2 August 2026 is no longer a distant date. That is when national authorities gain supervisory and enforcement powers, and the deployer obligations that already apply (AI literacy under Article 4 and transparency under Article 50) become enforceable for every company using AI systems in Europe.
Update (Digital Omnibus, May 2026): The obligations for high-risk systems (Annex III, e.g. HR or credit scoring) have been postponed to 2 December 2027, and Annex I (regulated products) to 2 August 2028. So what is enforceable in August 2026 is mainly Article 4 and Article 50, plus the authorities' supervisory powers.
This does not apply only to tech firms or AI developers. Based on our reading of the regulation, it applies to any business that uses AI internally, whether that is a cloud service like ChatGPT, a local language model, or an automated classification tool.
For most small and medium-sized businesses, this is uncharted territory. If you have been using AI without worrying about documentation, it is time to act. This article lays out the concrete steps required before August 2026 and explains how kAIra delivers the full compliance package ready to use.
Who exactly is affected?
The EU AI Act distinguishes between providers (companies that develop and distribute AI) and deployers (companies that use AI in their operations). As an SMB using a language model, an automated document tool, or a classification system, you are a deployer under the Act. This applies regardless of whether you use cloud AI or a local solution like kAIra.
Micro-enterprises are not exempt. The scope of obligations varies by the risk class of the system deployed, but no business that uses AI is entirely outside the framework.
Five key deployer obligations before August 2026
1. Ensure AI competence across your team (Art. 4)
This obligation has already applied since 2 February 2025. Staff who use AI systems must have a documented basic understanding of how those systems work, where they can fail, and what the limits are. This does not require a technical certification, but it does require structured onboarding. The kAIra pilot project includes a dedicated key-user training day designed specifically for this requirement.
2. Determine the risk class of each AI system
Not every AI system carries the same risk. Based on our reading, the Act distinguishes three levels:
- Minimal risk: Summarisation, translation, RAG search, meeting minutes, document templates. The lightest obligations apply.
- Limited risk (Art. 50): Chatbots and AI systems that interact directly with users. Transparency labelling is mandatory.
- High risk (Annex III): AI used in HR decisions, credit scoring, biometric analysis, or safety-critical contexts. The most demanding requirements apply, including a fundamental rights assessment.
For typical kAIra tools such as WikiHub, MailForge, Textus, or the document search, the minimal risk level is appropriate in most use cases based on our reading. TalentLens for HR decisions may fall into the high-risk category depending on how it is used.
3. Designate human oversight and document it (Art. 26(2))
For every AI system in use, a responsible person must be named: someone who monitors outputs, can intervene, and can suspend operation if needed. This designation must be documented, and the record should answer three questions: who monitors which system, with what authority, and under what conditions.
4. Ensure transparency to employees and end users (Art. 26(7) / Art. 50)
Employees whose work is influenced or evaluated by an AI system must be informed of that fact. Where AI-generated content goes to external recipients, it must be labelled as such. In practice, this means disclaimers on automatically generated emails, meeting minutes, or reports, clearly identifying AI involvement.
5. Log operations and report serious incidents (Art. 26(5))
Serious malfunctions that lead to harm must be reported to the relevant national market surveillance authority. This requires operational logs showing which model produced which output at which time. The documentation obligation is ongoing, not a one-time exercise.
What most SMBs underestimate: the documentation burden
The regulation does not just define what to do. It requires that compliance is demonstrably documented. Large companies have legal and compliance departments to handle this. For a business with 20 or 50 employees, starting from scratch is a significant workload.
That is the practical problem: the obligations are clear, but meeting them takes expertise and time that is rarely available internally.
The kAIra compliance package: pre-filled and ready to use
As part of the kAIra pilot project, Freshlab creates a complete DOCX documentation package for every customer. It covers all mandatory documents for EU AI Act-compliant operators. The package includes:
- Overview: EU AI Act introduction, timeline, role distribution (Provider / Deployer)
- Risk Classification: Checklist for prohibited practices (Art. 5), high-risk (Annex III), and limited risk (Art. 50)
- Model Datasheets: Gemma 4, Nomic Embeddings, Whisper with licence information and kAIra-specific usage notes
- Deployer Obligations: Checklist per risk class covering AI competence, logging, human oversight, and fundamental rights
- Operations Manual: Deployment, data flow, model inference, logging, incident response
- Transparency Notices: Template disclaimers for users (Art. 50), AI content labelling
- Pilot Contract: Hardware, duration, responsibilities
- Data Processing Agreement (DPA): GDPR Art. 28, Freshlab as processor, customer as controller
Fields such as company name, AI officer, data protection officer, risk class, model names, and deployment URL are auto-filled from the customer profile. What remains is a single pass to enter company-specific details.
The risk class is set once in the Config Manager and applied automatically to all documents. For most SMB use cases, the minimal or limited risk level is appropriate, which substantially reduces the overall compliance burden.
Why local AI simplifies compliance
Cloud AI and local AI differ not only on privacy, but also on compliance complexity. When you use a cloud service such as ChatGPT Enterprise or Google Vertex AI, you must create all deployer documentation yourself, since the cloud provider only supplies model details. The entire documentation obligation rests with you.
With a local open-source model (Gemma 4, Llama 3.3, Mistral), provider obligations remain with the model developer. You use the model as-is and do not need to conduct your own conformity assessments. The pre-filled package from Freshlab removes the need for extensive internal research.
Three steps to take before summer
Regardless of whether you already use kAIra or are still evaluating options, three things should happen before the deadline.
First: take an inventory of your AI systems. Which applications are you using today that rely on a language model? That includes AI embedded in existing software.
Second: assess the risk class for each. Does the system process personal data? Does it influence decisions? Does its output go to external recipients?
Third: assign internal ownership. Who is the AI officer? Who takes responsibility for human oversight of each system?
If you are not yet running an AI system in production, you have the opportunity to start compliant from day one. The Freshlab pilot project covers the full setup, training, and compliance package, so you can go live in two weeks and meet the regulatory requirements at the same time.
Get in touch before the August deadline becomes too close for comfort: Request the pilot project.
This article is for informational purposes only and does not constitute legal advice. For binding guidance on EU AI Act compliance, we recommend consulting a qualified legal adviser.