More than half of German SMEs are using AI tools in some form in 2026 — from Copilot licence rollouts to productive forecasting models in manufacturing and sales. Organisations without a formally documented strategy framework are managing the topic reactively: licence costs grow unchecked, departments procure shadow AI, confidential data ends up in public cloud models, and at the end of the financial year no one can quantify what the investments have returned. This guide explains how an SME develops a robust AI strategy — from the vision through use-case discovery and the build-vs-buy decision to a KPI framework and a concrete 90-day roadmap. For the broader context see our AI Guide for SMEs.
Why an AI Strategy Is Non-Negotiable in 2026
Three developments make a written AI strategy a board-level task in 2026. First, the regulatory situation: the EU AI Act has been in force since August 2024; prohibited practices have applied since February 2025; obligations for general-purpose AI models since August 2025; and the full high-risk regulation takes effect in August 2027. Organisations running high-risk applications without documented risk classification, conformity assessment, and technical documentation face fines of up to 35 million euros or 7 percent of global annual turnover — the highest penalty rates currently in EU law. More detail in the EU AI Act cluster.
Second, cost trends. AI licences became significantly more expensive in 2025 and 2026, with Microsoft, Google, and Anthropic repeatedly raising per-seat prices. Without a strategy, costs grow unchecked — in audits we regularly see companies with 200 to 400 employees spending between 80,000 and 220,000 euros per year across three business units on partially overlapping AI licences, with no way to quantify the actual business value. A strategy creates cost transparency and negotiating leverage with vendors.
Third, competition. SMEs that introduce AI in a structured way recapture between 8 and 22 percent of processing time in sales and service, depending on the business model. That time flows into acquisition, consulting, and margin improvement. Organisations that fall two to three years behind on this front can barely close the competitive gap operationally. A strategy is therefore not an innovation luxury but a competitive prerequisite.
A strategy does not mean "a PowerPoint deck for the supervisory board". A robust AI strategy is a 15- to 30-page document with five concrete building blocks, a prioritised use-case pipeline, a three-year investment framework, a governance structure, and a 90-day roadmap for the first implementation wave. It is approved by the board or management and reviewed at least every six months.
The Five Building Blocks of an SME AI Strategy
From more than 30 strategy engagements over the past two years we have distilled five building blocks that every viable SME AI strategy must contain. Leave out any one of them and you are building on sand.
- Vision and ambition level: A clear statement of what AI should and should not achieve in the organisation. Example: "We use AI to automate recurring administrative tasks and to support sales, not for autonomous decisions in HR or credit matters." This delineation steers later use-case selection and rules out regulatory risk areas from the outset.
- Prioritised use-case pipeline: An ordered list of 8 to 15 use cases with effort, expected benefit, data availability, and risk classification under the EU AI Act. The pipeline is reviewed quarterly. Without a pipeline, shadow initiatives emerge in every department.
- Data foundation: An honest assessment of data maturity: which data exists in structured form, which is locked in PDFs and emails, which may actually be used for AI from a privacy and confidentiality perspective. Without this assessment, every use case that goes beyond pure chatbot wrappers will fail.
- Tooling architecture: A decision on the tool landscape: which standard platforms (Microsoft Copilot, Google Workspace with Gemini, ChatGPT Enterprise, Claude for Work), which specialist tools per department, which custom development. Including an answer to the question of where models run physically: EU region, on-premises, or hyperscaler.
- Governance and responsibilities: Who decides on new use cases, who classifies risks, who maintains the model inventory, who trains staff, who audits. In SMEs this is typically a four- to six-person AI steering committee comprising management, IT leadership, the data protection officer, a departmental representative, and a technical AI owner.
These five building blocks must build on one another. A vision without use cases is marketing; use cases without a data foundation are PowerPoint dreams; tooling without governance produces shadow IT; governance without a vision becomes a brake.
Use-Case Discovery — Finding the Right Pilot Projects
The most common question in the first strategy session is: "Where do we start?" Wrong answers are "We'll build a chatbot" and "We'll extract data from invoices" — both are examples cited at conferences without anyone having analysed the specific problems of their own organisation. The right answers emerge from a structured discovery process.
In practice we use a three-stage approach. In a first survey we collect use-case ideas through structured interviews with all department heads — typically 40 to 80 ideas in an SME. In a scoring round the ideas are evaluated on three axes: business value per year in euros, effort to productive deployment in person-months, data availability, and risk classification. In a prioritisation round the AI steering committee selects the 8 to 15 strongest candidates and places them on a 24-month roadmap.
Experience shows that the most valuable use cases in SMEs are almost never the spectacular ones but the mundane ones: automated responses to recurring service requests, semantic search in internal knowledge bases, preparation of sales calls based on publicly available information, code assistance in the development department, transcription and summarisation of meetings, risk classification of incoming contracts. Each of these use cases typically saves between 20,000 and 200,000 euros per year in an SME, carries manageable risk, and can be in production within three to six months.
Build vs Buy vs Hybrid
One of the most expensive decisions in the strategy is the choice between build, buy, and hybrid. Most SMEs choose the wrong option because they either overestimate build ("We'll train our own model") or underestimate buy ("We'll just use the standard tool"). The table below maps out the three models.
| Model | When it makes sense | Risks | Typical cost/year |
|---|---|---|---|
| Buy — standard platform | Generic use cases without competitive differentiation, high time-to-value, low data sensitivity | Vendor lock-in, price increases, data leakage to provider | 30 – 80 € per employee per month |
| Build — custom solution | Competitively differentiating use case, confidential training data, existing MLOps expertise | High initial investment, ongoing operational overhead, skills risk with staff turnover | 120,000 – 600,000 € initial investment plus operations |
| Hybrid — standard plus custom layer | Standard model as a base, proprietary business logic, retrieval-augmented generation on own data | Architectural complexity, update risk on model change | 40,000 – 180,000 € per year plus licence costs |
For 80 to 90 percent of use cases in SMEs, the hybrid model is the economically correct answer. Standard models from Anthropic, OpenAI, or Mistral are connected via API, proprietary data is integrated via a retrieval layer, and the business logic remains in-house. Training a custom model is practically only worthwhile in two cases: with very large, highly specific datasets that offer competitive differentiation, or for applications that must run in a closed environment without cloud connectivity.
KPI Framework: How We Measure AI Success
Without measurement, AI strategy becomes a matter of faith. We recommend a three-layer KPI model that captures the business, adoption, and governance levels together.
| Level | KPI | Direction | Reporting frequency |
|---|---|---|---|
| Business | Business value per use case in euros | Use-case-specific — revenue, margin, processing time | Quarterly |
| Business | Total return on investment for AI portfolio | Positive balance after 18 months | Semi-annually |
| Adoption | Share of active users per tool | Over 50% of licensed seats after 6 months | Monthly |
| Adoption | Number of productive use cases | Plus 3 to 5 per year after launch phase | Quarterly |
| Governance | Risk classification of all systems | 100% of productive systems classified | Quarterly |
| Governance | Response time to AI incidents | Under 24 hours acknowledgement, under 5 days resolution | Ongoing |
Business KPIs must be defined per use case before implementation begins. Organisations that roll out an AI tool without first defining what success looks like cannot justify renewal or decommissioning twelve months later. From practical experience: three hard business-value metrics per use case are sufficient; more dilutes the evaluation.
Common Strategy Mistakes
Before going deeper into our own approach, it is worth examining the most frequent mistakes. We encounter them in every second audit engagement.
Hype-driven rather than problem-driven. A strategy starts with the solution ("We're doing chatbots") rather than the problem ("Our service team is overwhelmed with standard enquiries, response time over 48 hours"). Hype-driven strategies can be identified by the fact that the use-case list reads like a conference programme. The remedy: every use case is documented with a clear problem statement and a measurable current state.
Top-down without a departmental anchor. Management and IT define use cases in an ivory tower; the department only learns about the rollout at the training session. This setup produces tools that no one uses. The remedy: every use-case idea needs a departmental sponsor with budget responsibility who personally quantifies the expected benefit.
Vendor lock-in without an exit path. A strategic commitment to a single provider without abstraction of model calls and without a plan for switching. If the provider doubles its prices or discontinues a central feature, the organisation is stuck. The remedy: an abstraction layer between the application and the model provider, a documented second option per use case, and contractual exit clauses.
No data-maturity check. The strategy promises forecasting models, but the data sits in Excel spreadsheets on network drives or in PDF attachments. The remedy: before every data-intensive use case, an honest assessment of data availability and data quality, and if necessary a preliminary data-consolidation effort.
Governance and Compliance: EU AI Act, GDPR, Internal Policies
Governance is the building block where SME strategies are most often thin. That is understandable — governance generates no visible business value; it prevents damage. It is nonetheless non-negotiable, because the EU AI Act, GDPR, supplier audits, and cyber insurance policies all demand demonstrable governance in 2026.
The mandatory programme comprises six elements. First, a written AI policy for all employees that clarifies which tools are permitted, what data may be entered, and where the boundaries lie. Second, a model inventory that documents all AI systems in productive use with provider, use case, risk classification, and responsible person. Third, a classification process for new use cases that assesses the EU AI Act risk before development begins. Fourth, a data protection impact assessment for every use case involving personal data in accordance with Article 35 GDPR.
Fifth, a training concept: since February 2025 the EU AI Act has required all operators of AI systems to ensure that their employees have sufficient AI literacy. This requirement (Article 4) is frequently overlooked but carries financial penalties. Sixth, incident management with a defined escalation chain for model errors, data breaches, and hallucination-related harm.
In practice, these six elements fit into a 20-page governance handbook approved by the AI steering committee and revised at least annually. Organisations that build a 200-page document produce paper that no one reads.
90-Day Roadmap
A strategy is worthless unless it is translated into concrete weekly packages. The roadmap below shows a typical 90-day plan for the first strategy implementation. It is intended as a guide; every organisation adapts it to its sector, size, and maturity level. For more depth see our cluster AI Roadmap 90 Days.
| Period | Work package | Output |
|---|---|---|
| Weeks 1–2 | Convene AI steering committee, approve vision and ambition level, onboard external advisors | Vision statement and steering charter |
| Weeks 3–5 | Use-case survey across all departments, structured interviews with department heads | 40–80 use-case ideas with initial scoring |
| Weeks 5–7 | Data-maturity check, tooling inventory, shadow AI audit | Data and tooling maturity report |
| Weeks 6–8 | EU AI Act classification of all top ideas, GDPR pre-screening | Risk-classified use-case list |
| Weeks 8–10 | Prioritisation in steering committee, selection of 2 to 3 pilots, budget approval | Approved 24-month roadmap |
| Weeks 9–11 | Draft governance handbook, formulate AI policy for staff | Governance handbook version 1 |
| Weeks 10–12 | Launch pilot projects, roll out training concept, sign vendor contracts | First pilots in execution, training plan in roll-out |
| Weeks 12–13 | First success measurement, communicate to staff and supervisory board, adjust roadmap | 90-day steering report, approved next steps |
Three to five people from the AI steering committee work at 20 to 40 percent capacity during these 90 days. External consultants typically contribute 20 to 40 advisory days over the quarter. In terms of investment, most SMEs land in the range of 60,000 to 180,000 euros for the 90-day strategy including pilot licences — depending on size and depth of advisory support. An honest roadmap calculates these figures upfront, not in hindsight.
Evaluate your AI strategy at no obligation
Considering building an AI strategy or hardening an existing one? We offer a complimentary 45-minute initial consultation — we assess your current AI maturity, sort out existing initiatives, and propose a fitting 90-day path.
How Reepa Solutions Supports SMEs with AI Strategy
Reepa Solutions has been guiding SMEs through AI strategies since 2023. Our approach differs from traditional consulting firms in three ways. First, we are technology-neutral — we do not resell vendor licences and have no incentive to push any particular tool. Second, we work hands-on — we typically help build the first pilot ourselves rather than producing slide decks alone. Third, our deep knowledge of the regulatory landscape from our own cybersecurity business feeds directly into the governance building blocks.
A typical strategy engagement with us runs 10 to 14 weeks. It begins with a two-day diagnostic phase in which we speak with management and department heads, map existing initiatives, and deliver a maturity report. This is followed by 8 to 10 weeks of guided strategy development with weekly steering sessions. The engagement concludes with an approved strategy document, a 24-month roadmap, a governance handbook, and at least one pilot project in execution. Investment for such an engagement typically ranges from 35,000 to 90,000 euros in consulting fees for SMEs, depending on size and complexity. Tool licence and pilot implementation costs are additional. For a detailed breakdown see Calculating AI Costs and ROI.
Frequently Asked Questions
How long does it take to develop an AI strategy for an SME?
For an SME with between 50 and 1,000 employees, the initial development of a robust AI strategy typically takes 8 to 14 weeks — provided that management, the IT director, and at least two department heads are actively involved. The time-critical factor is not the conceptual work but the use-case validation using real departmental data. Strategies drafted on a whiteboard in four weeks almost always fail during implementation.
Do we need our own AI platform, or are external tools like Microsoft Copilot and ChatGPT Enterprise sufficient?
For most SMEs, external tools are entirely sufficient for the first 12 to 18 months. Building a proprietary platform only makes sense when three conditions are met: first, confidential training data that must not be sent to external providers; second, at least three productive use cases with measurable business value; third, in-house data and MLOps expertise to ensure ongoing operations. Organisations that do not meet these conditions will pay more for a proprietary platform than the business value justifies.
What role does the EU AI Act play in strategy development?
The EU AI Act has been in force since August 2024 and will become binding in stages through 2027. For strategy this means: every planned application must be classified before implementation begins — prohibited practice, high-risk system, limited risk, or minimal risk. High-risk applications such as applicant screening, creditworthiness assessment, or critical infrastructure control trigger extensive documentation, testing, and audit obligations. SMEs should embed a classification workflow into the strategy phase before use cases are prioritised.
How do we measure the success of an AI strategy?
The success of an AI strategy is measured at three levels. First, at the business level via hard KPIs such as revenue, margin, processing time, or error rate per use case. Second, at the adoption level via active usage of the tools introduced — if an AI tool is rolled out and fewer than 30 percent of users are active after three months, that is an adoption problem, not a technology problem. Third, at the governance level via audit cleanliness, risk classification of all productive systems, and incident response time. A strategy that optimises only for adoption figures overlooks risks; a strategy that measures only business KPIs overlooks the human factor.
What is the most common mistake in AI strategies for SMEs?
By far the most common mistake is a hype-driven strategy without a departmental anchor. Management reads about a use case at a large corporation in the business press and assumes the company must do the same — usually chatbots or document extraction without a clear problem statement. Departments are only brought in after vendor selection, find the use case irrelevant, and do not use the tool. The second major source of error is vendor lock-in: a strategic commitment to a single provider without modelling exit paths. Both mistakes are avoidable with a disciplined process, but cost six to seven figures when they occur.
Ready to build your AI strategy?
Let's talk for 45 minutes at no obligation. We assess your AI maturity, sort out existing initiatives, clarify the EU AI Act situation, and deliver a realistic 90-day path with a budget framework and steering setup.