AI Act: GPAI Obligations for SMBs by August 2026


Pillar guide → For the full breakdown of EU AI Act obligations for SMEs and SMBs (Art. 4, 5, 26, 27, 50, fines, timeline), see our complete EU AI Act SME compliance guide.

Today is 22 April 2026. In roughly three months, on 2 August 2026, the grace period ends for every General-Purpose AI (GPAI) model that was placed on the EU market before August 2025. That means Regulation (EU) 2024/1689 – the AI Act – applies in full to the large language models that European businesses are using every single day: ChatGPT, Claude, Gemini, Mistral Large. If you deploy any of these in a work context, you are not a passive user. You are a "deployer" under the AI Act, and deployers have obligations.

The European SMB market has largely shrugged this off. In our work with clients across the EU, fewer than 15 percent have documented their deployer duties at all. Most are betting that national regulators and the European Data Protection Board (EDPB) will go after large enterprises first. That is a risky bet: the AI Act interlocks with the GDPR, and the fine ceilings (up to 35 million euros or 7 percent of global annual turnover) flow through Article 99 straight to national market-surveillance authorities.

What the AI Act requires

The core GPAI rules sit in Article 53 of the Regulation. Providers of general-purpose AI models must:

  • Maintain up-to-date technical documentation of the model (Art. 53(1)(a)) covering training data, evaluation, and energy consumption.
  • Supply information to downstream providers (Art. 53(1)(b)) so they can meet their own obligations.
  • Implement a policy for EU copyright compliance (Art. 53(1)(c)), including respect for text-and-data-mining opt-outs under Art. 4(3) of the DSM Directive.
  • Publish a sufficiently detailed summary of the training data (Art. 53(1)(d)).

For models with "systemic risk" (Art. 55) – roughly every frontier model above 10^25 FLOPs of training compute – add red-teaming, incident reporting, and cybersecurity duties. The Code of Practice introduced by Art. 56 (version 2.0 released March 2026) operationalises these.

More immediately relevant for SMBs is Article 50: anyone publishing AI-generated text, images, or audio must label them as such when they resemble "real persons, places or events" (the deepfake clause). Synthetic text output must also be machine-readably marked as AI-generated.

Provider vs deployer

The AI Act separates two roles cleanly, and which one you are determines everything:

  • Provider (Art. 3(3)) is whoever develops the AI system or places it on the market under their own name. For GPT-4, that is OpenAI. For Llama 3.3, that is Meta. In 99 percent of cases, it is not your SMB.
  • Deployer (Art. 3(4)) is whoever uses an AI system under their own authority. That is the accounting firm in Dublin drafting client letters with Claude. The Amsterdam online retailer generating product descriptions with GPT-4. That is you.

Deployer obligations are lighter than provider obligations, but they are real. And from 2 August 2026 they apply to GPAI-based applications that were already in use before August 2025.

Deployer obligations in detail

Four obligations every EU SMB using language models must implement:

  1. Transparency towards users (Art. 50(1) and (4)). Customers speaking to your AI chatbot must be told. Employees whose job applications are pre-filtered by an AI tool must be told. AI-generated text on your website needs a disclosure.
  2. Human oversight (Art. 26(2)). A competent, trained human must supervise AI output. For high-risk systems, this is a hard requirement; for GPAI deployment in lower risk tiers, it follows from general duty-of-care and labour-law frameworks.
  3. Data Protection Impact Assessment. The moment personal data flows into the model – employee names, customer records, health data – Art. 35 GDPR requires a DPIA. That is not strictly an AI Act obligation, but the EDPB and national authorities read both texts together. Skip the DPIA and you have two violations instead of one.
  4. Record-keeping (Art. 26(6)). Automatically generated logs must be retained for at least six months where the deployer controls them. With cloud APIs, you usually do not control them – OpenAI retains logs under its own policy, not yours. That gap is a compliance problem.

Why local LLMs are the simplest compliance answer

Here is where the strategic opportunity shows up. The Schrems-II ruling of the CJEU (C-311/18) made clear that transferring personal data to the United States without additional safeguards is incompatible with the GDPR. The 2023 EU-US Data Privacy Framework has formally defused the issue, but noyb and other NGOs have already filed challenges. Building today on OpenAI means placing a political bet on whether that framework survives.

Layer the AI Act on top. When you run a cloud model, you inherit dependencies on the upstream provider: their technical documentation, their training-data summary, their incident reporting. You must reference these in your own deployer records. With OpenAI: good luck.

Running a local model solves both problems in one step. Llama 3.3 (70B parameters) runs on a Mac Studio M3 Ultra with 192 GB of unified memory at 15-25 tokens per second – fast enough for production use. Qwen 2.5-72B and DeepSeek-V3 are comparable alternatives. The weights are openly available, the model cards are documented, and inference happens in your own server room. No Schrems-II question. No Microsoft Azure logs. No dependence on OpenAI's next policy update.

The saving on deployer duties is substantial: your DPIA becomes trivial (no third-country transfer), your logs sit on your own hardware, your transparency obligations can be met end-to-end. In short, you move the compliance burden from the legal side of the house to the technical side – and that is where we prefer to have it.

Implementation details live in our guide to data sovereignty.

What to do before 2 August 2026

Three months is enough if you start now. Our minimal roadmap for a typical 20-200-person European SMB:

  1. Inventory (end of April). List every AI service used in your company. Include shadow IT – your staff use ChatGPT on personal accounts, and you know it. Classify each use by risk tier under Annex III.
  2. DPIA and deployer records (May). For each use involving personal data, run a DPIA. For each deployment, write a short deployer description: purpose, data flows, accountable person, human oversight arrangements.
  3. Transparency rollout (June). Labels on the website, in the chatbot, in generated content. Staff information sheet. Training (Art. 4 AI Act requires "AI literacy"). Our training programmes cover this mandatory piece.
  4. Strategic cut (July). Decide which use cases should move in-house. A pilot with Llama 3.3 on dedicated hardware, retrieval-augmented against your knowledge base, two months of evaluation. Most professional-services firms and manufacturers we work with run 20 users comfortably on a single Mac Studio.
  5. Cut-off 2 August 2026. From that day on, the regime is live. Fines become practically relevant in the second year of enforcement.

If you cannot build this alongside day-to-day operations, that is what we are here for. Start with a pilot project – 14 days, flat fee, a clean go/no-go decision at the end.