On 2 August 2026, the European Artificial Intelligence Regulation — the AI Act — enters into full application. Adopted on 21 May 2024 and in force since 1 August of the same year, this text is the first comprehensive AI regulation by any major jurisdiction in the world. For European SMEs and mid-caps, August 2026 marks the shift from regulatory watch to defensible compliance.

This note summarises what changes concretely, presents the official timeline after the amendments adopted on 7 May 2026 by the Parliament and Council, and proposes six actions to launch in the coming weeks.

In 30 seconds

The AI Act distinguishes four risk levels (unacceptable, high, limited, minimal). Penalties reach up to EUR 35 million or 7% of global annual turnover, depending on the nature of the violation. All organisations using AI — not only the developers — are concerned, to varying degrees.

The regulation at a glance

The AI Act does not regulate AI as a technology, but its uses. The regulation adopts a risk-based approach: the more an AI system is likely to affect fundamental rights or the safety of persons, the stricter the obligations on its providers and deployers.

Four categories are defined:

The dates that shape 2026-2027

On 7 May 2026, after tense negotiations, the European Parliament and Council reached political agreement on the Digital Omnibus on AI, which adjusts certain deadlines. The goal: give more time to companies and national authorities to organise themselves, after the finding that the harmonised technical standards would not be ready in time.

New as of 7 May 2026

The 7 May political agreement extended to "small mid-caps" (companies up to 750 employees and EUR 150 million annual turnover) the simplifications initially reserved for SMEs: lighter technical documentation, proportionate penalties, access to regulatory sandboxes.

Who is concerned, and in what capacity

The most frequent mistake is to believe the AI Act only concerns AI model developers. This is wrong. The regulation distinguishes several roles, and most SMEs and mid-caps fall under the deployer category — that is, professional users of AI systems developed by third parties.

An SME becomes a deployer as soon as it uses, integrates or makes available to its clients:

For each of these uses, the deployer has its own obligations, even if the system provider is itself compliant. Compliance is not contagious — it is assessed at every link.

Financial and reputational exposure

The regulation provides three penalty tiers, calibrated to the severity of the breach:

These administrative penalties are compounded by collateral risks that the business press often underestimates:

"The cost of non-compliance is not just the fine. It is also the withdrawal of a product mid-cycle, and the collapse of trust from an institutional buyer who will have run their own due diligence before signing."

Six actions to launch within 90 days

For an SME or mid-cap executive, compliance is not handled as an isolated IT project. It is a cross-functional effort that mobilises executive leadership, business unit heads (HR, sales, legal), and the CIO/CISO. Here are the six structuring actions to launch now.

1. Build an exhaustive inventory of AI systems in use

Everything starts with a census. For each tool identified, note: vendor name, exact AI function, data processed, individuals affected, probable classification under the four risk categories. This inventory becomes the documentary basis for all compliance work.

2. Classify each system by risk level

The same type of tool may shift from one category to another depending on usage context. A generative assistant used internally is not subject to the same obligations as the same tool exposed to clients. Classification must be reasoned and documented, with reference to the applicable article of the regulation.

3. Question vendors with a precise framework

Five questions to ask systematically of every third-party vendor:

A vendor that cannot answer these questions is a compliance risk. This should be reflected in contracts.

4. Update vendor contracts

Standard IT service purchase clauses generally do not cover the AI Act. Add: explicit compliance clause, audit right, obligation to inform of substantial system modifications, liability sharing in case of penalty.

5. Train executives and exposed managers

Article 4 of the regulation imposes an "AI literacy" obligation on all employers since February 2025. Concretely: training of employees who use or supervise AI systems, proportionate to the risk level. This training must be documented — it is defensible in case of audit.

6. Designate a lead and formalise governance

While not mandatory, designating an AI Act lead (equivalent to the DPO for GDPR) is strongly recommended for organisations deploying multiple systems or operating in regulated sectors. This lead is the single point of contact for national authorities in case of question or audit.

Checklist · to validate before 2 August 2026
  • Inventory of AI systems in use, up-to-date and signed by management
  • Documented classification by risk level (with applicable article)
  • Vendor questionnaire sent to main AI providers, responses archived
  • Vendor contracts amended (AI Act compliance, audit, modification clauses)
  • AI literacy training delivered and tracked for all users
  • Internal policy on generative system usage (chatbots, copilots) published
  • Transparency mechanism visible to end users (chatbot disclosure, content marking)
  • AI Act lead designated and published in internal organisation chart
  • AI incident reporting procedure documented and tested
  • Annual compliance review planned and on the executive agenda

Beyond compliance, a strategic advantage

The temptation is strong to treat the AI Act as an administrative burden. This is a strategic mistake. Organisations that anticipate this regulation are actually building a durable commercial advantage: ability to respond to tenders requiring AI Act compliance, increased credibility with institutional buyers, reduced litigation risk.

Several major procurement organisations — European institutions, banks, insurers, public authorities — are already integrating AI Act compliance into their vendor selection criteria. This filter will become widespread before the effective application of August 2026.

For an SME or mid-cap that invests today in structured AI governance, the return is not only defensive. It is also commercial. The cost of an organised, progressive compliance effort — between 6 and 18 months depending on initial maturity — is incomparable with that of a rushed regularisation under threat of sanction.

Want to launch a compliance scoping?

Delph Concept supports SME and mid-cap executives on AI Act compliance, from inventory through to executive committee training. An initial reading of your exposure can be delivered in a few days.

Open a conversation →