Flint Brief

Brief № 003 · Regulation

EU AI Act for SMEs: the August 2026 cliff edge

Most EU AI Act obligations enter application on 2 August 2026. What EU SMEs must do, what waits till 2027, and what most can ignore.

By Eleanor Whitcombe Last verified

Wide interior view of the European Parliament plenary chamber in Brussels with members of parliament seated in concentric tiers around the speaker's podium.
Photo: European Parliament plenary, Brussels — Wikimedia Commons, CC BY-SA 4.0

Why the August 2026 date matters

The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024 with a staggered application calendar. Most SME decision-makers we speak to in early 2026 believe they have until August 2027 to act. They are wrong.

The real cliff edge for the majority of obligations falls on 2 August 2026. From that date:

  • All substantive requirements on high-risk AI systems (Article 6 and Annex III) become enforceable.
  • Transparency obligations on AI-generated content (Article 50) apply.
  • The General-Purpose AI (GPAI) provider regime is fully in force (Article 51 onwards).
  • National competent authorities have full enforcement powers.

Penalties are not theoretical. Article 99 sets maximum fines at €35 million or 7% of worldwide annual turnover for prohibited practices, €15 million or 3% for non-compliance with high-risk system obligations, and €7.5 million or 1% for incorrect information to authorities. SMEs benefit from lower caps under Article 99(6), but “lower” is still painful at the scale of a typical Mittelstand or PME budget.

The three categories of SME exposure

Most EU SMEs fall into one of three categories regarding the AI Act. Identify yours before doing anything else.

Category A: SMEs that only use general-purpose AI (ChatGPT, Copilot, Claude, etc.)

By far the largest category. Roughly 80% of EU SMEs that use AI in 2026 fall here. Your obligations on 2 August 2026 are limited but not zero:

  • Article 4 (AI literacy) — already in force since 2 February 2025. You must ensure staff using AI systems have adequate competence. Practical translation: written internal policy, mandatory short training, signed acknowledgement.
  • Article 50 (transparency) — applies from 2 August 2026 if you publish AI-generated content to the public (marketing copy, blog posts, synthetic images or voice, chatbots facing customers).

Estimated compliance cost for a 50-person SME: €1,500 to €5,000 for the literacy programme; €500 to €2,000 for the transparency labelling work. Total well under €10,000.

Category B: SMEs that build AI products or significantly customise AI systems

You become a “provider” in the AI Act’s language. Your obligations depend on whether the system is high risk. For most B2B SaaS products in productivity, marketing, finance back-office, the answer is no — but read Annex III carefully before concluding.

If your system is not high risk: Article 50 transparency, Article 4 literacy, and the post-market monitoring duties under Article 16. Manageable.

If your system is high risk (recruitment scoring, credit decisioning, biometric ID, education access, critical infrastructure, etc.): a substantial compliance programme is required. Cost for an SME: €30,000 to €120,000 for an initial Quality Management System, conformity assessment, technical documentation, post-market monitoring, plus ongoing maintenance. Many SMEs in this category will need external legal and technical help.

Category C: SMEs that deploy high-risk AI systems built by others

You become a “deployer” under the Act. Lighter obligations than providers but real ones:

  • Carry out a fundamental rights impact assessment if the system affects natural persons in specified ways (Article 27).
  • Inform staff and worker representatives before deploying a high-risk system in the workplace (Article 26(7)).
  • Cooperate with national authorities (Article 26(12)).
  • Keep logs (Article 26(6)).

Estimated cost: €5,000 to €20,000 for the impact assessment and policy work for a typical deployment.

The article-by-article checklist for Category A (most SMEs)

ArticleWhat it saysWhat you doDone by
Art. 4Staff using AI must be competentWritten policy + 1-2h training + attendance recordsAlready due since 2 Feb 2025
Art. 5Prohibited practices (social scoring, manipulation, biometric categorisation in untargeted ways, etc.)Confirm you don’t do any of these, document itAlready due since 2 Feb 2025
Art. 50Transparency on AI-generated or modified content shown to the publicAdd visible disclosure labels on relevant pages and outputs2 August 2026

That is the whole picture for most SMEs. The rest of the Act simply does not apply.

What about GDPR overlap

The AI Act does not replace GDPR. If your AI system processes personal data, GDPR still applies in full. The good news: a properly done Data Protection Impact Assessment (DPIA) covers a meaningful chunk of the documentation an AI Act conformity assessment would require for high-risk systems.

The bad news: an SME without an existing DPIA practice is accumulating two regulatory debts at once. Doing both at the same time is more efficient than sequencing them.

Common SME misunderstandings we hear

“We don’t have AI, so the Act does not concern us.”

Wrong if any staff member uses ChatGPT, Copilot, or any other generative AI tool for work tasks. Article 4 applies as soon as AI is used, regardless of who built it.

“This is for big tech, not for us.”

Wrong. The Act applies to providers and deployers, regardless of size. SMEs benefit from some derogations and a lighter “sandbox” regime under Article 57-58, but the core obligations stand.

“We will wait for our trade body to tell us what to do.”

Trade bodies are publishing guidance throughout 2026, but they cannot legally substitute for your own assessment. Wait too long and you discover at the last minute that your specific situation needs custom work no template covers.

“We will buy a SaaS compliance tool to handle it.”

The market is flooded with “AI Act compliance platforms” charging €5,000 to €30,000 per year. Most are wrappers around document templates. For Category A SMEs, you don’t need any of them. For Category B and C, a tool can help but does not replace human judgement and legal review.

Who can help in Europe (briefly)

IT lawyers with AI Act practice: Bird & Bird (multi-country), Loyens & Loeff (BE/NL), Osborne Clarke (UK/EU), Hogan Lovells (EU), various national specialists. For SMEs, mid-tier firms are more cost-appropriate than the magic circle.

Technical compliance consultancies: Faculty AI (UK, enterprise scale), Hypatos (DE, document AI angle), various boutique firms in NL, Nordics, BE. SME-focused boutiques typically partner with named law firms for the legal qualification step.

DPOs who upskilled on the AI Act: many national DPO associations have run training programmes since 2024. For a Category A SME, an existing DPO with AI Act training is often the right person to lead the work, with light external technical support.

A realistic 90-day plan for a 30-person SME

Days 1-15 — Map AI usage. Who uses what, for which task. Spreadsheet, not theatre.

Days 15-30 — Draft AI usage policy (2-3 pages). Take an existing template, adapt to your reality. Have your DPO and legal counsel review.

Days 30-45 — Run staff training. 90 minutes per group, max 15 people per session. Capture attendance.

Days 45-60 — Audit any public-facing AI-generated content. Add transparency labels where needed.

Days 60-90 — Assemble the compliance file: policy, training records, content audit log, any DPIAs already done. Ready to show in case of authority request.

Total cost for a 30-person SME if done internally with light external help: €4,000 to €8,000.

Frequently asked questions

Our company only uses ChatGPT and Copilot — does the AI Act apply to us?

Yes. Article 4 on AI literacy applies as soon as any staff member uses an AI system at work, regardless of who built it. You need a written policy, short training, and attendance records. Compliance cost for a 50-person SME: €1,500-€5,000.

What is the deadline for SMEs to comply?

Article 4 (literacy) has been in force since 2 February 2025. Article 50 (transparency labels on AI-generated content shown to the public) applies from 2 August 2026. High-risk system obligations also apply from 2 August 2026, with grandfathering until August 2027 for systems already on the market.

A consultancy quoted us €50,000 for AI Act compliance. Is that normal?

For a Category A SME using general-purpose AI tools, that is significantly overpriced. Realistic budget for an internal compliance programme with light external support: €4,000-€8,000. The €50k figure is only justified if you deploy a genuine high-risk AI system under Annex III.

Lawyer or tech consultant — which do we need?

Both, depending on scope. The IT lawyer qualifies the risk level and drafts the policy framework. The technical consultant builds the operational documentation, logging, and monitoring. For high-risk systems, a paired engagement is recommended.

Sources

  1. Primary Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (AI Act) EUR-Lex accessed
  2. Official AI Act — implementation timeline and obligations entering into application European Commission, DG CONNECT accessed
  3. Official EDPB — guidelines, recommendations and best practices (informs Annex III risk reading) European Data Protection Board accessed
  4. Primary Annex III to Regulation (EU) 2024/1689 — high-risk AI systems EUR-Lex accessed

Image credit: Photo: European Parliament plenary, Brussels — Wikimedia Commons, CC BY-SA 4.0

Eleanor Whitcombe covers EU AI regulation for Flint Brief.

Spotted an error or want a right of reply? [email protected] (subject [Right of reply]).