What's already law, what hits in August 2026, and what you actually have to do about it, without a legal team.
This guide is for informational purposes only and does not constitute legal advice, regulatory advice, or the establishment of any professional relationship between you and Vectimo GmbH or its representatives.
The EU AI Act, its implementing measures, national transposition laws, and official Commission guidelines are evolving rapidly. The information in this guide reflects research current as of May 2026. It may be incomplete, subject to change, or superseded by subsequent regulatory developments, including the Digital Omnibus package, which remains in trilogue as of publication.
Nothing in this guide should be relied upon as a substitute for advice from a qualified lawyer, compliance professional, or specialist in EU AI regulation. Before making compliance decisions with legal or financial consequences, consult a licensed legal professional in the relevant jurisdiction.
Fines, deadlines, and article references are cited from publicly available official sources. Verify all figures against the current EUR-Lex text of Regulation (EU) 2024/1689 before acting on them.
Three enforcement waves have already started. Most SMEs missed two of them.
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024. It operates on a staggered enforcement schedule: different obligations kick in at different dates, with the largest tranche (covering most AI systems used in employment, credit, transport, and services) activating on 2 August 2026.
The numbers are unambiguous about where awareness stands. A survey of 3,200+ employees across 11 Central and Eastern European countries (AI Chamber of Commerce, 2024) found that only 39% of AI users are aware of what the EU AI Act actually requires. Just 8% say their organisation is ready for a compliance audit.[1] These are not outliers. The gap between regulatory obligation and organisational readiness is structural, and the 2 August 2026 deadline is closing in fast.
There is also a broader adoption gap that compounds the compliance gap. Eurostat data shows 41.2% of large enterprises used AI in 2024 versus just 11.2% of small businesses.[3] SMEs are simultaneously the least experienced with AI deployment and, under the Act, subject to the same legal obligations as multinationals, albeit with fine structures that scale down proportionally.
The regulation is also not entirely future-tense. Two major obligation categories applied before most SMEs started paying attention. The rest of this guide explains exactly what is live, what is coming, and what you actually have to do about it.
Your first job is to place every AI tool your company uses into one of four categories. The obligations flow from there.
The EU AI Act structures AI systems into four tiers based on the risk they pose to fundamental rights, safety, and society. The tier determines what you must do, and the difference between tiers is not subtle. A high-risk deployer has specific documentation, oversight, and notification obligations. A minimal-risk deployer has none.
Not every system listed in Annex III is automatically high-risk. Article 6(3) allows the provider of an AI system to self-assess and document that, despite falling within an Annex III category, the system does not pose a significant risk to health, safety, or fundamental rights, for example because it only assists humans rather than making or influencing decisions.
For SME deployers, this means: check your vendor's documentation. A reputable provider selling into regulated categories should have completed this assessment and provided you with a declaration of conformity. If they haven't, that is itself a red flag and a contractual gap to address before August 2026.
Sources: Art. 6 (artificialintelligenceact.eu) · EC AI Act Service Desk
This single classification determines whether your compliance cost is €5,000 or €200,000.
The EU AI Act assigns obligations differently depending on your role in the AI supply chain. The two primary roles are provider (you build or train the AI system) and deployer (you use someone else's AI system in your own operations). There is also a trap between them: the "substantial modification" rule.
The realistic picture for a 10–250 person European service, trade, or transport company: you are almost certainly a deployer, not a provider. You are using Workday, SAP, Microsoft Copilot, Salesforce Einstein, ChatGPT Enterprise, or similar tools built by someone else. Your obligations under Article 26 are meaningful but tractable.
For high-risk AI systems, Article 26 imposes the following obligations on deployers. These are not suggestions:
Annex III lists eight domain categories. Three of them are relevant to most European SMEs. One is extremely common and widely misunderstood.
Annex III of the EU AI Act defines the eight categories in which AI systems are classified as high-risk. Understanding which of these apply to your operations is the most important practical step in the compliance process. Here is an honest assessment of SME relevance for each:
| Annex III Category | What it covers | SME relevance |
|---|---|---|
| 1. Biometrics | Real-time biometric ID in public (banned for most uses), biometric categorisation using sensitive attributes, emotion recognition | High if you use biometric attendance, access control with facial recognition, or emotion analysis in customer-facing or HR contexts |
| 2. Critical infrastructure | Safety components for power, water, gas, transport infrastructure | Mainly relevant to infrastructure operators and large transport firms. Unlikely for most SMEs. |
| 3. Education / training | AI determining access to educational institutions, evaluating learning outcomes | Relevant if you operate a training platform or use AI to assess employee qualification for roles. |
| 4. Employment & workforce | AI used to recruit, screen CVs, rank candidates, evaluate performance, make/influence promotion or dismissal decisions, monitor workers | Highest SME exposure. Any ATS with algorithmic ranking, AI performance scoring, or AI-assisted dismissal is in scope. Nearly every HR software platform with AI features qualifies. |
| 5. Essential services access | AI used in credit scoring, insurance pricing, emergency services routing | Relevant for SMEs using AI to assess client creditworthiness, set insurance-linked pricing, or route emergency services. |
| 6. Law enforcement | Predictive policing, suspect profiling, evidence evaluation | Not SME-relevant. |
| 7. Migration / border control | Risk assessment of asylum seekers, biometric verification in migration contexts | Not SME-relevant. |
| 8. Administration of justice | AI assisting courts or dispute resolution bodies | Not SME-relevant. |
A 50-person carrier uses an off-the-shelf applicant tracking system to screen driver applications. The ATS ranks candidates algorithmically based on CV content. Under Annex III, point 4 ("AI intended to be used for recruitment or selection of natural persons, notably for advertising vacancies, screening or filtering applications, evaluating candidates"), this is a high-risk AI system. The logistics firm is a deployer. Article 26 obligations apply: human oversight, worker notification, 6-month log retention, anomaly monitoring. The firm must notify candidates that an AI system was used in their assessment.
A manager at a 30-person service firm uses ChatGPT to draft structured performance assessments for annual reviews. The outputs feed into promotion and salary decisions. Even if no dedicated "HR AI system" is deployed, the employer is the deployer of a general-purpose AI system being used for an employment decision. The Article 4 AI literacy obligation applies to the employer from 2 February 2025. If the use is systematic and influences decisions, the Annex III employment category may also apply. The practical question is not "did we buy an AI HR tool?" but "is AI being used in decisions that affect our employees?"
The same logistics firm uses AI for route planning, fuel efficiency optimisation, and demand forecasting. None of these decisions relate to fundamental rights of individuals. They are operational efficiency tools. These are almost certainly minimal-risk AI systems. No Annex III category applies. No mandatory obligations under the Act. The compliance effort here is zero beyond keeping this classification documented.
The operative question for every AI tool: Does this AI make or significantly influence a decision that affects a person's rights, access to services, employment, or safety? If yes, classify carefully. If no, move on.
Sources: Annex III (artificialintelligenceact.eu) · AI in HR under the AI Act (pitch.law) · Annex III employment analysis (knowlee.ai)
Two of the three major enforcement phases have already passed. Check your status before reading the rest of this guide.
- 1 August 2024: Regulation (EU) 2024/1689 published in the Official Journal and entered into force. The staggered enforcement clock started.
- 2 February 2025: Article 5 (prohibited practices) became applicable. Eight categories of AI use are banned outright. If your company uses social scoring, subliminal manipulation, emotion recognition in workplaces, or real-time biometric identification in public spaces for prohibited purposes: these are illegal now. The European Commission published official guidelines on Article 5 on 4 February 2025. Article 4 (AI literacy) also applied from this date. Providers and deployers of AI systems are required to take measures "to their best extent" to ensure staff who work with AI have sufficient AI literacy. This is a best-efforts obligation (not a hard audit standard), but it requires documented action. A structured internal training session with attendance records is the practical minimum deliverable.
- 2 August 2025: Article 99 penalty provisions for Article 5 violations became active. Regulators can now levy fines for prohibited practice breaches. The fine cap for prohibited practices: €35 million or 7% of global annual turnover, whichever is lower for SMEs. Article 53 (GPAI obligations) applied for providers of general-purpose AI models: foundation models, large language models. If your business provides a software product built on top of an LLM and sold to third parties, Article 53 applies. Note: GPAI models already on the market before 2 August 2025 have a grandfathering period until 2 August 2027 to achieve full compliance.
- 2 August 2026: Full Annex III high-risk deployer obligations (Article 26), conformity assessment requirements, EU database registration, and national authority enforcement of all provisions. This is the deadline that matters most for most SMEs. As of 1 May 2026, no formal deferral has been enacted. The Digital Omnibus proposal is still in trilogue.
If the Digital Omnibus package is enacted, stand-alone Annex III systems would have until 2 December 2027 to comply (AI embedded in regulated products: 2 August 2028). As of 1 May 2026 this is a proposal, not law. The second trilogue failed on 28 April 2026.
Sources: Implementation timeline (artificialintelligenceact.eu) · Art. 5 Guidelines (European Commission) · AI Literacy FAQ (European Commission)
Seven steps. Roughly 15–20 hours of internal time for a 50-person company. Most of it is documentation, not engineering.
Step 1: AI inventory. List every AI tool the company uses or has access to. Include SaaS platforms with embedded AI features (not just dedicated "AI tools"). For each tool, document:
Common misses: AI features inside HR/payroll platforms, AI-powered email tools, scheduling tools with "smart" routing, embedded scoring in CRMs.
Step 2: Risk classification. For each tool in your inventory, assign a risk tier: Prohibited / High-Risk / Limited-Risk / Minimal-Risk. Use the Section 2 framework. Flag anything where the classification is uncertain. These cases need a vendor conversation or legal check before August 2026.
Key question for each tool: Does this AI make or significantly influence a decision about a person: their employment, their access to services, their safety?
Step 3: Deployer gap analysis. For each system classified as high-risk, confirm that the following Article 26 obligations are met or in progress:
Step 4: AI literacy training. Article 4 requires documented measures to ensure AI literacy among staff. The obligation is best-efforts, not certification. A structured internal training session (covering what AI systems the company uses, their limitations, when to override them, and how to report concerns) with recorded attendance satisfies the obligation. This document is what an authority would ask for first.
Minimum viable deliverable: a 1–2 hour session agenda, slide deck or notes, attendance register, and a dated record of completion.
Step 5: AI Use Policy. A one-page (or short) internal policy covering: approved tools, prohibited uses (social scoring, emotion AI, shadow AI without employer sanction), how AI-influenced decisions must be reviewed by a human, escalation path for AI-related concerns, and incident reporting. This is the first document a regulator or employment tribunal will request. It also disciplines shadow AI use, which is your biggest uncontrolled exposure right now.
Step 6: Supplier contract review. Review contracts with any vendor providing AI systems classified as high-risk. Add a clause requiring them to: (a) notify you of any changes to the system's intended purpose; (b) provide updated technical documentation on request; (c) notify you of any serious incidents or regulatory actions involving the system. For new procurement, include this as a standard clause.
Step 7: Fundamental Rights Impact Assessment (FRIA). Article 27 requires a FRIA from deployers who are public bodies, or private entities deploying high-risk AI in contexts involving public-authority-like functions (e.g., passenger screening, public-benefit eligibility decisions) or particularly vulnerable populations. For most SMEs, this is not triggered. Logistics firms using AI-based driver scoring systems, or financial services SMEs using AI in credit decisioning for individuals, should check with a compliance specialist whether Article 27 applies to their specific deployment.
The proposed postponement is not law. And even if it passes, the compliance work is the same.
In November 2025, the European Commission proposed the Digital Omnibus package, which includes amendments to the EU AI Act. The core amendment would postpone the application of Annex III high-risk obligations (the August 2026 deadline) to give businesses more time to prepare.
The proposed timeline under the Omnibus (if enacted):
| Obligation | Current deadline | Proposed Omnibus deadline | Status |
|---|---|---|---|
| Annex III high-risk systems (standalone) | 2 August 2026 | 2 December 2027 | Not yet law |
| Annex I high-risk (embedded in regulated products) | 2 August 2027 | 2 August 2028 | Not yet law |
| Article 5: Prohibited practices | 2 February 2025 (applied) | No change | In force |
| Article 4: AI literacy | 2 February 2025 (applied) | No change | In force |
| Article 53: GPAI obligations | 2 August 2025 (applied) | No change | In force |
Even if the Omnibus passes before August 2026, the compliance work it would defer is not avoidable. It is only postponed. Every deployer of high-risk AI will eventually need to document their AI systems, establish human oversight, notify workers, and retain logs. Doing this work before a hard legal deadline is always cheaper and less stressful than doing it under enforcement pressure.
The companies that complete their AI inventory, classify their tools, and establish governance documentation by August 2026 will have two advantages: they are immediately compliant if the Omnibus fails, and they have a governance foundation that makes future compliance cheaper. The companies that wait may get lucky on timing, but almost certainly will not have better documentation come December 2027.
There is also a commercial dimension. Enterprise clients, banks, and public-sector buyers are beginning to require AI compliance documentation as a condition of procurement. The first SMEs in each sector with clear AI governance documentation will gain a trust advantage over competitors who treated compliance as a problem for later.
Sources: EP position (europarl.europa.eu) · Omnibus analysis (A&O Shearman) · Trilogue failure reporting: The Next Web, 29 April 2026
The frightening numbers you've seen are for AI providers. Most SMEs are deployers. The cost profile is very different.
Cost figures cited in EU AI Act coverage tend to be provider-side, covering the companies building high-risk AI systems and selling them to the market. The European Centre for Political Studies (CEPS) modelled initial QMS setup costs for high-risk AI providers at €193,000–€330,000, with annual maintenance of €71,400.[5] These are real figures for a software company building a regulated AI product from scratch. They are not figures for an SME deployer using that product.
For SME deployers, the cost picture is radically different. The compliance work is primarily organisational: an AI inventory, a risk classification exercise, documentation, training, and a policy document. The primary input is time, not external spend.
| Scenario | Role | Estimated cost | Primary work |
|---|---|---|---|
| Only minimal-risk AI (route optimisation, demand forecasting, spam filters) | Deployer | €0–500 | Document the classification. Nothing else required. |
| Limited-risk AI only (customer chatbot, AI content generation) | Deployer | €500–2,000 | Transparency disclosures + AI Use Policy + Article 4 training. |
| Off-the-shelf high-risk AI (ATS with ranking, AI performance scoring, credit AI) | Deployer | €5,000–25,000 | Legal review of classification, vendor audit, Article 26 documentation, training programme, log retention setup, worker notifications. |
| Building / fine-tuning high-risk AI (custom model, trained on proprietary data) | Provider | €75,000–200,000+ | QMS, technical documentation, conformity assessment, EU database registration. Consult a specialist. |
| Building GPAI / foundation models | Provider | €200,000–500,000+ | Full Article 53 + provider obligations. Not an SME scenario in practice. |
Three fine tiers apply under Article 99, each capped at a fixed amount or a percentage of global annual turnover, whichever is lower for SMEs.[6]
- Prohibited practices (Article 5): €35 million or 7% of global annual turnover. For a €5M turnover SME: capped at €350,000. Existential exposure.
- Other obligations, including the Article 26 deployer duties: 3% of global annual turnover. For a €5M turnover SME: capped at €150,000. Serious but survivable.
- Providing incorrect information in a regulatory review or audit: the lowest tier, again capped at a percentage of global annual turnover.
The EU AI Act does not designate a single enforcement authority. Member States are designating their own national competent authorities, and sector-specific regulators often have concurrent jurisdiction. Germany has Bundesnetzagentur as the lead authority, but BaFin has jurisdiction over financial AI, sectoral health authorities over medical AI, and so on. Ireland has designated 15 separate regulators depending on the AI use case. For cross-border SMEs, this means knowing which authority has jurisdiction over your specific deployment is itself a compliance task.
Four weeks. 15–20 hours of internal time. The output is an audit-ready compliance posture for most SME deployers.
| Week | Action | Owner | Output |
|---|---|---|---|
| Week 1 | AI inventory: all tools, use cases, decisions influenced, data processed | Ops / IT / CEO | Spreadsheet: tool name, vendor, use, risk-tier (draft) |
| Week 2 | Risk classification: assign each tool to Prohibited / High / Limited / Minimal | CEO + legal (if available) | Classified inventory; flag ambiguous cases for vendor conversation |
| Week 2–3 | Deployer gap analysis: for each high-risk tool, check Article 26 obligations against current state | Ops / HR / IT | Gap list: what's missing (oversight person, logs, worker notification, vendor docs) |
| Week 3 | AI literacy training: design and run the first session for relevant staff | HR / CEO | Session notes, attendance register, completion date recorded |
| Week 3–4 | Vendor outreach: request technical documentation and declaration of conformity for high-risk systems | Procurement / CEO | Docs received or formal request on record (protects you) |
| Week 4 | AI Use Policy: draft and approve the internal policy | CEO + HR | Signed AI Use Policy v1.0 |
| Week 4 | Supplier contract review: add AI Act compliance clause to existing and future contracts | Legal / CEO | Contract addenda or updated standard terms |
Working with Vectimo
Three paths, depending on where you are in this process. No vendor affiliations. Fixed prices. EU-first.
Vectimo is an AI consulting agency for European SMEs, founded by Felix Steinhauser, former Director of AI Strategy at SIXT SE. The firm's positioning is operator-first: we have built and deployed AI systems inside large European businesses, and we apply that experience to SME contexts in service, trade, and transportation. The EU AI Act compliance work above is not theoretical for us. It is the governance foundation we apply to every client engagement.
This guide covers the full compliance roadmap. The accompanying one-page checklist gives you the 30-day sprint in portable form. If your AI exposure is minimal-risk only, this may be all you need.
A structured 3-hour session plus a full written report: AI inventory, risk classification, deployer obligations gap analysis, and a prioritised action plan. The output is a document you can show a regulator, a client, or a bank.
As the AI Act matures (Omnibus outcome, national authority guidance, sector-specific rules), your compliance posture needs maintenance. Quarterly reviews, vendor contract monitoring, incident response support.
The AI inventory, classification, and documentation work takes 15–20 internal hours for a 50-person company. The AI Operations Audit compresses that into one structured session and delivers a written report your team can execute against.
References
Primary official sources used in this guide. All regulatory citations should be verified against current EUR-Lex text before reliance.
This guide reflects the regulatory landscape as of May 2026. The EU AI Act and its implementing measures are evolving. The Digital Omnibus remains in trilogue. National competent authorities are still being designated. Commission guidelines on Article 6 risk classification were due by February 2026 and continue to be refined. Check artificialintelligenceact.eu and your national authority's guidance before making compliance decisions. When in doubt, consult a qualified legal professional.