EU AI Act: What Changes for Your SME in August 2026 (Less Than a Month Away)

·9 min read

August 2, 2026 - 25 days from now - is when the EU AI Act enters its most concrete phase for businesses that use artificial intelligence daily.

If you run a small or medium company and you use ChatGPT to reply to customers, Copilot to code, or an AI-powered HR tool to screen CVs, this applies to you. Not the eye-watering maximum fines - penalties are proportional to company size - but common-sense obligations you can sort out in a morning.

This article covers what changes on August 2, what doesn't, and what you should do this month to stay compliant without burning budget.

Why August 2026 Matters

The AI Act (Regulation EU 2024/1689) entered into force on August 1, 2024, but obligations are being phased in. Here's where we stand:

  • February 2025: prohibited AI practices banned + AI literacy requirement (Article 4)
  • August 2025: penalty regime applicable
  • August 2, 2026: obligations for deployers of high-risk AI systems + transparency rules for limited-risk systems (chatbots, deepfakes)

This last deadline is the one that matters to you. It's the first time obligations directly target companies that use AI - not just companies that build it.

On a positive note, a political agreement on AI Act simplification was reached on May 7, 2026 (the "AI Omnibus" package). Its aim: reduce administrative burden for SMEs. Final details are being published, but the direction is clearly toward proportionality.

The Four Risk Categories: Where Your SME Stands

The AI Act classifies AI usage into four risk levels. Good news: most SMEs fall into the least restrictive categories.

Minimal Risk (unregulated)

This is where the vast majority of SME AI usage sits: ChatGPT for drafting emails, Claude for document analysis, Copilot for coding, spam filters, and basic productivity tools.

Obligation: none. Keep using them as before.

Limited Risk (transparency)

If you run a chatbot on your website (even a simple one built with n8n + OpenAI), or generate AI content without disclosure, you're in this category.

Obligation: inform users they're interacting with an AI system. A banner on your chatbot - "You are chatting with an AI assistant" - or a note on AI-generated content is enough.

Cost: €0 to €500 - updating your terms of service and adding a banner. If you have a website chatbot, this is a 30-minute job.

High Risk (full obligations)

Your company enters this category if you use AI for:

  • Recruitment: automated CV screening, AI candidate evaluation
  • Credit decisions: client scoring, creditworthiness assessment
  • Access to education or professional training
  • Automated employee performance evaluation

If you use an HR SaaS that screens CVs by AI, your provider must be compliant - but as the deployer, so must you.

Practical obligations:

  • Human oversight of AI decisions
  • Documentation of training data
  • Transparency on decision criteria
  • Proportionate risk management system

Cost: €5,000 to €15,000 for initial compliance, potentially including legal support.

Unacceptable Risk (banned since February 2025)

Behavioral manipulation, social scoring, real-time facial recognition in public spaces - all already prohibited. No normal SME is affected.

AI Literacy (Article 4): The Quiet Obligation Already in Force

Since February 2025, Article 4 requires businesses to ensure their teams have a sufficient level of AI literacy.

For a company of 10 people, this doesn't mean a full-time AI officer. It means:

  • Training staff who use AI on basic risks (hallucinations, bias, confidentiality)
  • Establishing an internal AI usage policy
  • Keeping training records

How to do it:

  1. Run a 1-2 hour internal session covering: what AI is, its limits, what not to feed it (client data, confidential information)
  2. Write a 2-page policy listing approved tools and usage rules
  3. Keep a list of attendees and training materials

Estimated cost: €0 to €500 for a micro-enterprise using free EU resources (AI literacy guide, training program database).

Penalties: Yes, They Can Hurt

The headline numbers - 7% of global annual turnover - apply to the most serious violations by the largest companies.

For SMEs, the scale is capped:

Violation type Maximum fine (SME)
Prohibited practices (Article 5) €35M or 7% of turnover - capped at the lower of the two for SMEs
High-risk AI non-compliance €15M or 3% of turnover
Incorrect info to authorities €7.5M or 1.5% of turnover

The real risk isn't the maximum fine - it's an audit or complaint. A client complaint, a candidate who wasn't told an AI screened their CV, or a sector-wide inspection, and you must demonstrate compliance.

In practice, an SME that can show proportionate measures (training, transparency, documentation) has nothing to fear. Regulators' approach toward small players is clearly educational, not punitive.

4 Things to Do THIS Month (Before August 2)

Here's your compliance checklist. Budget half a day.

1. Audit your AI usage (30 min)

List every AI tool your company uses: ChatGPT, Copilot, website chatbots, HR software, accounting tools with AI features.

Ask for each tool:

  • Does it interact with a customer or prospect? → limited risk (transparency)
  • Does it make a decision affecting someone (hiring, credit, evaluation)? → high risk
  • Is it just an internal productivity tool? → minimal risk, nothing to do

2. Update your legal notices (30 min)

Add a clause to your terms of service and privacy policy covering:

  • Which AI tools you use
  • Their purpose
  • How data is processed

If you have a website chatbot, add a visible banner: "You are chatting with an AI assistant."

3. Train your team (1-2 hours)

Run a short awareness session covering:

  • What AI can and can't do reliably
  • Data you must never put in a public AI tool (client data, confidential info)
  • How to verify AI output (fighting hallucinations)
  • "Human in the loop" best practices

Keep records: invitation, materials, sign-in sheet.

4. Document your compliance (30 min)

Create a folder (a Google Doc is fine) containing:

  • Your AI usage inventory with risk classification
  • Your internal AI usage policy
  • Training materials and attendee list
  • Updated terms of service

This folder is your proof in case of an audit. If you have this, you're compliant for a standard SME.

What If You Do Nothing?

Honestly? Nothing will probably happen on August 3, 2026. Regulators don't have the capacity to inspect thousands of SMEs the day after a deadline.

The real risks are elsewhere:

  • A client or candidate files a complaint because they weren't told they were interacting with AI
  • A sector-wide audit triggered by an incident
  • A compliance clause in a client or supplier contract demanding proof of AI Act compliance (increasingly common)

In those scenarios, having no documentation turns an easy fix into a potential fine. Two hours of work today avoids that.

The AI Act Is Not a Technical Problem - It's an Organizational One

If you remember one thing from this article: the AI Act doesn't require you to stop using AI. It requires you to know what you're using, why, and that your team has the basics to use it properly.

For an SME, this is a question of organization, not budget. Estimated compliance cost: €0 to €3,000 depending on your situation. And the official resources - Commission's SME guide, AI Act Compliance Checker, national authority recommendations - are all free.

If this still feels unclear or you want to make sure nothing slips before August 2, I build these compliance diagnostics for French SMEs. A 30-minute call, and you walk away with your personalized checklist.

Also available: Read in French