The EU AI Act: The August 2026 Deadline for SMBs

The EU AI Act is the European regulation governing the use of artificial intelligence, and a new wave of obligations becomes applicable on August 2, 2026: transparency, general-purpose model governance, and the first requirements on high-risk systems. If you use AI in your business — even just ChatGPT to draft emails — you’re in scope. The good news: for a typical SMB, 5 to 10 days of work before the summer is enough to be compliant. Here’s exactly what to do, and in what order.

What Actually Changes on August 2, 2026

The AI Act has been phasing in since 2024. Three milestones matter:

1. February 2025: ban on “unacceptable-risk” uses (social scoring, manipulation, unauthorized biometric surveillance). Already in force.
2. August 2025: obligations on general-purpose AI models (GPAI) — providers like OpenAI, Anthropic, Google. Already in force on the vendor side.
3. August 2, 2026: this is the milestone that concerns you as a professional user (deployer). Reinforced transparency obligations, governance of high-risk systems, designated points of contact, traceability.

In short: until now, the pressure was mostly on model providers. From August 2026, it’s you, the business using AI, who must demonstrate a framework.

Are You Actually in Scope? The 3-Question Test

Many leaders assume the AI Act only targets big tech. Wrong. Ask yourself these 3 questions:

• Do you use an AI tool in the EU? (ChatGPT, Copilot, a chatbot, a CV-screening tool…) → you’re a “deployer.”
• Does AI touch decisions about people? (hiring, credit, evaluation, access to a service) → you may be entering “high-risk” territory.
• Does AI interact directly with your customers? (chatbot, content generation, voice) → transparency obligation.

If you answer yes to at least one, you have obligations from August 2026. For 80% of SMBs, these are light obligations (transparency + documented common sense). For those doing HR, scoring, or credit, it’s more serious.

Note: the AI Act applies to any organization placing on the market or using AI in the EU — even a US or UK company serving European customers is in scope.

The 4 Risk Classes of the AI Act

The AI Act sorts AI systems into four tiers. Knowing where you sit drives everything else.

Risk class	Examples	Your obligations
Unacceptable risk	Social scoring, manipulation	Banned, full stop.
High risk	CV screening, credit scoring, HR AI, biometrics	Heavy: documentation, human oversight, logs, assessment
Limited risk	Chatbots, content generation, deepfakes	Transparency: tell users they’re dealing with AI
Minimal risk	Spam filters, suggestions, drafts	No specific obligation

The vast majority of SMB use cases fall into limited or minimal risk. The trap is HR: a candidate-screening tool flips into high risk, with much heavier obligations.

The Checklist: What an SMB Must Have Done Before Summer

Here are the 7 actions to close out before August 2, 2026, ranked by priority.

1. Inventory Your AI Use Cases (1-2 days)

List every AI tool used in the company, including employees’ “shadow” usage. For each: who, what for, with which data, what risk class. This is the foundation: without an inventory, you can’t prove anything. We detail the method in our article on AI governance for SMBs.

2. Classify Each Use by Risk Level (1 day)

For each tool in the inventory, assign one of the 4 classes. Most importantly, flag the high-risk uses (HR, credit, biometrics) that need special handling.

3. Turn On Customer Transparency (1-2 days)

Any AI system that talks to a customer or generates content must disclose it. A note on chatbots (“I’m an AI assistant”), disclosure in automated emails, marking of generated content. It’s the most visible obligation and the easiest to forget.

4. Put Human Oversight on Impactful Decisions (1 day)

No HR, financial, or legal decision should be made by AI alone. Define who validates what. For high-risk uses it’s a legal requirement; for the rest it’s common sense that protects you.

5. Document an AI Usage Policy (2-3 days)

A 2-4 page charter: authorized tools, data forbidden to paste, review rules, disclosure. This is the document you’ll present in case of a review, to a demanding B2B client, or to your cyber insurer.

6. Train Your Teams (AI Literacy) (ongoing)

Since February 2025, the AI Act requires a sufficient level of “AI literacy” among users (art. 4). In practice: a half-day awareness session is enough for an SMB. It’s rarely done — and yet explicitly required.

7. Designate an AI Lead (managerial decision)

No dedicated role needed. One person (often IT or the executive team) owns the inventory, regulatory monitoring, and arbitration. It’s the single internal point of contact.

What It Costs — and What Doing Nothing Costs

Three numbers to keep in mind:

• SMB compliance: 5 to 10 person-days for a “limited-risk” use, i.e. $3,500 to $9,000 internally or with external support.
• Maximum AI Act fine: up to €35M or 7% of global revenue for prohibited uses; up to €15M or 3% for other serious breaches.
• Real risk for an SMB: beyond the fine (unlikely for a small structure acting in good faith), the real risk is losing a B2B contract when the buyer demands compliance, or a cyber-insurance denial. Observed cost: $33-220K per incident.

At PIWA, we already see it: on 2026 B2B tenders, AI Act compliance is becoming a pass/fail checkbox. It’s no longer an abstract legal topic — it’s a commercial one.

The Recommended Timeline Before August 2

• May-June: actions 1, 2, 3 (inventory, classification, transparency). The visible base.
• June-July: actions 4, 5, 6 (oversight, charter, training). The internal framework.
• July: action 7 (lead) + final review. You’re ready before the deadline, no last-minute scramble.

Starting now gives you over two months of comfortable margin. Wait until September and you’re already late.

FAQ

Does the AI Act apply to SMBs or only large companies?

The AI Act applies to any organization that develops or uses an AI system in the European Union, regardless of size. Obligations are proportional to risk, not company size. An SMB using a simple chatbot has light obligations; an SMB doing automated CV screening has heavy ones.

What concretely happens on August 2, 2026?

It’s the date obligations kick in for deployers (professional users) and governance rules for high-risk systems. Earlier milestones (February 2025, August 2025) mainly targeted prohibited uses and model providers. August 2026 is the milestone that directly concerns the majority of business users.

If I only use ChatGPT, am I in scope?

Yes, but lightly. You’re a “deployer” of a minimal- or limited-risk system. Your main obligations: transparency (flagging generated content or AI interactions with customers), basic AI literacy training for your teams, and a documented usage policy. Count a few days of work, not a heavy compliance project.

What’s the maximum fine under the AI Act?

Up to €35 million or 7% of annual global revenue for unacceptable-risk uses. Up to €15 million or 3% for other serious breaches (a non-compliant high-risk system, for example). For a good-faith SMB, the real risk sits more on the commercial and insurance side than on direct fines.

Where do I start if I’ve done nothing?

With the inventory of your AI use cases (action 1 of the checklist). It’s fast, free, and immediately reveals your risk zones. From there, 80% of SMBs discover they’re almost compliant and only missing transparency and documentation. See also our checklist of 10 AI governance guardrails.

Next Step: An Express AI Act Audit Before Summer

Not sure where you stand against the August deadline? That’s exactly what a PIWA AI audit covers. We start from your real use cases, classify them by risk level, identify the 3 priority actions to close before August 2, and price the effort.

Book an AI Act compliance audit — 30 minutes to assess your AI Act exposure and leave with a dated action plan before the August 2026 deadline.