Regulation EU 2024/1689 · May 2026 update

EU AI Act SME Compliance (2026): a complete guide

The EU AI Act (Regulation 2024/1689) affects every SME and SMB that deploys, markets or uses AI systems, even those just using ChatGPT, Copilot or Gemini. This guide summarises the five applicable obligations, the calendar through 2027, the fine regime and the practical steps to comply. Updated for the Digital Omnibus political agreement of 7 May 2026.

Applies to every SME and SMB · All sectors · Active enforcement from 2 August 2026 · Fines up to EUR 35 million or 7 % worldwide turnover · GDPR applies in parallel
Regulation (EU) 2024/1689 · AI Act · In force since 1 August 2024

What the EU AI Act is and why it affects your SME

The EU Artificial Intelligence Act, formally Regulation (EU) 2024/1689, is the world's first horizontal regulation of AI. It entered into force on 1 August 2024 and applies directly in every EU Member State without any need for national transposition. Each Member State designates a national competent authority for enforcement (for example AESIA in Spain, with similar bodies being established in Germany, France, Italy, Denmark and the Nordics). The Regulation classifies AI systems by risk level (prohibited, high, limited, minimal) and sets distinct obligations for providers (those who develop or market the system) and deployers (those who use it professionally). The vast majority of SMEs and SMBs are deployers. The Digital Omnibus political agreement of 7 May 2026 (formal adoption pending) simplified some obligations and postponed the high-risk deadlines: Annex III stand-alone systems to 2 December 2027 and Annex I systems embedded in regulated products to 2 August 2028.

The five obligations

What the AI Act requires from an SME, article by article

Every SME should review these five blocks. The exact scope depends on the role (provider or deployer) and the type of AI systems used. Most SMEs and SMBs are deployers of general-purpose cloud assistants or of vertical high-risk systems (HR, credit scoring, healthcare).

Art. 4 · AI literacy

Promote AI literacy among your staff

Any business that uses or deploys AI systems must take measures so that its staff and persons acting on its behalf have a sufficient level of AI literacy.

  • Documented training programme with own or third-party material
  • Coverage of the legal framework, risks and GDPR applied to AI
  • Per-person auditable evidence for an enforcement inspection
  • Obligation of means after the Omnibus, not an obligation of result; the duty remains
Applicable since 2 February 2025 · Active enforcement from 2 August 2026

Art. 5 · Prohibitions

Do not use prohibited AI systems

Article 5 directly prohibits, including for SMEs, a closed list of uses considered incompatible with fundamental rights.

  • Social scoring of natural persons
  • Emotion recognition in the workplace or education
  • Biometric categorisation to infer race, ideology, sexual orientation, religion
  • Real-time remote biometric identification in publicly accessible spaces
  • Subliminal techniques or exploitation of vulnerabilities
Applicable since 2 February 2025 · Fines up to EUR 35 million or 7 % worldwide turnover

Art. 26 · Deployer

Obligations of the deployer

If your SME professionally deploys a high-risk AI system (HR, credit scoring, insurance, education, critical infrastructure), it takes on the role of deployer and must comply with Article 26.

  • Follow the provider's instructions for use
  • Assign human oversight to persons with the necessary competence and authority
  • Control the relevance of input data when applicable
  • Retain generated logs for at least six months
  • Report serious incidents to the provider and the market surveillance authority
  • Inform workers' representatives before putting the system into service
Applicable from Annex III: 2 December 2027 · Annex I: 2 August 2028

Art. 27 · FRIA

Fundamental rights impact assessment

Certain deployers (public bodies, providers of public services, banks, insurers) must evaluate the impact on fundamental rights before deploying a high-risk system.

  • Description of the processes in which the system will be used
  • Expected period and frequency of use
  • Categories of persons concerned
  • Specific risks to fundamental rights
  • Human-oversight and mitigation measures
  • Notification of the outcome to the market surveillance authority
Applicable from 2 December 2027 (Annex III, covered sectors)

Art. 50 · Transparency

Inform users that AI is involved

Article 50 sets transparency duties towards natural persons interacting with AI systems or with AI-generated content.

  • Clear notice that the user is talking to a chatbot
  • Machine-readable labelling of synthetic content (image, audio, video, text)
  • Explicit labelling of deepfakes and manipulated content
  • Information to natural persons exposed to permitted emotion recognition or biometric categorisation
Applicable from 2 August 2026 · Fines up to EUR 15 million or 3 % worldwide turnover

GDPR

GDPR keeps applying in parallel

The AI Act does not replace the GDPR. Any AI system that processes personal data must additionally comply with Regulation (EU) 2016/679 and national data protection laws.

  • Legal basis for processing (Art. 6 GDPR)
  • Information to data subjects (Art. 13 and 14)
  • Data protection impact assessment (DPIA, Art. 35) where applicable
  • Verification of international transfers for cloud assistants
  • Data minimisation in line with national supervisory authority guidelines
Supervisor: National data protection authority · Fines up to EUR 20 million or 4 % worldwide turnover

Calendar

When each obligation applies

The Regulation enters into force in phases. Six dates are relevant for an EU SME.

1 Aug 2024
Entry into force. The AI Act becomes EU law. The application calendar starts running.
2 Feb 2025
Prohibited practices (Art. 5) and AI literacy (Art. 4) applicable. Any SME using software with workplace emotion analysis or social scoring must phase it out. Documented AI literacy training is already required.
2 Aug 2025
GPAI obligations applicable. Apply to providers of general-purpose AI models (OpenAI, Anthropic, Google, Mistral). SME deployers do not take on these obligations, but should be aware of them.
2 Aug 2026
Enforcement powers and GPAI in force. The national competent authorities gain their supervision and enforcement powers, including over Article 4, and Article 50 transparency duties apply. This is not the start of the high-risk obligations.
2 Dec 2027
Annex III high-risk systems applicable. Stand-alone high-risk systems (HR, scoring, education, critical infrastructure) come under the AI Act. Postponed by the Digital Omnibus (formal adoption pending). Articles 26 (deployer) and 27 (FRIA) apply from this date.
2 Aug 2028
Annex I high-risk systems applicable. AI systems embedded in products under sectoral regulation (toys, medical devices, vehicles, lifts) come fully under the AI Act. Postponed by the Digital Omnibus (formal adoption pending).

Penalty regime

What non-compliance can cost (Article 99)

Article 99 sets three tiers depending on the severity of the breach. For SMEs, SMBs and startups, Article 99(6) requires calibration by size and turnover. National competent authorities (designated per Member State) enforce.

EUR 35 m or 7 % of worldwide annual turnover from the preceding financial year, whichever is higher · Prohibited practices (Art. 5)
EUR 15 m or 3 % of worldwide annual turnover, whichever is higher · Provider and deployer obligations (Art. 16, 26, 50)
EUR 7.5 m or 1 % of worldwide annual turnover, whichever is higher · Incorrect information to an authority
SME · Article 99(6) requires authorities to calibrate fines by size and turnover for SMEs, SMBs and startups · Proportionality clause

Compliance steps

How to comply with the AI Act, step by step

An SME starting from zero can cover the bulk of the Regulation in six to twelve weeks, alongside normal operations.

Step 1

Inventory of AI systems

List every AI system in use, including the implicit ones: ChatGPT in the browser, Copilot in Office 365, automatic translators, HR assistants, supplier scoring, web chatbots.

Step 2

Risk classification

For each system, identify whether it is prohibited (Art. 5), high-risk (Annex III), limited-risk (chatbot, content generation) or minimal. This determines the applicable obligations.

Step 3

Documented staff training

Roll out the Article 4 training programme with per-person auditable evidence. It is the earliest obligation (since February 2025) and the foundation for the rest of compliance.

Step 4

Internal AI directive

Approve a short document (two to four pages) defining which tools are authorised, which data can be entered, who supervises and how shadow AI is handled. Communicate it formally.

Step 5

Customer-facing transparency

If the SME uses chatbots or publishes AI-generated content, prepare the Article 50 notices and labelling before 2 August 2026.

Step 6

FRIA and logs where applicable

Only if the SME is a public body, a provider of public services, a bank or an insurer, and deploys high-risk systems. Document the FRIA and retain logs for at least six months.

FAQ

Common questions about the AI Act and SMEs

What is the EU AI Act and how does it affect SMEs?
The «EU AI Act» is Regulation (EU) 2024/1689. It has applied directly in every EU Member State since 1 August 2024, with phased entry into force: prohibited practices (Art. 5) and AI literacy (Art. 4) from 2 February 2025, GPAI obligations from 2 August 2025, and the national competent authorities gain their enforcement powers on 2 August 2026. After the Digital Omnibus agreement of May 2026 (formal adoption pending), the obligations for high-risk systems are postponed and apply from 2 December 2027 (Annex III, stand-alone systems) and 2 August 2028 (Annex I, AI embedded in regulated products). It affects any SME or SMB that deploys, markets or uses AI systems, regardless of sector.
What are the EU AI Act obligations for an SME?
An SME has five groups of obligations depending on its role and the AI systems it uses. Art. 4: promote AI literacy among staff. Art. 5: do not use prohibited AI systems. Art. 26: comply with provider instructions when deploying high-risk systems, keep records, ensure human oversight. Art. 50: inform users when interacting with chatbots, label AI-generated content. Art. 27: carry out a FRIA when deploying high-risk systems in sensitive sectors.
My SME only uses ChatGPT, is the AI Act still relevant?
Yes. Using general-purpose cloud AI assistants (ChatGPT, Copilot, Gemini, Claude) triggers at least two obligations: the obligation of means to support AI literacy among staff (Art. 4) and, where chatbots interact with customers, the duty to inform users and label AI-generated content (Art. 50). GDPR also applies: data entered into a public cloud assistant may amount to an international transfer, which requires verifying the legal basis and the provider's contract.
What fines does the EU AI Act provide for?
Article 99 sets three tiers: up to EUR 35 million or 7 % of worldwide annual turnover for breaches of Article 5 prohibitions; up to EUR 15 million or 3 % for breaches of certain provider and deployer obligations (Articles 16, 26 and 50, among others); up to EUR 7.5 million or 1 % for supplying incorrect information to an authority. The AI Act sets no specific fine for Article 4 (AI literacy): its sanctions are left to each Member State. For SMEs, SMBs and startups, Article 99(6) requires that fines be calibrated by size and turnover. Each Member State designates its own enforcement authority.
When does active enforcement really start?
Prohibited practices and AI literacy have been enforceable since 2 February 2025, and GPAI obligations since 2 August 2025. On 2 August 2026 the national competent authorities gain their supervision and enforcement powers, including over Article 4. After the Digital Omnibus of 7 May 2026 (formal adoption pending), the high-risk obligations are postponed: Annex III stand-alone systems to 2 December 2027 and Annex I systems embedded in regulated products to 2 August 2028.
What is AI literacy under Article 4 and how do you comply?
Article 4 requires providers and deployers to take measures to support a sufficient level of AI literacy among staff. Following the Digital Omnibus of 7 May 2026 it is framed as an obligation of means, not an obligation of result, but the duty remains. It is satisfied with a documented training programme covering the legal framework, usage risks, GDPR applied to AI, transparency and prohibited practices. Freshlab provides a turnkey training service at EUR 20 per participant with named certificates and a cryptographically signed audit dossier. More at Art. 4 AI Act Training.
Which AI practices are prohibited for an SME (Article 5)?
Article 5 prohibits, including for SMEs: social scoring of natural persons; emotion recognition in the workplace and education (except for medical or safety reasons); biometric categorisation to infer race, ideology, sexual orientation or religion; systems that exploit vulnerabilities; subliminal techniques; and real-time remote biometric identification in publicly accessible spaces. An SME using HR software with video or voice emotion analysis has been in breach of Article 5 since 2 February 2025.
What obligations does a deployer have under Article 26?
When deploying a high-risk AI system (HR, credit scoring, insurance, education, critical infrastructure, justice), Article 26 requires: following provider instructions, assigning human oversight to persons with the necessary competence and authority, controlling input data, retaining logs for at least six months, reporting serious incidents, and notifying natural persons affected by AI-based decisions. In employment contexts, you must also inform workers' representatives before putting the system into service.
When is a FRIA mandatory?
Article 27 requires deployers that are public-law bodies, providers of public services or operators in sensitive sectors (banking, insurance) to carry out a FRIA before putting a high-risk AI system into service. The FRIA covers deployment processes, period of use, categories of persons concerned, specific fundamental-rights risks and oversight measures. The outcome is notified to the market surveillance authority. An SME serving a public administration or a bank may need to support its client's FRIA.
What are the transparency obligations under Article 50?
Article 50 sets four requirements from 2 August 2026. Chatbots interacting with natural persons must clearly disclose that they are AI. AI-generated content (image, audio, video, significant text) must carry machine-readable labelling and, where appropriate, be disclosed to the user. Deepfakes must be explicitly labelled. When using permitted emotion recognition or biometric categorisation, exposed persons must be informed.
How does local AI (without cloud) fit AI Act compliance?
Local AI infrastructure (on-premise LLM) does not exempt you from the Regulation, but simplifies several blocks. GDPR: no international data transfer to justify. Art. 4: training is the same. Art. 50: still applies to chatbots. The real AI Act benefits of local AI are full traceability of input data, complete logs under your control, no shadow AI with sensitive data, and compatibility with national data protection rules for specially protected data. More at Local AI & Localized AI.
What about GPAI models that my SME uses?
The GPAI obligations under Articles 53 and following (technical documentation, copyright compliance policy, training-data summary) fall on the model provider, not on the SME using it. As a deployer of a GPAI-based tool (ChatGPT, Copilot, Mistral), your SME's responsibility is the same as any deployer's: Art. 4, Art. 50 and GDPR. If your SME integrates a GPAI model into a product it markets, it then takes on provider obligations for that product.

Start with the most urgent duty: Article 4 AI literacy training

It has been enforceable since February 2025, has the shortest deadline and is at the same time the documentary foundation for the rest of compliance. A documented training programme with a signed dossier covers the obligation of means before the competent authority and reduces civil liability risk from improper AI use.