EU AI Act High-Risk Deadline Delayed to 2027–2028: What SMBs Must Do Now

Tags: eu-ai-act, compliance, local-ai

The EU AI Act has been law since August 2024 — but its most demanding obligations for operators of high-risk AI systems are now shifting. Regulatory observers on X report that EU lawmakers have reached agreement on delaying key obligations for high-risk AI systems, with the revised timeline extending to 2027–2028. The cited reasons include the complexity of implementation and the absence of finalized technical standards that operators and conformity assessment bodies need to act on.

For SMBs, this means more runway. Strategically, however, the question is how to use that time — not whether to use it.

What Has Already Entered Force — and What Is Shifting

Based on our reading of the current legislative landscape, the following obligations remain fully in effect:

  • Prohibited practices (Art. 5, since February 2025): Bans on real-time biometric surveillance in public spaces, social scoring, and certain manipulative AI techniques remain in force and are not affected by any delay.
  • GPAI obligations (since August 2025): Transparency and documentation requirements for providers of general-purpose AI models are live, as confirmed by the EU Commission's published guidelines. These primarily affect model developers — large AI labs — not SMBs as operators.
  • High-risk system operator obligations (Annex III): These were originally set for August 2026 for most categories. According to reports from regulatory practitioners, this timeline is now sliding to 2027–2028.

The practical takeaway: organizations that have been preparing for an August 2026 deadline gain breathing room. Organizations that haven't started should not interpret the delay as permission to continue waiting — conformity assessments, risk management systems, and technical documentation require substantial lead time.

Which SMBs Are Exposed to High-Risk Obligations

Many SMB leaders assume high-risk AI is a concern only for large enterprises. That assumption deserves scrutiny. Annex III of the EU AI Act lists categories that appear regularly in SMB operations:

  • Recruitment and HR AI — automated CV screening, AI-powered candidate ranking or scoring tools
  • Credit and financial assessment — creditworthiness tools, including SaaS products used by smaller lenders and fintechs
  • Critical infrastructure management — AI systems managing energy distribution, water supply, or transport networks (relevant for municipal operators and utility providers)
  • Education and vocational training — automated exam assessment, AI-driven admissions decisions

An SMB using a SaaS recruiting tool that filters or ranks job applicants is likely operating a high-risk AI system under this framework. When Annex III obligations eventually apply, that SMB will need documented risk management systems, technical documentation, human oversight processes, and completed conformity assessments.

By contrast, an SMB running a local LLM for internal knowledge retrieval, document summarization, or communication drafting typically sits outside Annex III scope — provided no automated decisions with significant individual impact are being made. No automated administrative decision, no meaningful effect on a natural person: in most cases, no high-risk classification. This is a structural regulatory advantage of local AI infrastructure, independent of the data protection case.

Learn more about what local AI systems can do for your business: /local-ai.html.

The Digital Omnibus: What's Moving in Parallel in Brussels

While the AI Act timeline shifts, a second legislative package is progressing through EU institutions: the Digital Omnibus. Commentators with EU regulatory expertise note on X that this package is advancing toward formal approval, and that it was originally designed to create more flexibility for AI development within the GDPR framework — including more accommodating rules for training data processing. Based on our reading, the initial proposals were significantly watered down during the legislative process.

The practical takeaway for SMBs: do not count on GDPR relief for AI use cases. Data protection remains the hardest constraint regardless of what the Omnibus package ultimately contains.

Why Cloud AI Remains Structurally Exposed

The AI Act delay doesn't touch GDPR. Cloud LLMs hosted outside the EU — regardless of contractual arrangements — remain subject to the laws of their home jurisdictions, which in some cases allow government authorities access to stored data. EU adequacy decisions can be politically revoked; standard contractual clauses do not provide protection against extraterritorial access demands.

Local LLMs, running on your own hardware within your own network, eliminate these risks structurally: no data transfer, no third-party processing, no exposure to shifts in bilateral data protection agreements. For a deeper look at what data sovereignty means in practice: /data-sovereignty.html.

Four Things SMBs Should Do With the Extra Time

A revised deadline is an opportunity. Here is how to use it:

1. Build an AI inventory

Which AI systems are you running? Which decisions do they make, and with what impact on individuals — employees, applicants, customers, or end users? An honest inventory is the foundation of any compliance posture and surfaces risk regardless of regulatory deadlines.

2. Screen for Annex III applicability

Does any system in your inventory fall into a high-risk category? If yes: conformity assessments and risk management systems require preparation time measured in months, not days. Starting now means arriving at 2027 ready rather than scrambling.

3. Shift workloads to local infrastructure

Operators of local AI systems have structural advantages when it comes to fulfilling operator obligations: full control over system configuration, logging, audit trails, and data flows. Cloud dependencies make documentation and human oversight requirements significantly harder and more expensive to fulfill.

4. Start documenting today

Even for non-high-risk AI use cases: document which model runs where, for what purpose, with what data. In eighteen months, reconstructing that information will cost far more than creating it today. Good AI governance documentation is a durable asset.

Freshlab helps SMBs build local LLM infrastructure that is both regulatorily robust and operationally scalable. Our pilot project delivers a working local AI environment in six weeks — no cloud, no vendor lock-in, full audit capability from day one.

The Bottom Line

The delay of EU AI Act high-risk obligations to 2027–2028 gives SMBs more time. It doesn't change GDPR, and it doesn't change the strategic case for building local, sovereign AI infrastructure. Organizations that use this window to build inventory, screen for high-risk exposure, and shift to local infrastructure will be significantly better positioned than those who treat the delay as permission to wait.

Ready to understand what the EU AI Act means for your business? Get in touch — we'll help you assess your exposure and identify next steps.