The EU AI Act applies from 2 August 2026: what your SME should do now
If you run a smaller company and you have been putting off the EU AI Act, this is the moment to give it an afternoon of attention. From 2 August 2026, the next set of obligations applies, including the transparency rules in article 50. That is about two months away.
The good news: for most SMEs the to-do list is short and practical. You almost certainly do not need a compliance department. You need an inventory, an owner, and a few sensible habits. Here is what actually matters, in plain operational terms.
You are probably a deployer, not a provider
The AI Act treats the company that builds an AI system (the provider) very differently from the company that simply uses one (the deployer). If you use a customer-service chatbot, an automated CV filter, a lead-scoring tool, or any feature built on a language model, you are a deployer. That is the lighter category, and it is where most SMEs sit.
Deployer obligations are reasonable: be transparent when people interact with AI, keep humans in the loop for decisions that affect people, and make sure your staff understand the tools they use. None of that should stop you from using AI. It mostly asks you to use it deliberately.
A short, practical checklist
Make an inventory. List every place AI touches your business, including the quiet ones hidden inside tools you already pay for. You cannot govern what you have not written down.
Give someone ownership. One named person who keeps the list current and answers the question “are we still fine?” This does not need to be a lawyer. It needs to be someone who pays attention.
Train your team. The AI literacy obligation in article 4 has applied since February 2025. In practice this means your people should understand, at a basic level, what your AI tools do, where they are reliable, and where a human needs to check. A short internal session is usually enough.
Be transparent. Tell customers when they are talking to a bot, and label AI-generated content where it could mislead. This builds trust as much as it satisfies the rule.
Keep a one-page register. For each AI use: what it does, what data it touches, who owns it, and whether a human reviews its output. One page is genuinely enough for most SMEs, and it is the document that makes an audit boring instead of frightening.
What the Digital Omnibus recently changed
The timeline moved in a few helpful ways. The simplified regime for smaller companies has been widened, so more mid-sized firms qualify for lighter documentation and reduced fines. Some deadlines shifted too: the rules for high-risk systems in Annex III now run later, and content-labelling obligations were rebalanced. The headline date for the transparency obligations, though, is still 2 August 2026. The direction of travel is “simpler for small companies, stricter where the risk is real”, which is exactly the right instinct.
This is manageable, not a reason to stop
The mistake I see is companies treating the AI Act as a reason to freeze. They pause useful, low-risk automation out of vague worry, and lose the time savings while gaining no real protection. The opposite approach works better: keep using AI where it earns its place, and put a light layer of governance around it so you can prove you are in control.
If you want help turning that checklist into something concrete for your situation, an AI impact assessment is the focused way to do it. We map where you use AI, flag anything that needs attention under the AI Act and GDPR, and leave you with a short register and a clear set of next steps. Two months is plenty of time to get there calmly. It is much less pleasant to start in August.