
What the EU AI Act actually means for SMBs in 2026

Most SMBs assume the EU AI Act is an enterprise problem and doesn’t apply outside the EU. Both assumptions are wrong often enough to be worth a proper 12-minute read — risk tiers, GPAI obligations, the August 2026 bite-date, and the six-document response that covers it.

Gopal Panigrahy · Jun 2, 2026 · 12 min read

Most SMB owners I talk to have heard “the EU AI Act” and assumed two things: that it’s an enterprise problem, and that it doesn’t apply to them because they aren’t in the EU. Both assumptions are wrong often enough that it’s worth a proper 12-minute read before you make the next AI-tool purchase.

The Act entered into force on 1 August 2024. The prohibitions on unacceptable-risk AI bit on 2 February 2025. The general-purpose AI (GPAI) obligations took effect on 2 August 2025. The high-risk-system obligations phase in through 2 August 2026, with the longer Annex III high-risk tail running to 2 August 2027. We are currently between the GPAI bite-date and the high-risk bite-date. That window is what this post is about.

If you sell into the EU, deploy AI to anyone in the EU, or process EU residents’ data with AI — the Act applies. Headquarters location is irrelevant.

Does it apply to you? Three tests

The Act has extraterritorial reach modelled on GDPR. You can trip into scope without ever opening an office in the EU. Run these three tests honestly:

  1. Do you put AI output into the EU market? If your software, agent, or AI-powered service is used by anyone in the EU — including B2B customers — you’re a provider or deployer in EU terms.
  2. Do you process data of EU residents with AI? Even if you’re a US firm running Copilot agents over a dataset that includes EU employees, contractors, or customers, the deployer obligations apply to that processing.
  3. Do you sell to EU-headquartered enterprises? The big EU companies are now writing AI-Act-compliance clauses into vendor contracts. Even if the Act doesn’t reach you directly, your customer’s procurement team will.

Two of three is enough for most SMBs in our portfolio to need a documented response. One of three is enough to need a tracking decision.

The four risk tiers, plain-English

The Act sorts AI systems into four buckets. Almost everything an SMB deploys lands in the bottom two; almost nothing lands in the top one. Knowing which bucket your use case is in tells you which obligations bite.

1. Unacceptable risk — banned

Social scoring, real-time biometric ID in public spaces (with narrow law-enforcement exemptions), emotion recognition in workplaces or schools, manipulative subliminal techniques. Banned outright since February 2025. If you’re building any of these, you have a bigger problem than this post can solve. For normal SMB AI work — Copilot, agents, document automation — this tier does not apply.

2. High risk — heavy obligations

Annex III lists the high-risk use cases. The ones that catch SMBs by surprise are: AI used in HR / recruitment (CV screening, interview scoring), AI used in credit scoring or insurance pricing, AI used in critical infrastructure, AI used in education access (admissions, exam grading), and AI used in law enforcement, migration, or justice.

High-risk obligations include: a risk-management system, data-governance documentation, technical documentation, an EU-database registration, transparency to deployers, human oversight, accuracy/robustness/cybersecurity evidence, a conformity assessment, and a CE-marking equivalent. This is substantial — budget six figures for compliance work if you ship in this tier. Most SMBs we work with explicitly stay out of this tier.

3. Limited risk — transparency only

This is where most SMB AI deployments land. Chatbots, generated content, AI-summarised material. Obligations are disclosure-only: tell the user they’re interacting with AI, label AI-generated images / audio / video as such, mark deep-fakes clearly. If you turn on a Copilot Studio agent for customer service, you need a one-line disclosure: “You’re chatting with an AI assistant. A human can take over on request.” That’s the substance of the obligation here.

4. Minimal risk — no obligations

Spam filters, recommendation systems, basic productivity AI used inside the firm without external-facing decisions. No obligations. Most internal Copilot usage in a 100-person SMB lives here.

GPAI obligations — what already kicked in

On 2 August 2025 the obligations on general-purpose AI model providers (OpenAI, Anthropic, Google, Mistral, the Microsoft-hosted versions) became enforceable. You’re not the provider here — Microsoft / OpenAI is — but as a deployer you should know what changed.

  • Technical documentation from the GPAI provider must be available to downstream deployers. Microsoft publishes this for Azure OpenAI and Copilot family products; the documents are linkable from the Microsoft Trust Center.
  • Copyright compliance — providers must respect EU copyright opt-outs in training data. This is upstream of you, but enterprise customers will ask whether your underlying model honours these.
  • Summary of training content — published by the provider. Useful when a procurement team asks “what data was this trained on?”
  • Systemic-risk GPAI models (above the 10²⁵ FLOPS threshold) carry additional incident-reporting and red-teaming duties. The frontier model providers comply; you cite them, not yourself.

What bites on 2 August 2026

The high-risk-system obligations for AI systems sold or deployed in the EU phase in. Practically, this means three things for an SMB:

  1. If you ship AI features in a product sold into the EU and any feature touches an Annex III use case — you become a provider with high-risk obligations. Conformity assessment, EU database registration, technical file. Talk to counsel now, not in July 2026.
  2. If you deploy a high-risk AI system internally — say a CV-screening tool for hiring — you have deployer obligations: human oversight, instructions-of-use compliance, monitoring, incident reporting. Lighter than the provider load but still real.
  3. If you do neither — which is the case for 80%+ of the SMBs we work with — the August 2026 milestone is mostly a non-event for you. Your obligations are the transparency duties from the limited-risk tier plus literacy from the next section.

Article 4 — AI literacy, applies to everyone

This is the article most SMBs miss. Article 4 requires any provider or deployer of an AI system to ensure their staff and other persons operating the system “have a sufficient level of AI literacy.” It applies regardless of risk tier. It applied from 2 February 2025.

In practice this is the easiest obligation to satisfy and the one most likely to get cited by a regulator if you have an incident. The compliant artefact is:

  • A written AI-literacy training programme appropriate to the role and the system being used.
  • Records of who completed it and when.
  • Refresh cadence (annual is the practical default).
  • Linkage to your AI acceptable-use policy.

For a 100-person SMB using Copilot, this is a 30-minute online module plus a quarterly tips email. We bundle this into the 9-document governance pack referenced at the bottom of this post.

The six-document SMB response

The honest answer to “what do we have to do?” for an SMB in the limited-risk tier with some EU exposure is six documents. None of them need to be long. All of them need to exist, be named-owner, and be findable when asked.

  1. AI use register. One table. Every AI system in use, its risk tier, its owner, its purpose. Updated quarterly.
  2. AI acceptable-use policy. One page. What staff can and can’t do with AI tools. Approved by the senior leadership team.
  3. AI-literacy training record. Article 4 evidence. Who’s completed what, when, on which systems.
  4. Transparency notices. The user-facing disclosure language for any AI-touching customer surface. Stored once, deployed consistently.
  5. Incident-response addendum. Existing incident-response process, with an AI-specific addendum covering hallucination, bias, model behaviour change.
  6. Vendor assurance file. The Trust-Center docs from each AI vendor (Microsoft, OpenAI, etc.) collected in one place so you can answer a customer questionnaire in an afternoon, not a week.

Two weeks of focused work to author the first version. Two hours a quarter to maintain. One named owner — usually whoever ends up being the Copilot Champion. The document set covers the AI Act’s practical demands on a limited-risk SMB and roughly 80% of enterprise vendor-risk questionnaires by coincidence.

Penalties — what’s actually at stake

The Act’s fine structure is GDPR-like. Three tiers:

  • €35M or 7% of global annual turnover (whichever is higher) for the banned-AI prohibitions. Functionally not relevant to SMBs unless you’re building something on the unacceptable-risk list.
  • €15M or 3% of global annual turnover for most other substantive obligations — high-risk-system non-compliance, GPAI breaches, transparency failures.
  • €7.5M or 1% of global annual turnover for incorrect / incomplete / misleading information supplied to authorities.

For SMBs the Act explicitly directs authorities to consider the size and resources of the firm when setting penalties — you’re unlikely to be made a regulatory example of, but you can absolutely be fined enough to materially hurt. More importantly: an EU enterprise customer can cancel a contract on a compliance breach, and that’s the more common commercial outcome.

What this means for the next AI tool you buy

Before signing any AI tool order form in the next 18 months, ask the vendor three questions:

  1. “Is the underlying model classed as GPAI? Systemic-risk GPAI?” Tells you whether to expect the provider’s transparency docs.
  2. “Does any feature in this product touch an Annex III high-risk use case? If yes, are you the provider or am I?” Tells you whether you’re inheriting deployer or provider obligations.
  3. “Where can I download your conformity assessment / technical documentation / transparency-notice templates?” Tells you how seriously the vendor takes their own obligations.

Microsoft answers all three cleanly for the Copilot family. Most of the small AI-startup tools your team is asking to buy do not. That difference is part of the case for staying inside the Microsoft tenant where the compliance story is already written.

The honest summary

For 80% of the SMBs we work with, the AI Act in 2026 means:

  1. Don’t deploy AI in HR / credit / education / justice without counsel.
  2. Add an AI disclosure line to any customer-facing AI surface.
  3. Run a 30-minute AI-literacy module for every staff member.
  4. Maintain the six-document file above.
  5. Cite the vendor’s GPAI documentation when asked.

Five things. None of them are hard. All of them need to be done by someone with their name on them, and that someone is usually missing — which is the actual reason the SMBs that end up in trouble end up in trouble. Not the Act’s complexity, the absence of an owner.

The AI Act doesn’t require an AI lawyer. It requires someone whose name is next to “AI governance” on the org chart. That’s a different problem.

We cover the document set and the literacy programme in the 9-document governance pack post. If you’re in a regulated vertical — financial services, healthcare, legal — the industry-specific landing pages walk through what these six documents look like with the regulatory overlay that bites in your sector.
