cross-references your RCS register, your ownership structure, your headcount (Sage BOB 50, Workday LU) and your annual accounts to determine whether the presence of partner or linked enterprises tips your obligation, then projects that analysis onto Articles 9 to 15, 72 and 73.
- Automatically calculates your microenterprise eligibility under Recommendation 2003/361/EC by aggregating headcount, turnover and capital links from the RCS and your accounting.
- Detects in real time any acquisition or new linked enterprise that would forfeit the benefit of the derogation, with an instant Teams alert.
- Distinguishes, element by element, what falls under the simplifiable quality management system (Article 17) and what remains fully required (Articles 9 to 15, 72, 73).
- Generates a compliance map per high-risk AI system, aligned with the Commission guidelines once published.
- Produces a timestamped PDF report, enforceable before the AI market surveillance authority and the EU AI Office, demonstrating the exact scope of the derogation invoked.
Available as a complement to a Luxgap DPO or CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real structure, with a free blank audit within 48h to measure your exposure before any commitment.