Brief № 022 · Regulation

AI Act delay: what EU SMEs should still do in 2026

The AI Omnibus shifts high-risk AI timing, but SMEs still need inventories, Article 50 checks and evidence before August 2026.

By Eleanor Whitcombe 4 min read Last verified

Rows of labelled filing cabinets and indexed volumes in an archive room.
Photo: filing cabinets and indexed books - Element5 Digital, Pexels
On this page
  1. The cliff moved, not the paperwork
  2. Article 50 still belongs in the 2026 folder
  3. High-risk delay still needs a first classification
  4. The buying question changes
  5. Use the delay as evidence time

The AI Act calendar has changed shape, but it has not become optional. The political agreement on the AI Omnibus gives many high-risk systems more time, while leaving enough 2026 obligations in place to make a passive wait risky for small companies.

On 7 May 2026, the Commission said the revised sequence would put high-risk rules for areas such as biometrics, critical infrastructure, education, employment, migration and border control on a 2 December 2027 track, while systems embedded in regulated products move to 2 August 2028. The Service Desk timeline still lists 2 August 2026 as the date when the majority of AI Act rules and Article 50 transparency rules start to apply.

The cliff moved, not the paperwork

The old SME reading was simple and slightly wrong: everything serious happens on 2 August 2026. The new reading is less dramatic and more useful. Some high-risk obligations have more runway because standards and support tools are supposed to be in place first. That matters for vendors and for SMEs buying or deploying systems in regulated contexts.

It does not remove the need to know what the company is using. An SME cannot use the delay if it cannot name the system, the vendor, the business owner, the data source and the affected workflow. The calendar relief is only practical when there is an inventory to attach it to.

The minimum 2026 file is short:

QuestionEvidence to keep
What is the AI use case?Tool name, vendor, workflow and business owner
Does it affect people, content or decisions?Plain-language description of the output and audience
Is it potentially high-risk?Initial classification against Annex III and product context
Is transparency triggered?User notice, content label, human review or editorial control record
Who can stop it?Named accountable person and escalation path

Source: Regulation (EU) 2024/1689, European Commission AI Omnibus update and AI Act Service Desk timeline. Last verified 2026-06-21.

Article 50 still belongs in the 2026 folder

The part SMEs are most likely to underestimate is transparency. The Service Desk still points to 2 August 2026 for Article 50. The Commission’s AI Act page also keeps transparency support instruments on the implementation track, including marking and labelling guidance for AI-generated content.

That does not mean every AI-assisted paragraph or spreadsheet note needs a public label. The useful test is narrower: is a person interacting with an AI system without knowing it, or is AI-generated or manipulated content being presented in a context where authenticity matters? If yes, the SME needs a notice, a label, a review step or a written reason why the exception applies.

For many firms, this is not a legal memo. It is a publishing and customer-service workflow. Website copy, product images, support replies, recruitment screening, synthetic voice messages and automated document summaries all sit closer to the surface than a board paper on “AI strategy”. They are the places where a regulator, customer or employee can ask what happened.

High-risk delay still needs a first classification

The Omnibus timing is most helpful where the SME is not sure whether a system is high-risk. Employment tools, education selection, access to essential services and safety-related product functions are not ordinary software categories under the Act. They need a first classification before anyone decides the deadline is now distant.

A rough classification is enough for June 2026 if it is honest and dated. It should say whether the system touches an Annex III area, whether the SME is provider, deployer or only a buyer, and whether the system is embedded in a regulated product. The answer can be “unclear”. The missing piece then becomes a named follow-up, not a vague compliance anxiety.

This is where the delay helps. A company can stop pretending that every AI use case needs a full technical file this summer. It can also stop pretending that nothing is due. The correct middle position is an inventory, a first risk label and a small evidence trail.

The buying question changes

SMEs buying AI software should now ask vendors two different questions. The first is still functional: what does the tool do, with which data, under whose control? The second is temporal: which AI Act obligations does the vendor think apply now, in August 2026, in December 2027 and in August 2028?

Good answers will cite the product role and the legal trigger. Weak answers will say only that the tool is “AI Act ready”. The Omnibus makes that phrase less useful, not more. Readiness now depends on which article, which role and which date.

Procurement teams do not need a 40-page questionnaire. They need five written answers:

  • whether the vendor treats the tool as an AI system under the Act;
  • whether it is general-purpose, high-risk, transparency-relevant or none of those;
  • what human oversight or notice is built in;
  • what logs, documentation and exportable evidence the customer receives;
  • what will change when the 2026 and later milestones arrive.

If the vendor cannot answer those points, the SME has learned something before deployment.

Use the delay as evidence time

The worst use of the Omnibus delay is to remove AI Act work from the calendar. The best use is to make the work smaller and more concrete. By the end of summer 2026, a sensible SME should be able to show a list of AI use cases, the first classification for each one, the transparency decisions, the owner and the next review date.

That file will not solve every legal question. It will, however, make the next question answerable. When standards, guidance and national enforcement practice harden, the company will be updating known records rather than discovering its own systems for the first time.

Frequently asked questions

Does the AI Act delay mean SMEs can stop preparing?

No. The political agreement changes the timing for many high-risk AI rules, but Article 50 transparency rules still start applying on 2 August 2026 and the general AI Act framework remains in force.

What should an SME document first?

Start with an inventory: the AI system or tool, who uses it, what decision or content it affects, whether people are informed, and where the evidence is stored.

Sources

  1. Official EU agrees to simplify AI rules to boost innovation and ban nudification apps to protect citizens European Commission accessed
  2. Official AI Act European Commission accessed
  3. Official Timeline for the Implementation of the EU AI Act AI Act Service Desk accessed
  4. Primary Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence EUR-Lex accessed

Image credit: Photo: filing cabinets and indexed books - Element5 Digital, Pexels

Eleanor Whitcombe covers EU AI regulation for Flint Brief.

Spotted an error or want a right of reply? hello@flintbrief.com (subject [Right of reply]).

Stay in the loop

Now and then, a concrete take on internal tools and practical AI for SMEs. No spam.