Skip to main content
Back to the guide
AI & compliance9 min read

The EU AI Act for SMEs: what applies from 2026

The EU AI Act is here and applies in phases. The good news for SMEs: if you only use AI rather than build it, your obligations are manageable. But they are not zero. Here are the deadlines that actually matter, including the postponements from the June 2026 Digital Omnibus, and what you should do in practice.

Published on June 25, 2026 · Updated on July 12, 2026 · Daniel Gläser

What the EU AI Act is

The EU AI Act is Regulation (EU) 2024/1689, the EU's first comprehensive AI law. It was published on 12 July 2024 and entered into force on 1 August 2024. It follows a risk-based approach with four tiers: unacceptable (prohibited) risk, high risk, limited risk with transparency obligations, and minimal risk.

In force is not the same as applicable

The regulation entered into force on 1 August 2024, but its obligations take effect in stages at different dates. This is often confused.

The timeline: what applies when

  • 1 August 2024: the regulation enters into force.
  • 2 February 2025: the prohibited AI practices (Art. 5) and the AI literacy obligation (Art. 4) apply.
  • 2 August 2025: obligations for general-purpose AI models (GPAI) and the governance rules apply.
  • 2 August 2026: the transparency obligations under Art. 50 (chatbots, AI-generated content) and the remaining general rules apply.
  • 2 December 2026: the labelling obligations also cover systems placed on the market before 2 August 2026.
  • 2 December 2027: the high-risk obligations for standalone systems under Annex III apply (postponed by the Digital Omnibus, originally 2 August 2026).
  • 2 August 2028: the rules for high-risk AI as a safety component of regulated products (Annex I) apply (originally 2 August 2027).

Beware of outdated articles

The Digital Omnibus postponed the high-risk deadlines in June 2026: Annex III to 2 December 2027, Annex I to 2 August 2028. Many texts online still cite the old dates. Unchanged: Art. 50 transparency from 2 August 2026 and the GPAI obligations, which have applied since 2 August 2025.

Digital Omnibus: what changed in 2026

The EU softened the AI Act before its strictest obligations even took effect. On 7 May 2026 the Council and Parliament reached a political agreement on the Digital Omnibus simplification package, on 16 June 2026 Parliament approved it, and on 29 June 2026 the Council adopted it. The core change: the high-risk obligations arrive considerably later, everything else stays on schedule.

  • Standalone high-risk systems under Annex III (for example certain HR or credit applications): obligations apply from 2 December 2027 instead of 2 August 2026.
  • AI as a safety component of regulated products under Annex I: from 2 August 2028 instead of 2 August 2027.
  • Not postponed: the transparency obligations under Art. 50. They apply as planned from 2 August 2026; for existing systems the labelling duties take effect from 2 December 2026.

Little changes for pure AI users

The prohibitions, the AI literacy obligation and the chatbot and labelling rules remain unchanged. If you only use AI, you mainly gain time where a high-risk use case is on the table.

What it means for SMEs that only use AI

Most small and medium businesses are deployers, not providers. They use finished AI tools rather than developing and placing their own AI systems on the market. That reduces obligations considerably, but it does not exempt you from everything.

  • AI literacy (Art. 4): deployers too must ensure a sufficient level of AI literacy among their staff. This has applied since 2 February 2025.
  • Prohibited practices (Art. 5): certain uses are banned outright, such as manipulative or certain biometric approaches.
  • Transparency (Art. 50): anyone using chatbots or generative AI has labelling duties (see below).
  • High-risk use: if you use an AI system in a high-risk area (for example certain HR applications under Annex III), the deployer obligations under Art. 26 apply (following the Digital Omnibus, applicable from 2 December 2027): use in line with the intended purpose, human oversight, control of input data, keeping logs and informing affected employees.

When you turn from user into provider

Careful: under Art. 25 you can become a provider with broader obligations if you place an AI system on the market under your own name or brand or substantially modify it. Anyone offering an AI product under their own label should check this early.

Transparency: labelling chatbots and AI content (Art. 50)

  • Chatbots: users must be informed that they are interacting with an AI system (Art. 50(1)). Exception: it is obvious anyway to a reasonably informed person.
  • Generated content: AI-generated or manipulated audio, image, video or text must be marked as artificial in a machine-readable format (Art. 50(2)).
  • Deepfakes: anyone creating or manipulating deepfakes with AI must disclose that the content is artificially generated or altered (Art. 50(4)). Adjusted rules apply to art, satire or fiction.
  • The information must be provided clearly, distinguishably and accessibly at the latest at the first interaction (Art. 50(5)).

Not every notice has to be intrusive

Art. 50 does not demand a warning sign at any cost. For chatbots the notice can be omitted where the AI nature is obvious. It is about clear, fair information, not deterrence.

The second lever: the GDPR

The AI Act does not replace the GDPR, both apply in parallel. As soon as your AI processes personal data, data protection comes into play. Three points matter most in practice:

  • Automated decisions (Art. 22 GDPR): a person has the right not to be subject to a solely automated decision with legal or similarly significant effect. This is generally understood as a prohibition, with exceptions (contract, legal authorisation, explicit consent) and safeguards such as the right to human intervention. In practice: for consequential decisions, a human stays in the loop.
  • Processing on behalf (Art. 28 GDPR): if an external service (such as an LLM provider) processes personal data on your instructions, you need a data processing agreement with the legally required minimum content.
  • Third-country transfers (Art. 44 ff. GDPR): if data goes to the US, you need a legal basis. For US providers certified under the EU-US Data Privacy Framework there has been an adequacy decision since 10 July 2023; for non-certified providers EU standard contractual clauses plus supplementary measures are usually required.

The Data Privacy Framework is not guaranteed forever

A challenge to the adequacy decision (Latombe, case T-553/23) was dismissed on 3 September 2025, but an appeal to the Court of Justice remains possible. Anyone processing critical data is on safer ground with EU hosting or local models.

How to implement this GDPR homework in practice, from tier choice via the DPA to the team AI policy, is shown step by step in the guide Using ChatGPT and co. GDPR-compliantly.

Practical steps for SMEs

  • Get an overview of which AI is actually in use at your company, including hidden inside existing tools.
  • Build AI literacy in your team. It is mandatory and pays off anyway.
  • Label chatbots and AI-generated content in good time before 2 August 2026.
  • Sign a data processing agreement with AI service providers wherever personal data is involved.
  • For sensitive data, choose EU hosting or locally operated models.
  • Keep a human in the loop for decisions with consequences.

This is exactly where I come in: I integrate AI so that it delivers concrete value while staying compliant with the GDPR and the EU AI Act. Language models EU-hosted or local, answers from your own knowledge base instead of made-up information, and you at the decision points.

Sources

This article is carefully researched guidance, not legal or tax advice. For binding information, please consult your tax advisor or lawyer.

Frequently asked questions

Does the EU AI Act already apply?+

Yes, but in stages. Since 2 February 2025 the prohibitions and the AI literacy obligation apply, since 2 August 2025 the GPAI and governance rules, and from 2 August 2026 the transparency duties under Art. 50. The high-risk obligations were postponed by the Digital Omnibus: to 2 December 2027 for Annex III systems and 2 August 2028 for AI in regulated products.

What does the Digital Omnibus change in the EU AI Act?+

The package adopted in June 2026 postpones the high-risk obligations: Annex III from 2 August 2026 to 2 December 2027, Annex I from 2 August 2027 to 2 August 2028. The prohibitions, the AI literacy obligation and the transparency duties under Art. 50 stay on the original schedule.

Does my chatbot have to be labelled as AI?+

In principle yes, under Art. 50 from 2 August 2026. Users must know they are talking to an AI. An exception applies where this is obvious anyway to a reasonably informed person.

Can I use ChatGPT or another US model in a GDPR-compliant way?+

It is possible if the data protection basics are in place: a data processing agreement when personal data is processed and a valid transfer mechanism (Data Privacy Framework for certified providers, otherwise standard contractual clauses). For sensitive data, EU hosting or a local model is the safer route.

Am I a provider or a deployer?+

Most SMEs are deployers because they only use AI. You become a provider with more obligations if, among other things, you place an AI system on the market under your own name or brand or substantially modify it (Art. 25).

Can an AI decide about people on its own?+

For decisions with legal or similarly significant effect, Art. 22 GDPR generally prohibits solely automated decisions, with narrow exceptions and safeguards. In practice this means a human makes or confirms the consequential decision.

Adopt AI without the legal risk

I work with you to find the cases where AI genuinely saves time and implement them in a GDPR- and EU-AI-Act-compliant way. EU-hosted or local, with you at the decision points. From Chemnitz for SMEs in Saxony and across Germany.

Daniel Gläser

Daniel Gläser

Owner of Gläser IT-Solutions, Chemnitz

I build software and run IT infrastructure for small and medium businesses, from the first analysis to day-to-day operations. Everything here comes from real projects and is backed by sources.

More articles