EU AI Act: what does your SMB need to sort before 2 August?
EU AI Act: what does your SMB need to sort before 2 August?
A practical checklist for SMBs. What you really need to handle before the 2 August 2026 AI Act deadline, and what you can safely leave alone.
The 2 August 2026 deadline is getting close, and part of the AI Act starts to apply from then. Good news up front: for most SMBs the list is a lot shorter than the internet wants you to believe. This piece is purely about action. No explainer of the law, just what you concretely pick up over the next few weeks.
One thing first. Part of the heaviest rules moved to December 2027 with the recent Digital Omnibus. So you don't need the high-risk obligations sorted by 2 August. What does kick in is transparency, plus enforcement of AI literacy. That's what this checklist focuses on.
And to be clear: this is general information, not legal advice. If you have a doubt about your situation, run it past a lawyer.
1. Inventory the AI tools you use
You can't assess what you can't see. So start with a list. Which tools with AI are in your business? Think of a chatbot on your site, the AI features in your CRM, a tool that transcribes meetings, image generation for your marketing, or the assistant in your mail app.
Do this this week: put them in a simple overview. Per tool, note what it does, who uses it, and whether customer or personal data flows through it. You don't need more yet. This little list is the foundation under every step that follows.
2. Check whether your use falls in a risk category
Go down your list and mark roughly where each tool sits. The law works with four levels, from banned to minimal risk. Most office tools sit in that lowest group, with no obligations. High risk is about sensitive decisions, for example AI that helps decide who you hire or who gets credit. If you're there, that's good to know, though those obligations just moved to late 2027.
The category that matters now is limited risk. That covers your chatbot and AI content, and it asks for openness. Want to read the levels through calmly? We explain what the AI Act actually covers in our overview.
Do this this week: write one word behind each tool: minimal, limited, or high. The fine-tuning comes later.
3. Put someone in charge
Not because the law demands an official AI officer for ordinary users, because it doesn't. But because "everyone" tends to mean "no one" in practice. Pick one person who guards the overview: which tools we use, what's changing, where people go with questions. In a small team that might be you. Fine.
Do this this week: write down a name. Give that person half an hour a month to keep the list current.
4. Document your AI use toward customers
This is the part that genuinely kicks in on 2 August. If a visitor talks to a chatbot, they need to know it's AI and not a colleague. If you put AI-generated text or images out into the world, be open about it. It's about honesty, not a thick compliance file.
Do this this week: check that your chatbot has a clear notice. Add a short line to your privacy or AI statement about where you use AI. For labeling the AI content itself you have a bit more time, that part only starts in December. The openness you handle now.
5. Check your supplier contracts
You use most AI through someone else: a SaaS tool, an external API, a platform. That makes you the user and them the provider. Ask your suppliers what they handle for you. Do they deliver the documentation and the transparency information you need? Is it written down anywhere?
Watch out with custom work. If you have an AI solution built to your specification, you might be the provider yourself, even if someone else does the building. That changes your role and your obligations.
Do this this week: email your most important AI supplier with that one question, and ask for the answer in writing.
6. Sort out AI literacy for your team
This one has been in the law longer, since February 2025, and from 3 August 2026 it can be enforced too. The core is simple: everyone who works with AI understands in broad strokes what the tool does and where it goes wrong. No expensive course needed. A short internal session and a few agreements on paper already get you far.
It's how we keep AI in check ourselves too. We wrote about that in how we use AI responsibly.
Do this this week: schedule half an hour with your team. Put on a single page how you use AI and what you deliberately don't use it for.
7. What you do NOT need to do
Let's hit the brakes, because a lot of nonsense is going around. You don't need to do this right now:
- Set up a compliance department. For ordinary, low-risk use that's overkill.
- Ban ChatGPT, Copilot, or your other tools. Keep using them, just be open where the output goes public.
- Have the high-risk obligations finished by 2 August. Those moved to December 2027 with the Digital Omnibus.
- Worry about ordinary software without AI. Your website or your bookkeeping simply falls outside the law.
- Lose sleep over those huge fine figures. Those are maximums for serious violations, and for SMBs the law scales with your size.
Stick to the core: be open about where you use AI, and make sure your team understands what they're working with.
Stuck?
Not sure where your AI use lands, or want to spar before 2 August arrives? Feel free to run it by us. Book a call, and we'll go through your list together and see what actually applies to you.
One more time, just to be safe: this is general information and not legal advice. For your specific situation, a lawyer remains the right place to go.
Frequently asked questions
Does my SMB need everything sorted by 2 August 2026?
No. What kicks in then is mainly transparency, and enforcement of AI literacy begins. The heavy high-risk obligations moved to December 2027 with the Digital Omnibus. For most businesses with ordinary, low-risk tools the list is short.
Do ChatGPT, Copilot, and similar tools fall under the law?
Yes, but you usually use them as a user, not as a maker. You don't need to drop them. Be open where customers see AI output, and make sure your team understands how the tools work and where they get it wrong.
Will I be fined right away if I've done nothing yet?
The fines are meant for the serious violations and scale with the size of your business. For ordinary, low-risk use that chance is small. The biggest practical risk is simply forgetting to be open about your AI use. Fix that first.
What if I have AI custom-built?
Then you might be the provider yourself, with more obligations than an ordinary user. Discuss that with your builder beforehand, so you know which role you're in before anything goes live.