EU AI Act 2026: What Companies Need to Know Now
The EU's AI Regulation is rolling out in stages — and it doesn't just affect Big Tech. If you run a chatbot, do CV screening, or use lead scoring at your SMB, you need to know the 2026 obligations. Here's the pragmatic overview.
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive piece of AI legislation. In force since 1 August 2024, it applies in phases. The first prohibitions (Art. 5) and the AI literacy duty (Art. 4) went live on 2 February 2025. In 2026, the next big wave arrives, bringing obligations that may affect any company using or providing AI.
The good news: contrary to common narrative, the AI Act is not a bureaucratic monster that turns every chatbot into a compliance nightmare. Most SMB use cases fall under "minimal risk" and need virtually no extra documentation. But: there are clear obligations for high-risk systems and transparency duties covering many everyday AI applications. Ignoring them can lead to substantial fines.
This article gives you a sober overview: which 2026 deadlines matter, which risk category your use case falls into, what you need to document — and the five concrete steps you should be taking right now.
Key 2026 Deadlines (in chronological order)
The AI Act doesn't take effect all at once — it phases in. Here are the key dates:
| Date | What becomes binding | Who's affected |
|---|---|---|
| 02 Feb 2025 | Ban on AI with "unacceptable risk" (Art. 5: social scoring, manipulative AI, emotion recognition at work, real-time biometric identification); AI literacy duty (Art. 4) | All companies |
| 02 Aug 2025 | Obligations for General Purpose AI (GPAI) models, plus the governance and penalty provisions; primarily affects model providers like OpenAI, Anthropic, Google | AI model providers; indirectly all users |
| 02 Aug 2026 | Main application: transparency duties (Art. 50), high-risk obligations for Annex III systems, national market surveillance and enforcement | All companies using AI |
| 02 Aug 2027 | High-risk requirements for AI that is a safety component of products covered by EU product legislation (Art. 6(1), Annex I; e.g. medical devices, machinery) | Manufacturers of regulated products |
For you as an SMB, 2 August 2026 is the date that really matters. From then on, the Art. 50 transparency duties and the high-risk obligations for Annex III systems apply in full, and the national market surveillance authorities can enforce them. Note that the AI literacy obligation under Art. 4 has already applied since 2 February 2025: employees using AI must have a "sufficient level of AI literacy." Art. 99 sets no dedicated fine for Art. 4, but it is a binding obligation nonetheless, and it is the first thing an authority will ask about when it looks at how you run any higher-risk system.
The 4 Risk Categories — what each means for your use case
The AI Act follows a risk-based approach. The greater the potential harm to fundamental rights, health or safety, the stricter the rules. Here are the four categories you need to know:
1. Unacceptable Risk (prohibited)
These AI applications have been completely banned in the EU since February 2025 — regardless of purpose:
- Social scoring (rating people based on social behavior or personal characteristics, leading to unjustified or disproportionate detrimental treatment), by public or private actors
- Manipulative AI that uses subliminal, deceptive or manipulative techniques to distort behavior and causes or is likely to cause significant harm, and AI that exploits vulnerabilities due to age, disability or social or economic situation
- Emotion recognition in the workplace and educational institutions (except for medical or safety reasons)
- Real-time biometric remote identification in publicly accessible spaces for law-enforcement purposes (with narrow, authorized exceptions)
- Predictive policing that assesses the risk of a person committing an offence based solely on profiling or personality traits
- Untargeted scraping of facial images from the internet or CCTV to build facial recognition databases, and biometric categorization that infers sensitive attributes such as race, political opinions or sexual orientation
2. High Risk (strictly regulated)
These systems are allowed but come with extensive obligations: conformity assessment, risk management, data quality, transparency, human oversight, logging. Examples from Annex III, listed roughly by how likely they are to show up in an SMB:
- CV screening and automated candidate selection
- Employee evaluation, promotion or termination decisions
- Creditworthiness assessment for individuals (except systems used purely to detect financial fraud)
- Access to education, to essential public benefits and services, and risk assessment or pricing for life and health insurance
- Safety components of critical infrastructure (energy, water, transport, digital infrastructure)
3. Limited Risk (transparency duty)
The rule here (Art. 50): users must know they're interacting with AI or looking at AI-generated content. In practice:
- Chatbots must identify themselves as AI, unless that is obvious from the circumstances
- Deepfakes (AI-generated or manipulated image, audio or video that looks authentic) must be labeled; AI-generated text published to inform the public on matters of public interest must be disclosed unless a human has reviewed it and takes editorial responsibility
- Emotion recognition systems (outside prohibited contexts) require disclosure
- Biometric categorization must be disclosed
4. Minimal Risk (no specific duties)
The vast majority of AI applications fall here. Examples: spam filters, product recommendations, translation, spell-checking, code assistants for internal developers. No AI-Act-specific obligations — but GDPR and sector-specific rules still apply, of course.
Concrete SMB Scenarios — what's allowed, what's not?
To make this less abstract, here are five typical scenarios from mid-sized businesses:
Scenario 1: Customer service chatbot on your website
Risk category: Limited Risk. What you need to do: Place a visible notice that the chatbot is an AI, up front and not only when asked. A line like "Hi, I'm Cleo, the AI assistant from Cogswell IT" usually does the trick. Plus: GDPR-compliant handling of conversation data.
Scenario 2: AI-driven CV screening
Risk category: High Risk (Annex III, item 4(a): recruitment and selection). What you need to do: Substantial obligations. The provider owes risk management, data quality evidence, technical documentation and a conformity assessment; as the deploying employer (Art. 26) you must use the system per the provider's instructions, keep the logs it generates, organize human oversight (a person must actually be able to review and override AI decisions, not just rubber-stamp them), inform worker representatives and affected workers before use, and inform candidates that they are subject to the system. Without proper compliance: stay away.
Scenario 3: Lead scoring in B2B sales
Risk category: Typically Minimal Risk, since it evaluates companies. What you need to do: Nothing AI-Act-specific, but mind GDPR as soon as personal data of contacts is processed.
Scenario 4: Voice agent for phone orders
Risk category: Limited Risk. What you need to do: At the start of every call, disclose that this is an AI agent ("Hello, I'm the digital assistant from Restaurant X"). Handle recordings and data processing in line with GDPR as before.
Scenario 5: Automated decision on contract renewal
Risk category: Depends on context. With consumers and material impact in an Annex III area (e.g. credit, life or health insurance): High Risk. Standard B2B contracts are usually Minimal Risk, though GDPR Art. 22 limits on solely automated decisions still apply wherever an individual is affected. What you need to do: When in doubt, treat as High Risk or let a human make the final call.
Documentation Duties — what do you need to prove?
The AI Act distinguishes between providers (who develop an AI system, or have it developed, and place it on the market or put it into service under their own name) and deployers (who use an AI system under their own authority in a professional context). Obligations differ; most SMBs are deployers. Beware of the switch in Art. 25: if you put your name on a high-risk system, substantially modify it, or change its intended purpose so that it becomes high-risk, you become the provider.
As a deployer (you use AI):
- Demonstrate AI literacy (Art. 4) — employees operating AI must be trained. A short internal training with documentation usually suffices.
- For high-risk systems (Art. 26): Follow the provider's instructions for use, assign human oversight to trained and competent people, retain the automatically generated logs for at least six months (longer if other EU or national law says so), inform worker representatives and affected persons, monitor the system and report risks and serious incidents to the provider and the authority, and use the provider's documentation to run a GDPR data protection impact assessment.
- Transparency: Place visible AI notices for Limited-Risk systems.
- Appoint a responsible person: Someone internal should own AI topics.
As a provider (you build and sell AI):
- Technical documentation per Annex IV (for high-risk systems): system description, data management, testing procedures, risk assessment.
- Conformity assessment, CE marking and registration in the EU database (Art. 49) for high-risk systems, before placing them on the market.
- Post-market monitoring: Document issues; report serious incidents to the market surveillance authority immediately and no later than 15 days after becoming aware of them (Art. 73), with shorter deadlines of 10 days for a death and 2 days for widespread infringements or critical-infrastructure incidents.
- Set up a quality management system.
Penalties and Risks — how high are the fines?
AI Act fines (Art. 99) are tiered GDPR-style, and in places significantly higher:
| Violation | Maximum fine |
|---|---|
| Use of prohibited AI practices (Art. 5) | up to €35M or 7% of global annual turnover, whichever is higher |
| Breach of other obligations, including high-risk duties of providers and deployers and the Art. 50 transparency duties | up to €15M or 3% of global annual turnover, whichever is higher |
| Providing incorrect, incomplete or misleading information to authorities | up to €7.5M or 1% of global annual turnover, whichever is higher |
For SMEs, including start-ups, the lower of the two amounts is the cap instead (Art. 99(6)). That softens the blow compared to large corporations, but six-figure fines can still threaten a small business's existence. Add reputational risk and potential civil claims if defective AI causes harm.
5 concrete steps to take RIGHT NOW
- Build an AI inventory. List every AI system in use in your company — including AI baked into standard tools (Microsoft Copilot, Salesforce Einstein, HubSpot AI, etc.). Without this inventory, you can't manage compliance.
- Classify by risk category. Go through the list and classify each use case. When uncertain, default to the higher tier — it saves arguments later.
- Build AI literacy. Plan a short internal training by August 2026. Goal: employees understand what AI can and cannot do, how to spot hallucinations, and how to handle data responsibly. Document the training.
- Implement transparency notices. Chatbots, voice agents, AI-generated content — wherever Limited-Risk duties apply, check your notices. A single sentence is often enough, but it must be visible.
- Assign responsibility and define a process. One person as "AI Officer" or at least a point of contact. Plus a simple process to vet new AI tools before deployment. This doesn't have to be a bureaucratic beast — a one-page checklist is fine.
FAQ
Am I affected if I only use ChatGPT for writing?
Yes, but only minimally. As a deployer you fall under the AI literacy requirement (Art. 4): employees should have a basic understanding of how the tool works and where the risks lie. If you publish AI-generated output that looks authentic (images, audio, video, i.e. deepfakes), or AI-written text to inform the public on matters of public interest, the Art. 50 disclosure duties apply. Purely internal writing raises no AI-Act-specific issue.
What if our AI provider is outside the EU (e.g. OpenAI, Anthropic)?
The AI Act applies extraterritorially (Art. 2): it covers providers placing a system on the EU market or putting it into service in the EU wherever they are established, and providers and deployers in third countries whose AI output is used in the EU. The major providers have appointed EU authorised representatives and are adjusting their products. As a deployer you remain responsible for your specific use. Ask for compliance assurances and the provider's instructions for use when signing contracts.
Do I need an "AI Officer" like a data protection officer?
There is no formal obligation comparable to the DPO. But: a named responsible person is best practice and makes interactions with authorities easier. For high-risk systems, human oversight must be organized anyway — and that includes clear accountability.
What about open-source AI?
AI systems released under a free and open-source licence are out of scope (Art. 2(12)) unless they are placed on the market as high-risk systems or fall under the Art. 5 prohibitions or the Art. 50 transparency duties. Open-source General Purpose AI models get reduced provider obligations (Art. 53(2)), unless they pose systemic risk. If you embed an open-source model in your own product, you take on responsibility for the specific use case as deployer or, if you market it under your name, as provider.
Not sure whether your AI setup is AI-Act compliant?
30 min intro call. We walk you through which use cases fall into which risk category.
Request a compliance check →