Brief № 020 · Regulation
The AI Act calendar is now evidence work
The Commission's 2026 guidance queue gives SMEs a practical AI Act task: document systems before legal deadlines become procurement pressure.
On this page
The AI Act is starting to look less like one deadline and more like a filing system. That is not a criticism. It is the part of the regulation that smaller firms can actually use.
The Commission’s current implementation material now points in the same direction: draft classification guidance, a public consultation window, a Single Information Platform, a compliance checker, an explorer and a queue of further 2026 guidelines. For an SME, the practical question is no longer whether Brussels will publish more detail. It will. The question is whether the company can recognise its own AI systems when that detail arrives.
The guidance queue is a work plan
On 4 December 2025, the AI Office said it would develop a series of guidelines during 2026: high-risk classification, Art. 50 transparency requirements, serious-incident reporting, high-risk obligations, fundamental-rights impact assessments, value-chain responsibilities, substantial modification, post-market monitoring, simplified quality-management elements for SMEs and small mid-caps, and the interplay with other EU legislation.
Read that list as a compliance calendar. Not because every SME will need every document, but because each item names an evidence question.
If the future guidance concerns transparency, the firm will need to know where generated or manipulated content appears. If it concerns value-chain responsibility, the firm will need supplier roles and instructions. If it concerns substantial modification, the firm will need a record of what changed after deployment. If it concerns simplified quality management for SMEs, the firm will still need to show what was simplified from.
The cheap work is to start a plain register now. The expensive work is to wait until a client, auditor, insurer or procurement desk asks for proof and then discover that the system owner left six months ago.
Classification is still moving
The Commission’s draft high-risk classification guidelines were published on 19 May 2026. They are under targeted consultation, and the consultation page says the deadline has been extended to 23 July 2026 after stakeholder requests. Final guidelines are expected by the end of 2026.
The draft guidance explains two routes into high-risk status. One concerns AI systems used as products or safety components under harmonised EU product legislation. The other concerns systems that fall into areas listed in Annex III, where the use can significantly affect people’s health, safety or fundamental rights.
That sounds abstract until the system is ordinary: screening job applicants, ranking access to a service, supporting a safety judgement, triaging customers, assessing eligibility, profiling people or embedding AI into a regulated product. The classification question then depends on intended purpose, actual use, people affected, human review and the supplier’s documentation.
This is why the first SME task is not to argue about the final wording of the guidelines. It is to preserve the facts that a classification decision will need.
The Service Desk lowers the friction
The Single Information Platform is useful because it centralises a set of entry points: an AI Act Explorer, a compliance checker, resources, FAQs, national resources and a route to contact the AI Act Service Desk. The platform says it exists to help stakeholders determine whether they are subject to obligations and understand compliance steps.
That is a good development for small firms. It reduces the need to begin with a consultant’s slide deck or a general web search. It also creates a small trap: an online checker can structure the question, but it cannot know the mess of the business.
The tool will not know that the “advisory” output is copied into a rejection email without review. It will not know that an internal model is trained on old performance notes. It will not know that the supplier’s intended purpose is narrower than the sales team’s actual use. It will not know that a workflow changed after launch because someone added a spreadsheet export.
The Service Desk is an entry point. Ownership remains local.
The system card is the useful unit
For an SME, a one-page system card is more useful than a long policy that nobody updates. It should be boring enough to maintain and precise enough to survive scrutiny.
| Field | What to record | Why it matters |
|---|---|---|
| Purpose | The task the AI system is meant to support | Classification starts with intended and actual use |
| Owner | Business owner and technical owner | Someone must re-check the system when guidance changes |
| Affected people | Staff, applicants, customers, suppliers or the public | Risk turns on impact, not just technology |
| Supplier | Model, platform, integrator and contract location | Value-chain duties depend on roles |
| Data | Main input sources and sensitive categories | Weak data records create weak risk decisions |
| Human review | Who can approve, reject or override outputs | Oversight must be operational, not decorative |
| Evidence | Logs, test cases, instructions, supplier documents | Later compliance depends on records kept now |
| Review date | Next check against guidance and system changes | Draft guidance and real workflows both move |
Source: European Commission AI Act implementation pages and draft high-risk classification guidance. Last verified 2026-06-19.
The card does not decide every legal question. It makes the question answerable. Counsel can classify a system faster. A supplier can provide missing documents against named gaps. A developer can see what to log. A manager can see whether the system is still the one originally approved.
Three things to do before the next deadline
First, list the AI systems that already exist. Include paid tools, embedded AI in software, internal automations, pilots and workflows that send company data to a model. Do not limit the list to “AI projects”. The risk often sits in a feature inside a product the company already bought.
Second, separate broad productivity from decisions about people. Drafting text, summarising public documents and helping write code under review are not the same as ranking applicants, prioritising customers, assessing eligibility, steering access to services or supporting safety decisions. The distinction should be visible in the register.
Third, collect supplier artefacts while the purchase is still recent. Terms, data-processing pages, model cards, instructions for use, security notes, admin settings, retention options and audit logs are easier to collect before the tool becomes part of the furniture.
None of this requires a mature governance department. It requires a shared file, a named owner and the discipline to update the card when the system changes.
The line to hold
The AI Act will keep producing guidance through 2026. Some dates will move. Some examples will change. Some tools will improve. That uncertainty is real, but it is not a reason to wait.
The stable work is simpler. Know which AI systems are in use. Know what they do. Know who is affected. Know who reviews outputs. Know which supplier documents exist. Know when the answer must be re-checked.
An SME that can show those facts has not solved the AI Act. It has done something more useful for June 2026: it has made the regulation inspectable inside the business.
Frequently asked questions
Should an SME wait for every final AI Act guideline before acting?
No. Final guidance matters, but the low-regret work is already clear: inventory systems, record intended purpose, name owners, collect supplier documents and schedule re-checks.
Does the AI Act Service Desk decide whether a system is compliant?
No. It provides tools, information and a question route. The company still needs to make and document its own system-specific decisions.
What is the first useful AI Act document for a small firm?
A one-page system card that records purpose, users, affected people, data, supplier, human oversight, logs, risk category assumption and the date for review.
Sources
- Official Supporting the implementation of the AI Act with clear guidelines European Commission, Shaping Europe's digital future accessed
- Official Targeted consultation on the draft guidelines for the classification of high-risk artificial intelligence systems European Commission, Shaping Europe's digital future accessed
- Official Draft Commission guidelines on the classification of high-risk AI systems European Commission, Shaping Europe's digital future accessed
- Official AI Act Single Information Platform European Commission, AI Act Service Desk accessed
- Primary Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence EUR-Lex accessed
Image credit: Photo: flat lay of office supplies including documents, calendar and eyeglasses by Leeloo The First, Pexels License (Pexels)
Eleanor Whitcombe covers EU AI regulation for Flint Brief.
Spotted an error or want a right of reply? hello@flintbrief.com (subject [Right of reply]).