The EU AI Act for SMEs: What Really Applies to You in 2026
"Do we now have to do anything because of the EU AI Act?" – that is the question SMEs ask me most often at the moment. The honest answer: probably less than the panic headlines suggest, but not nothing. And what applies shifted once more in mid-2026.
The core principle: regulation by risk
The AI Act does not regulate "AI" wholesale, but by use case and risk. Simplified into four tiers:
- Prohibited practices (e.g. social scoring, manipulative systems) – banned.
- High-risk systems (e.g. AI in candidate selection, credit scoring, critical infrastructure) – strict obligations.
- Systems with a transparency duty (e.g. chatbots, AI-generated content) – labelling required.
- Minimal risk (the bulk of everyday AI) – essentially no special obligations.
For most SMEs the key insight is: you are usually not a provider of high-risk AI, but a deployer of standard tools such as ChatGPT and the like. The heaviest obligations therefore mostly do not fall on you – but a few light ones do.
What changed in 2026: the Digital Omnibus
The original timeline foresaw the high-risk obligations applying from 2 August 2026. In November 2025, however, the European Commission proposed a simplification package – the so-called "Digital Omnibus". The European Parliament endorsed it on 16 June 2026, and the Council of the EU gave its final green light on 29 June 2026. Publication in the EU Official Journal and entry into force follow shortly after.
The result, as of July 2026: the obligations for stand-alone high-risk systems (Annex III) are postponed to 2 December 2027, and for systems embedded in products (Annex I) to 2 August 2028. Important: postponed means deferred, not abolished.
What still applies to you in 2026
Two things apply regardless of the postponement – and they affect almost every company.
1. AI literacy (Art. 4) – already in force since February 2025
Companies that use AI systems must ensure their staff have a sufficient level of AI competence. No mandatory certificate, no exam – but a traceable minimum of training and awareness. For SMEs this practically means: a short internal briefing on what the tools in use may do, where their limits are and which data must not go into them. That kills two birds with one stone – it satisfies Art. 4 and prevents exactly the kind of situations that trigger an AI data breach in the first place.
2. Transparency obligations (Art. 50) – from 2 August 2026
This deadline is unaffected by the postponement. Anyone deploying AI that people interact with (such as a chatbot on the website) must disclose that it is AI. AI-generated or manipulated content, in particular "deepfakes", must be labelled accordingly. For most SMEs this is done with a few clear notices.
Your pragmatic roadmap
- Rule out prohibited practices. Briefly check that none of your use cases falls into the prohibited category. For normal SME usage practically never an issue, but worth a tick.
- Clarify your role. Are you anywhere a provider or operator of a high-risk system (e.g. AI in recruiting)? If so: start preparing for December 2027. If not: relax.
- Implement AI literacy. A short training, recorded in writing. This is due today, not in 2027.
- Establish transparency. Label chatbots and AI content by August 2026.
- Keep an eye on data flows. The AI Act obligations and the GDPR interlock – where your data goes remains the central question.
In short
For a typical SME the EU AI Act is not a major project, but a handful of manageable tasks – above all AI competence in the team and a bit of transparency. The big high-risk obligations are postponed to the end of 2027. Those who set up the basics cleanly now will not have to retrofit hectically later. And if something does go wrong, the AI incident response kit helps with a quick assessment.
Note: This article reflects the state of play as of July 2026 and does not replace individual legal advice.