HRZN
airegulationeu-ai-actcompliancesmall-businessguide

EU AI Act for Small Businesses: What to Do Before 2 August 2026

A practical guide for small businesses that use AI and need to understand what the EU AI Act changes on 2 August 2026, what may be delayed, and what to do now.

EU AI Act for Small Businesses: What to Do Before 2 August 2026

The EU AI Act is not “another AI policy page” for small businesses. It is a product, procurement, documentation and workflow problem with legal deadlines attached.

The headline date is 2 August 2026: under the official AI Act timeline, most remaining provisions are due to start applying then. But the practical picture is more nuanced. On 7 May 2026, the Council of the EU and the European Parliament reached a provisional political agreement on AI simplification rules that would delay parts of the high-risk regime: standalone high-risk AI systems would move to 2 December 2027, and high-risk systems embedded in products would move to 2 August 2028. As of 22 May 2026, that agreement still needs formal adoption and publication before businesses can treat it as settled law.

So the useful question is not “does this apply to us?” It is: where are we using AI, what role do we play, and which parts must be ready by which date?

The short version

If you run a small company, you probably do not need a huge AI compliance department. You do need a clear map of AI use inside the business.

Start with six moves:

  1. List every AI system your company builds, sells, integrates or uses.
  2. Decide whether you are a provider, deployer, importer, distributor or product manufacturer for each system.
  3. Classify each system: prohibited, high-risk, transparency-triggering, general-purpose AI related, or ordinary low-risk use.
  4. Ask vendors for evidence, not slogans.
  5. Add human review, logs and user-facing notices where the Act expects transparency or oversight.
  6. Track the May 2026 simplification package before locking your final deadline plan.

This is not legal advice. It is an operational guide for founders, ops leads, product managers and small-business owners who need to turn a dense regulation into a workable checklist.

What actually changes on 2 August 2026

The AI Act entered into force on 1 August 2024. It applies in stages.

Some rules are already active by the time you are reading this. The bans on prohibited AI practices and AI literacy obligations started applying on 2 February 2025. Obligations for providers of general-purpose AI models started applying on 2 August 2025.

The next major date is 2 August 2026. The European Commission describes the Act as becoming fully applicable two years after entry into force, with exceptions. The AI Act Service Desk also lists 2 August 2026 as the date when the remainder of the Act starts to apply, except for specific provisions.

The catch: “fully applicable” does not mean every compliance duty for every AI system lands on the same day.

The most important uncertainty is high-risk AI. The May 2026 provisional agreement would set later application dates for high-risk rules: 2 December 2027 for standalone high-risk systems and 2 August 2028 for high-risk systems embedded in products. Until the amendments are formally adopted and published, treat this as a likely but not final change.

A stylized AI regulation timeline with key dates from 2024 to 2028.

First, find your role

The same AI tool can create different obligations depending on what your company does with it.

Provider

You are likely a provider if you develop an AI system or general-purpose AI model and place it on the EU market or put it into service under your name or trademark.

For a small software company, this can happen faster than expected. If you wrap a model into a SaaS product, market the AI feature as your product, and sell it to EU customers, you may not be “just using ChatGPT.” You may be providing an AI system.

Deployer

You are likely a deployer if you use an AI system in a professional context.

A retailer using AI for customer support, a recruiter using an AI ranking tool, a clinic using AI transcription, or an agency using generative AI for client work may all be deployers. Deployer obligations are usually lighter than provider obligations, but they are not zero.

Importer or distributor

You may be an importer or distributor if you make an AI system from outside the EU available in the EU market. This matters for resellers, marketplaces, integrators and channel partners.

Product manufacturer

If AI is embedded in a regulated product, the AI Act can interact with product safety rules. This is especially relevant for medical devices, machinery, toys, lifts, vehicles and other regulated categories.

For most small businesses, the provider-versus-deployer distinction is the first fork in the road.

Then classify the AI use

The AI Act uses a risk-based structure. Small companies should not start by reading every article line by line. Start by sorting systems into practical buckets.

Prohibited AI practices

Some practices are banned. The exact boundaries matter, but the general category includes AI uses the EU treats as unacceptable risk. If your use case touches manipulation, exploitation of vulnerabilities, social scoring, certain biometric categorisation, or real-time remote biometric identification in public spaces, stop and get specialist advice.

For ordinary small businesses, this bucket is less common than the others. But it is the first thing to rule out because the tolerance is low.

High-risk AI systems

High-risk is where the Act becomes operationally heavy.

The obvious small-business traps are not futuristic robots. They are everyday tools in sensitive domains: hiring, worker management, education, access to essential private or public services, creditworthiness, biometric identification, critical infrastructure, law enforcement, migration and justice-related uses.

If your company uses AI to rank job applicants, score employees, filter students, assess eligibility, recommend credit decisions or influence access to important services, you should assume this needs serious review.

Under the current political agreement, many high-risk obligations may be delayed beyond 2 August 2026, but that does not make them irrelevant. Procurement cycles, documentation, vendor negotiations and workflow redesign often take months.

Transparency-triggering AI

Some AI uses require people to be told what is happening.

This is especially relevant for chatbots, synthetic audio, synthetic video, image generation, deepfake-style content and AI systems that interact directly with people. A small marketing team using ElevenLabs, HeyGen or Runway for synthetic media should think less about “AI content is cool” and more about disclosure, consent, rights, provenance and recordkeeping.

That does not mean every AI-generated image needs a dramatic warning label in every context. It does mean the team needs a policy for when content is synthetic, when people could reasonably mistake it for real, and how disclosure is handled.

General-purpose AI model exposure

Most small businesses are not providers of general-purpose AI models. They are customers of model providers.

If you use frontier models through APIs or commercial tools, the model provider carries the main GPAI provider obligations. But you still need to understand what the model is doing inside your product, what data you send to it, what outputs affect users, and what your own product claims.

If you fine-tune, package or redistribute a model, the analysis changes.

Low-risk internal productivity use

Using AI to draft emails, summarize meeting notes, brainstorm copy or generate first-pass code is usually a lower-risk category under the AI Act. That does not mean it is risk-free. Privacy, confidentiality, copyright, security and employment rules can still matter.

But for AI Act triage, low-risk internal productivity use should not consume the same compliance budget as hiring, credit, health or education decisions.

The small-business AI inventory

You cannot comply with what you cannot see. The most useful first artifact is a simple AI register.

Create one row per system or workflow. Include:

  • system name;
  • vendor or internal owner;
  • business purpose;
  • users and affected people;
  • input data;
  • output and how it is used;
  • whether the output influences decisions about people;
  • EU users or EU market exposure;
  • company role: provider, deployer, importer, distributor or manufacturer;
  • likely risk category;
  • human review point;
  • vendor documentation received;
  • retention, logging and incident process;
  • next review date.

This can start as a spreadsheet. The point is not tool sophistication. The point is that someone can ask “where do we use AI?” and get a defensible answer in one place.

What to ask vendors

Small companies often hear the phrase “AI Act compliant” from vendors. That phrase is too vague to be useful.

Ask sharper questions:

  • What role do you consider yourself under the AI Act for this product?
  • Do you consider this system high-risk in any intended use?
  • What uses do you prohibit in your terms?
  • What documentation can you provide for risk management, data governance, testing, logging, human oversight and accuracy?
  • Does the product generate synthetic audio, image, video or text that needs disclosure?
  • Where is data processed and retained?
  • Can we disable AI features we do not need?
  • How will you notify customers about substantial model or system changes?
  • Do you support audit logs and exportable records?

If the vendor gives only marketing copy, treat that as a procurement risk. For high-impact workflows, you need evidence you can keep.

What to do if you use AI in hiring

Recruiting is one of the easiest places for small businesses to underestimate the AI Act.

If an AI tool screens, ranks, scores or recommends candidates, the system may fall into a high-risk employment category. Even when the vendor is the provider, the employer using the system may still have deployer responsibilities.

Practical steps:

  • identify whether the tool merely assists admin work or influences candidate selection;
  • avoid fully automated rejection without meaningful human review;
  • keep records of how recommendations are used;
  • check whether candidates need notice;
  • ask the vendor for high-risk documentation and intended-use statements;
  • test whether the tool behaves differently across protected groups where lawful and feasible;
  • make sure hiring managers understand the limits of the score or ranking.

The key distinction is influence. A scheduling assistant is one thing. A candidate ranking system that decides who gets interviewed is another.

What to do if you create synthetic media

Generative media tools are now ordinary business software. The compliance issue is that synthetic content can mislead people.

For marketing, education, training and support teams, build a lightweight disclosure policy:

  • disclose AI-generated or AI-manipulated media when a reasonable person could mistake it for real;
  • get explicit permission before cloning a real person’s voice or likeness;
  • keep release forms and source files;
  • label fictional avatars clearly in sensitive contexts;
  • avoid synthetic endorsements from people who did not give permission;
  • review local consumer protection, advertising and privacy rules alongside the AI Act.

If you use voice or avatar products such as ElevenLabs, HeyGen, Hume AI or video-generation tools such as Runway, the operational question is not whether the tool is impressive. It is whether your audience can tell what is real, what is synthetic and who authorized it.

What to do if you build AI into your own product

If your startup or agency ships an AI feature to customers, treat the AI Act as part of product management.

Before launch, write down:

  • intended use;
  • prohibited or unsupported uses;
  • model or vendor dependencies;
  • input and output data flows;
  • failure modes;
  • human oversight design;
  • logging and monitoring;
  • user-facing disclosures;
  • escalation path for harmful or wrong outputs;
  • update process when the model changes.

This is especially important if your product touches employment, education, finance, health, insurance, public services or safety-sensitive decisions.

For ordinary AI assistants, the documentation can be short. For high-risk or borderline systems, it needs to become real compliance evidence.

What not to overdo

Small businesses can waste money by treating every AI use as if it were a certified medical device.

Do not start with a 90-page policy nobody reads. Do not buy a compliance platform before you know your AI inventory. Do not rely on a vendor badge without understanding your own role. Do not assume that because a tool is popular, your use of it is low-risk.

A good first version is boring and useful: a register, a role map, a risk classification, a vendor evidence folder, a disclosure policy and a review calendar.

A practical 30-day plan

Week 1: map the AI footprint

Find every AI system in use: official tools, browser extensions, embedded SaaS features, API integrations, internal automations and experiments. Include tools used by marketing, HR, support, sales, finance and engineering.

Week 2: classify and prioritize

Mark systems that affect people’s opportunities, rights, access, eligibility, employment, education, credit, health, safety or essential services. These get priority.

Separate internal productivity tools from systems that face customers or influence decisions.

Week 3: collect evidence

Ask vendors for AI Act position statements, technical documentation, data processing information, transparency features, logs and change-notification processes.

For internal systems, write your own one-page system note.

Week 4: fix the obvious gaps

Add notices where users interact with AI. Add human review where outputs influence important decisions. Remove AI features nobody owns. Restrict risky uses in policy and product settings. Assign an owner for quarterly review.

The deadline that matters most

For many small businesses, 2 August 2026 is the date that forces the inventory conversation. It is not the end of the story.

Some obligations already apply. Some are due on 2 August 2026. Some high-risk obligations may move to 2027 or 2028 if the May 2026 simplification package is formally adopted. Some legacy and public-authority-related provisions have their own timelines.

That uncertainty is exactly why small businesses should start with facts they control: what AI they use, what it does, who it affects, what vendors can prove, and where human judgment remains in the loop.

The companies that handle this well will not be the ones with the thickest policy PDF. They will be the ones that can answer a simple question without panic: “Show me where AI makes or influences decisions in this business.”