HVNHAI

AI News

EU AI Act: What Applies to SMBs From 2026

04 July 2026 · HVNH AI

In short

The EU AI Act has been in force since August 2024 and applies in stages: bans and AI literacy duties since February 2025, rules for general-purpose AI models since August 2025, most obligations from August 2, 2026. Key for SMBs: most business AI applications fall into the minimal or limited risk class — then transparency and due diligence duties suffice.

What this is about

With Regulation (EU) 2024/1689 — the AI Act — the EU has created the world's first comprehensive legal framework for artificial intelligence. The regulation entered into force on August 1, 2024, but its obligations apply in stages. For SMBs, August 2, 2026 becomes the most important date: that is when the majority of the provisions become applicable. Reason enough for a factual assessment — without alarmism.

The basic principle: four risk classes

The AI Act does not regulate "AI" as such, but specific applications — graded by risk:

  • Unacceptable risk: prohibited, e.g. social scoring or manipulative systems (already in effect since February 2025)
  • High risk: strictly regulated, e.g. AI in hiring decisions, credit scoring, or critical infrastructure — with obligations covering risk management, data quality, documentation, and human oversight
  • Limited risk: transparency obligations — chatbots must be recognizable as AI, and AI-generated content must be labeled
  • Minimal risk: no additional obligations — this is where the majority of business applications sit

The timeline at a glance

  • Since February 2, 2025: bans on unacceptable practices; in addition, companies must ensure sufficient AI literacy among their employees (Art. 4)
  • Since August 2, 2025: obligations for providers of general-purpose AI models (GPAI) plus the governance and sanctions framework
  • From August 2, 2026: the majority of the regulation becomes applicable — in particular the obligations for high-risk systems under Annex III and the transparency obligations
  • From August 2, 2027: end of the transition period for high-risk AI that is part of regulated products (such as machinery or medical devices)

What does this mean in concrete terms for SMBs?

First, the context: most AI applications in small and medium-sized businesses — text drafts, email sorting, document processing, reporting, internal assistants, or AI agents for office processes — fall into the minimal or limited risk category. They remain permitted and require no authorization. Three points matter most:

  1. Know your role: the AI Act distinguishes between providers (who develop AI systems) and deployers (who use them). SMBs are almost always deployers — with significantly leaner obligations
  2. Ensure transparency: if an AI system interacts with customers, such as a chat assistant, this must be recognizable; AI-generated or manipulated content such as deepfakes must be labeled
  3. Check for high-risk cases: things get critical mainly when AI is used in hiring decisions or in evaluating individuals — here, extended obligations apply to deployers as well from August 2026, such as human oversight and informing employees

What companies should do now

  • Take inventory: which AI systems are in use — including unofficially in individual departments?
  • Assign risk classes: check for each application whether transparency or high-risk obligations apply
  • Build AI literacy: the obligation under Art. 4 already applies — short, documented training sessions are sufficient in many cases
  • Documentation and logging: anyone who can trace what their AI systems do will meet upcoming accountability requirements far more easily — reputable providers include logging of agent operations as standard

Assessment: an obligation, yes — a barrier, no

For the vast majority of SMBs, the AI Act is not a prohibition law but a documentation and transparency task. Companies using AI agents for office and administrative processes generally operate in the minimal risk category — and are well prepared with a clean inventory, labeled customer interactions, and logged operations. Reliable details are provided by the regulation text and the official pages of the European Commission (see sources).

Frequently asked questions

Does the EU AI Act also apply to small businesses?
Yes, the AI Act has no general exemption for small businesses. However, the obligations depend on the risk class and your role: a company that only deploys AI for office processes has far fewer obligations than a developer of high-risk systems. In addition, reduced sanction rules are provided for SMEs.
When do the AI Act obligations take effect?
In stages: bans and the AI literacy obligation since February 2, 2025, rules for general-purpose AI models since August 2, 2025, and the majority of the regulation from August 2, 2026. For high-risk AI in regulated products, the transition period runs until August 2, 2027.
Are AI agents for office processes high-risk AI?
As a rule, no. Document processing, email sorting, or quote drafts typically fall under minimal risk. High risk primarily arises when AI is used in hiring decisions, credit decisions, or critical infrastructure — in those cases, extended obligations apply.
What is the AI literacy obligation under Art. 4?
Since February 2025, companies that deploy AI systems must ensure that their employees have sufficient AI literacy. In practice, documented training tailored to the systems and tasks actually in use is usually enough.
What penalties apply for violations?
The fines are tiered: up to 35 million euros or 7 percent of global annual revenue for prohibited practices, less for other violations. For SMEs, the lower of the two amounts applies in each case. Companies that classify and document their applications properly reduce the risk considerably.

Sources