On 2 August 2026, the European Artificial Intelligence Regulation — the AI Act — enters into full application. Adopted on 21 May 2024 and in force since 1 August of the same year, this text is the first comprehensive AI regulation by any major jurisdiction in the world. For European SMEs and mid-caps, August 2026 marks the shift from regulatory watch to defensible compliance.
This note summarises what changes concretely, presents the official timeline after the amendments adopted on 7 May 2026 by the Parliament and Council, and proposes six actions to launch in the coming weeks.
The AI Act distinguishes four risk levels (unacceptable, high, limited, minimal). Penalties reach up to EUR 35 million or 7% of global annual turnover, depending on the nature of the violation. All organisations using AI — not only the developers — are concerned, to varying degrees.
The regulation at a glance
The AI Act does not regulate AI as a technology, but its uses. The regulation adopts a risk-based approach: the more an AI system is likely to affect fundamental rights or the safety of persons, the stricter the obligations on its providers and deployers.
Four categories are defined:
- Unacceptable risk · systems prohibited outright (mass social scoring, subliminal manipulation, certain biometric uses). Ban effective since 2 February 2025.
- High risk · systems used in sensitive domains: recruitment, HR management, access to essential services, education, critical infrastructure. Reinforced obligations (technical documentation, human oversight, EU register).
- Limited risk · chatbots, generative AI, deepfakes. Transparency obligations (inform users they are interacting with a machine, label synthetic content).
- Minimal risk · spam filters, content recommendations. No specific obligations.
The dates that shape 2026-2027
On 7 May 2026, after tense negotiations, the European Parliament and Council reached political agreement on the Digital Omnibus on AI, which adjusts certain deadlines. The goal: give more time to companies and national authorities to organise themselves, after the finding that the harmonised technical standards would not be ready in time.
-
2 February 2025 · in force
Prohibitions on unacceptable AI practices
Mass social scoring, subliminal manipulation, exploitation of vulnerabilities. AI literacy obligations for employers.
-
2 August 2025 · in force
Obligations for general-purpose AI models (GPAI)
Providers of models such as GPT-4, Claude, Gemini are subject to documentation and governance obligations.
-
2 August 2026 · full application
Transparency obligations (Article 50) — chatbots, deepfakes, generative content
Any deployer of a chatbot or generative system must inform the user. GPAI models placed on the market before 2 August 2025 have until 2 August 2027.
-
2 December 2026 · in force
AI-generated content watermarking
Deadline reduced to 3 months (from 6) after the 7 May agreement. Tight timing for content producers.
-
2 December 2027 · in force
Obligations for high-risk AI systems listed in Annex III
16-month postponement enacted by the Digital Omnibus. Covers biometrics, critical infrastructure, education, employment, migration.
-
2 August 2028 · in force
Obligations for high-risk AI systems embedded in regulated products
Medical devices, toys, lifts, radio equipment: extended transition.
The 7 May political agreement extended to "small mid-caps" (companies up to 750 employees and EUR 150 million annual turnover) the simplifications initially reserved for SMEs: lighter technical documentation, proportionate penalties, access to regulatory sandboxes.
Who is concerned, and in what capacity
The most frequent mistake is to believe the AI Act only concerns AI model developers. This is wrong. The regulation distinguishes several roles, and most SMEs and mid-caps fall under the deployer category — that is, professional users of AI systems developed by third parties.
An SME becomes a deployer as soon as it uses, integrates or makes available to its clients:
- A customer service chatbot, even from a third-party provider
- A recruitment tool automating candidate screening or scoring
- An HR platform that evaluates or scores employee performance
- A credit scoring system, even white-labelled
- A generative assistant embedded in a public-facing product or service
- A user surveillance or rating tool
For each of these uses, the deployer has its own obligations, even if the system provider is itself compliant. Compliance is not contagious — it is assessed at every link.
Financial and reputational exposure
The regulation provides three penalty tiers, calibrated to the severity of the breach:
- Up to EUR 35 million or 7% of global annual turnover for placing prohibited practices on the market (manipulation, social scoring).
- Up to EUR 15 million or 3% for non-compliance with high-risk system obligations.
- Up to EUR 7.5 million or 1% for providing inaccurate information to authorities.
These administrative penalties are compounded by collateral risks that the business press often underestimates:
- Mandatory withdrawal of misclassified systems (recall or commercial ban).
- Civil claims from individuals who consider themselves harmed by an automated decision (recruitment, credit, service access).
- Criminal liability in certain jurisdictions, particularly for AI practices generating illegal content.
- Cumulation with GDPR penalties (up to EUR 20 million or 4%), particularly for biometric or emotion recognition uses.
"The cost of non-compliance is not just the fine. It is also the withdrawal of a product mid-cycle, and the collapse of trust from an institutional buyer who will have run their own due diligence before signing."
Six actions to launch within 90 days
For an SME or mid-cap executive, compliance is not handled as an isolated IT project. It is a cross-functional effort that mobilises executive leadership, business unit heads (HR, sales, legal), and the CIO/CISO. Here are the six structuring actions to launch now.
1. Build an exhaustive inventory of AI systems in use
Everything starts with a census. For each tool identified, note: vendor name, exact AI function, data processed, individuals affected, probable classification under the four risk categories. This inventory becomes the documentary basis for all compliance work.
2. Classify each system by risk level
The same type of tool may shift from one category to another depending on usage context. A generative assistant used internally is not subject to the same obligations as the same tool exposed to clients. Classification must be reasoned and documented, with reference to the applicable article of the regulation.
3. Question vendors with a precise framework
Five questions to ask systematically of every third-party vendor:
- Is your system classified as high-risk under the AI Act?
- Do you have technical documentation compliant with Annex IV?
- What training data was used, and how is it documented?
- What human oversight mechanisms do you offer to your clients?
- Are you registered in the EU database of high-risk systems?
A vendor that cannot answer these questions is a compliance risk. This should be reflected in contracts.
4. Update vendor contracts
Standard IT service purchase clauses generally do not cover the AI Act. Add: explicit compliance clause, audit right, obligation to inform of substantial system modifications, liability sharing in case of penalty.
5. Train executives and exposed managers
Article 4 of the regulation imposes an "AI literacy" obligation on all employers since February 2025. Concretely: training of employees who use or supervise AI systems, proportionate to the risk level. This training must be documented — it is defensible in case of audit.
6. Designate a lead and formalise governance
While not mandatory, designating an AI Act lead (equivalent to the DPO for GDPR) is strongly recommended for organisations deploying multiple systems or operating in regulated sectors. This lead is the single point of contact for national authorities in case of question or audit.
- Inventory of AI systems in use, up-to-date and signed by management
- Documented classification by risk level (with applicable article)
- Vendor questionnaire sent to main AI providers, responses archived
- Vendor contracts amended (AI Act compliance, audit, modification clauses)
- AI literacy training delivered and tracked for all users
- Internal policy on generative system usage (chatbots, copilots) published
- Transparency mechanism visible to end users (chatbot disclosure, content marking)
- AI Act lead designated and published in internal organisation chart
- AI incident reporting procedure documented and tested
- Annual compliance review planned and on the executive agenda
Beyond compliance, a strategic advantage
The temptation is strong to treat the AI Act as an administrative burden. This is a strategic mistake. Organisations that anticipate this regulation are actually building a durable commercial advantage: ability to respond to tenders requiring AI Act compliance, increased credibility with institutional buyers, reduced litigation risk.
Several major procurement organisations — European institutions, banks, insurers, public authorities — are already integrating AI Act compliance into their vendor selection criteria. This filter will become widespread before the effective application of August 2026.
For an SME or mid-cap that invests today in structured AI governance, the return is not only defensive. It is also commercial. The cost of an organised, progressive compliance effort — between 6 and 18 months depending on initial maturity — is incomparable with that of a rushed regularisation under threat of sanction.
Want to launch a compliance scoping?
Delph Concept supports SME and mid-cap executives on AI Act compliance, from inventory through to executive committee training. An initial reading of your exposure can be delivered in a few days.
Open a conversation →