EU AI Act compliance for SMEs: the 2026 guide

What the EU AI Act actually requires from small and mid-sized businesses after the Digital Omnibus — deadlines, risk tiers, penalties, and a quarter-one action plan.

George Tsimpilis·augmented by AI·

If you run a small or mid-sized company anywhere in the EU and your team uses AI — a chatbot on the site, generated marketing content, an assistant drafting documents — the EU AI Act applies to you. Not eventually. Parts of it since February 2025. This guide lays out what's actually required, what changed with the June 2026 "Digital Omnibus," and what to do about it, in plain business language. One framing note before we start: this is technical and operational readiness, not legal advice — the interpretation of law belongs with your counsel, a line we keep on our own AI governance engagements too.

Does the EU AI Act apply to my small business?

Almost certainly yes — the question is only which parts. The regulation doesn't have a small-company exemption; obligations follow what you do with AI, not how big you are.

The role you play matters most. A provider builds or sells AI systems under its own name; a deployer uses AI systems in its operations. Most SMEs are deployers, and deployers carry the lighter set of duties: use systems according to their instructions, keep the required transparency toward people interacting with them, ensure staff competence, and — where a use is high-risk — human oversight and logging. If you fine-tune or resell AI under your own brand, you can cross into provider territory, where documentation and conformity duties are heavier. Knowing which side of that line each of your AI uses sits on is the first genuinely useful compliance step.

What's the timeline after the 2026 Digital Omnibus?

The omnibus — politically agreed in May 2026, approved by Parliament June 16, final Council sign-off June 29, Official Journal publication expected during July — moved some dates and left others exactly where they were. The calendar that matters now:

  • Since February 2, 2025 — in force: the prohibited practices (social scoring, manipulative systems, emotion recognition at work and school) and the Article 4 AI-literacy duty — staff using AI must be trained for it.
  • Since August 2, 2025 — in force: obligations for general-purpose AI model providers (transparency, copyright policy, training-data summaries). If you just use those models, this tier is mostly not your problem.
  • August 2, 2026 — unchanged: the Article 50 transparency obligations — chatbots must disclose they're AI; deepfakes and other synthetic content must be labelled. The Commission's fining powers for general-purpose model providers also begin.
  • December 2, 2026: the end of the transition for machine-readable marking of AI-generated content for systems already on the market before August 2, 2026 (newer systems must comply from day one). Also the start of the new prohibition on systems generating non-consensual intimate imagery or CSAM.
  • December 2, 2027 — moved from August 2026: obligations for Annex III high-risk systems — recruitment and employee evaluation, credit scoring, education, critical infrastructure, and similar standalone uses.
  • August 2, 2028 — moved from 2027: obligations for high-risk AI embedded in regulated products (machinery, medical devices, toys).

Read that list again and notice the shape: everything that was delayed is the heavy, standards-dependent machinery. Everything already in force or landing this August is the everyday layer — disclosure, labelling, staff competence. The omnibus did not give SMEs a year off; it changed which homework is due first.

Which risk tier are my AI uses in?

The Act sorts uses — not technologies — into four tiers. The same model can sit in different tiers depending on the job you give it.

Prohibited. Social scoring, manipulation exploiting vulnerabilities, emotion recognition of employees, untargeted facial-image scraping. If any workflow smells like these, it stops — this tier has been enforceable since February 2025 and carries the top fine bracket.

High-risk. The Annex III list is where SMEs get surprised. Screening CVs with AI, ranking candidates, scoring creditworthiness, evaluating employees — all high-risk uses, even at a 20-person company. These now come due December 2, 2027, with obligations like risk management, human oversight, logging, and conformity assessment. If you use AI in hiring today, 2027 sounds far away; the vendor-selection, documentation, and process work it implies is not.

Transparency-tier. Chatbots, AI-generated content, deepfakes — the August 2, 2026 set. Not heavy, but visible: this is the tier your customers will literally see.

Minimal risk. Most everyday uses: internal drafting, summarization, research assistance, code assistance. No specific obligations beyond the horizontal ones (literacy, and any sector rules you already carry) — which is precisely why a written policy that says "these uses are fine, go" is as valuable as one that says "these need review."

What do the transparency rules require by August 2?

Three things, concretely:

  1. Chatbot disclosure. Anyone interacting with an AI system must be told they're dealing with AI, unless it's obvious from context. A visible line in the chat interface does the job. (Ours discloses — check the widget on this site.)
  2. Labelling synthetic content. Deepfakes and AI-generated or manipulated images, audio, and video need labels; AI-generated text published to inform the public needs disclosure unless it went through human editorial review with responsibility taken.
  3. Machine-readable marking. Providers of generative systems must mark outputs so they're detectable as AI-generated. Systems on the market before August 2, 2026 have until December 2, 2026 to implement this; newer ones must ship with it.

The Commission published a voluntary Code of Practice on the transparency of AI-generated content on June 10, 2026 — signing it is a recognized way to demonstrate compliance, though it doesn't grant a formal presumption of conformity. For an SME, the practical translation: audit every customer-facing surface where AI talks or publishes, and fix the disclosures now — it's mostly interface copy and metadata, the cheapest compliance you'll ever buy.

What does the AI-literacy duty actually mean?

Article 4 has applied since February 2025 and says providers and deployers must ensure their staff have a sufficient grasp of the AI systems they work with. The omnibus softened the wording — you must now "take measures to support" AI literacy rather than guarantee a level — but the duty stands, and it's the one obligation that's also plainly good business: teams that understand the tools' failure modes produce better work with fewer incidents.

In practice, this means documented training matched to how people actually use AI, plus usage guidance they can find. It doesn't mean a university course. Our AI fluency training exists for exactly this duty — but honestly, even a well-run internal workshop with written guidelines clears the bar most SMEs need.

What relief did SMEs actually get?

More than headlines suggested, and it's worth using:

  • Fines cap at the lower amount. For SMEs and startups, every penalty tier applies as the lower of the fixed sum or the turnover percentage. Large companies get the higher-of rule. The omnibus extended a version of this (the two lower tiers) to "small mid-caps" — companies under 750 employees with turnover up to €150M.
  • Simplified technical documentation. SMEs (and now small mid-caps) may use a simplified documentation form for high-risk systems; the Commission is mandated to publish it, and notified bodies must accept it.
  • Regulatory sandboxes. Every member state must run an AI sandbox — controlled testing with supervisory support and protection from fines while participating. The deadline moved to August 2027, and SMEs and startups get priority access. In Greece, the national implementing bill establishes one — we've covered the Greek framework in detail.
  • Less registration data. The omnibus trimmed what must be filed in the EU database for high-risk systems.

What happens if we get it wrong?

The ceilings: up to €35M or 7% of worldwide turnover for prohibited practices; up to €15M or 3% for breaching most operator obligations — including the transparency rules; up to €7.5M or 1% for supplying misleading information to authorities. With the SME lower-of rule, a small company's realistic exposure is the fixed amounts' lower counterpart — still enough to hurt, which is the point.

Enforcement is national: each member state designates market-surveillance authorities with these powers. Who that is depends on where you operate — in Greece, the bill before Parliament makes the data-protection authority the central supervisor. And a quieter enforcement channel matters just as much for SMEs: due diligence. Buyers, investors, and enterprise customers increasingly ask for your AI inventory and policy during procurement. A missing governance layer now costs deals before it ever costs fines.

What should we do this quarter?

Six steps, in order, sized for a company without a compliance department:

  1. Inventory. List every AI system and tool in use, who uses it, and for what. Half a day with the right people in the room.
  2. Classify. Map each use to a tier. Expect mostly minimal-risk, a transparency-tier cluster around anything customer-facing, and — check carefully — possible high-risk hits in HR and finance workflows.
  3. Fix Article 50 surfaces before August 2. Chatbot disclosures, labels on synthetic content, a marking plan with your vendors.
  4. Run the literacy training. Documented, role-matched, short. Keep the attendance list — that's your Article 4 evidence.
  5. Write the usage policy. Sanctioned tools, forbidden data flows, human-review points, an owner. One honest page beats a binder.
  6. Calendar the high-risk track. If step 2 found hiring, scoring, or evaluation uses: start the vendor conversations and documentation now with December 2027 as the deadline — it's a program, not a task.

If you want the technical half of this done with you — inventory, classification, policy, oversight and audit trails — that's our AI governance service, built to work alongside your counsel rather than replace it. Not sure where you stand at all? The free AI readiness self-check scores your governance posture in three minutes, and it's one of the four dimensions we measure.

The AI Act's reputation as a compliance monster mostly comes from reading the high-risk chapters as if they applied to everyone. They don't. For a typical SME, the real 2026 checklist is an inventory, some interface copy, a training session, and a page of policy — a solid quarter's side project that doubles as the trust story you'll be telling customers anyway.

Related signals