AI Compliance · 2026-06-26 · 14 min read
The EU AI Act and 2 August 2026: What Actually Goes Live for Small Businesses

Michael Kaiser
Co-Founder & Head of Systems, Vincency
On 2 August 2026, the EU AI Act — Regulation (EU) 2024/1689 — reaches its general start of application. For small businesses the headline is simple: if you run an AI chatbot or voicebot, you must make sure people can tell they are talking to a machine (Article 50), and you must already have ensured a basic level of AI literacy among your staff (Article 4, in force since February 2025). The dangerous assumption I keep hearing is „the Digital Omnibus bought us time“. It did not, at least not here. The Omnibus is still a proposal on 26 June 2026, it mainly postpones the high-risk rules, and it does not touch the chatbot and deepfake labelling that affects ordinary practices, law firms, and agencies. So the honest answer is: the parts that hit small businesses go live on schedule, and waiting for relief that has not been adopted is a poor plan.
2 August 2026: what actually goes live
The AI Act did not arrive all at once. It switches on in stages, and the 2 August 2026 date marks the moment most of it becomes the general law (Article 113). Two things were already in force before that. Since 2 February 2025, the prohibition of certain AI practices (Article 5) and the AI literacy obligation (Article 4) have applied. Since 2 August 2025, the obligations for general-purpose AI models (GPAI, Articles 51–56) have applied to the providers of those models.
What changes on 2 August 2026 is twofold. First, the regulation reaches its general start of application: the transparency obligations of Article 50 become enforceable, and national market surveillance authorities can act against breaches — including breaches of the AI literacy duty that has technically applied since February 2025. Second, the enforcement of the GPAI rules by the European Commission and the AI Office, including fines under Article 101, begins on this date. The obligations existed before; the teeth arrive now. For completeness: GPAI models that were already on the market before 2 August 2025 have until 2 August 2027 to become compliant.
The GPAI distinction matters less directly for a small business than the date itself suggests, and it is worth saying why. A general-purpose AI model is the large foundation model underneath the tools — the engine, not the car. The obligations and the enforcement under Articles 51 to 56 and 101 land on the companies that build and supply those models, not on the practice that uses a chatbot powered by one. What the 2 August 2026 date signals for you is therefore not a new GPAI burden, but the broader fact that the whole regulation has moved from text on paper to a regime with authorities, deadlines, and penalties behind it. Reading the staged timeline correctly is half the work; the table below sets it out so the „what applies when“ question has a single answer.
| Date | What | Status |
|---|---|---|
| 2 Feb 2025 | Prohibited AI practices (Article 5), AI literacy (Article 4) | in force |
| 2 Aug 2025 | GPAI model obligations (Articles 51–56) | in force |
| 2 Aug 2026 | General start of application; GPAI enforcement & fines; Article 50 transparency | in force / live |
| 2 Dec 2026 | Watermarking (Article 50(2)) for legacy systems already in operation | planned (Omnibus) |
| 2 Aug 2027 | Legacy GPAI models must be compliant | in force |
| 2 Dec 2027 (at the latest) | High-risk systems under Annex III | planned (Omnibus, not yet in force) |
Article 50: who the transparency obligation hits
Article 50 is the part of the regulation that reaches the everyday business, and it is worth reading precisely rather than in the panicked summary that circulates on social media. It has four limbs. Paragraph 1: providers must design AI systems so that humans can recognise they are interacting with an AI — this is the classic chatbot disclosure. Paragraph 2: AI-generated content must be marked in a machine-readable way, the watermarking duty. Paragraph 3: deployers must inform people when emotion recognition or biometric categorisation is used. Paragraph 4: deployers must label deepfakes, and AI-generated text published to inform the public on matters of public interest.
The nuance that matters for a small business is the split between provider and deployer. The chatbot disclosure in paragraph 1 is primarily a provider obligation — the company that builds and supplies the system. The obligations that fall on you as a deployer directly are paragraphs 3 and 4. In plain terms: if you run a chatbot or voicebot built by someone else, the duty to design the „you are talking to an AI“ notice technically sits with the provider, but you should still make sure that notice is actually visible or audible to your callers and visitors. And if you publish deepfakes or AI-written content on topics of public interest, that labelling duty is squarely yours. A reservation bot that says „Hi, I'm the digital assistant of Practice X“ before it takes a booking has, in practice, done the important part.
It is worth being precise about who counts as a deployer, because the word does more work than it looks. Under Article 3(4), a deployer is anyone who uses an AI system in a professional capacity — which is exactly the medical practice, the law firm, and the real-estate office. You do not have to have built or modified anything; running a third-party tool in the course of your business is enough. That is why „we just bought it off the shelf“ is not a defence. The provider carries the design obligations, but the deployer carries the contextual ones, and the two roles can sit in the same company if you also adapt or rebrand the system you use.
Made concrete across the three professions I get asked about most, the picture is calm rather than alarming. A practice running an after-hours voice agent that says who it is and books appointments is essentially done on Article 50, provided the spoken disclosure is genuinely there. A law firm using a web chatbot to answer intake questions needs the same disclosure, plus a clear handover to a human the moment the conversation turns into actual legal advice. A real-estate agent generating property descriptions with AI is fine for ordinary listings, but the moment a synthetic image or video edit could be mistaken for a real photograph of a real property, the deepfake-labelling duty of paragraph 4 wakes up. None of this is exotic; it is good practice written into law.
The underestimated duty: AI literacy since February 2025 (Article 4)
The obligation almost nobody talks about is the one that has already been in force the longest. Article 4 requires both providers and deployers to ensure a sufficient level of AI literacy among the staff who deal with these systems on their behalf. It has applied since 2 February 2025. There is no dedicated EU-wide fine attached to Article 4, which is exactly why it gets ignored — but that is a misreading. From 2 August 2026, national market surveillance authorities can act on breaches, and AI literacy is the kind of duty that becomes visible the moment something goes wrong: a staff member who pastes patient data into a public model, or who trusts a hallucinated answer because nobody explained that the system can invent things.
The good news is that meeting Article 4 is not a compliance project; it is a half-day of structure. What „sufficient“ means scales with what you do — a practice using a booking bot needs far less than a firm using AI to draft client documents — but the floor is the same: the people who operate the system understand what it is, what it can and cannot do, and where the boundaries are. A documented internal training session and a short written usage policy are usually enough to demonstrate that you took the duty seriously. That documentation is also what you reach for if a supervisory authority ever asks.
What the Digital Omnibus postpones — and why it is no free pass
This is where I see the most wishful thinking, so let me be exact about the procedural status. The Digital Omnibus is formally COM(2025) 836 final, procedure 2025/0359(COD), tabled on 19 November 2025. On 16 June 2026 the European Parliament approved it (423 in favour, 57 against, 174 abstentions). But formal adoption by the Council — expected towards the end of June 2026 — and publication in the Official Journal are still outstanding. Until that happens, the original timetable is the law. On 26 June 2026, the Omnibus is a strong signal, not yet a rule you can build on.
What it plans to move is real but specific. The obligations for high-risk systems under Annex III (standalone systems) would shift from 2 August 2026 to no later than 2 December 2027. Annex I (AI embedded in products) would move from 2 August 2027 to 2 August 2028. The watermarking duty in Article 50(2) for legacy systems already in operation before 2 August 2026 would move to 2 December 2026. The Omnibus also introduces a new „small mid-caps“ category (under 750 employees) with SME-style relief.
Here is the part that turns the wishful thinking off. The Omnibus does not postpone Article 50 (chatbot and deepfake labelling), and it does not change the start of GPAI enforcement on 2 August 2026. What it postpones is, at its core, the high-risk obligations — the heavyweight regime for systems that decide on credit, employment, or access to essential services. For a typical practice, law firm, or agency, almost none of that bites in the first place. The obligations that actually apply to you — Article 4 literacy and Article 50 transparency — are precisely the ones the Omnibus leaves untouched. So „we have more time thanks to the Omnibus“ is, for most small businesses, simply false.
The reality of the fines
The numbers look frightening in isolation, and they are designed to. In each case the regulation applies the higher of a fixed amount and a percentage of global annual turnover:
- Prohibited practices (Article 5): up to EUR 35 million or 7 percent of global annual turnover.
- Other breaches, including Article 50: up to EUR 15 million or 3 percent.
- Incorrect or misleading information to authorities: up to EUR 7.5 million or 1 percent.
- GPAI breaches (Article 101): up to EUR 15 million or 3 percent.
For a small business there is one crucial inversion. Under Article 99(6), for SMEs and start-ups the fine is the lower of the fixed amount and the percentage — the opposite of the general rule. An SME is defined, following Recommendation 2003/361/EC, as a business with fewer than 250 employees and no more than EUR 50 million in turnover. For a practice with a turnover well under a million euros, the percentage is what governs, not the eye-watering headline figure. That is not a licence to ignore the rules — an authority can still order you to stop — but it does put the risk into proportion. The point of compliance here is not to dodge a EUR 35 million fine; it is to handle a routine duty routinely.
The AI Act also builds in genuine SME relief beyond the fines. Article 62 grants priority access to regulatory sandboxes and reduced fees; Article 11 together with Annex IV allows simplified technical documentation. One caveat worth stating clearly: the simplified quality-management option under Article 63 applies only to micro-enterprises with fewer than ten employees, not to all SMEs.
Seven steps every business can take now
None of this requires a compliance department. Here is the concrete sequence I would walk through with any small business that uses AI in its customer-facing or back-office work:
- Build an AI inventory. Where do we actually use AI? Chatbots, voicebots, AI-generated text and images in marketing, internal tools. You cannot govern what you have not listed.
- Make the AI disclosure visible. Users must be able to recognise they are talking to an AI (Article 50). A short opening line on the bot, a sentence on the page.
- Label synthetic content. Deepfakes and AI-generated text on matters of public interest get marked as such.
- Demonstrate AI literacy. Train staff, document a usage policy (Article 4). Half a day and a one-page document usually covers it.
- Check for high-risk. Does our system assess people or decisions? For pure appointment booking, the answer is normally no — but it can flip if the system starts triaging or evaluating.
- Couple it with data protection. Data processing agreements with your AI providers, documented data flows (GDPR). AI compliance and GDPR are two sides of the same file.
- Assign responsibility. Who monitors compliance, keeps the documentation, and updates it as the law moves? A named person beats a vague intention.
Compliance is not a brake — it is part of the AI strategy
The framing I want to push back on is „the AI Act slows us down“. It does not, if you treat it as part of the design rather than a tax bolted on afterwards. A visible AI disclosure is not a legal nuisance; it is a trust signal. Customers who know a machine answered, and that you said so plainly, extend more trust to the cases where a human takes over. The same is true of documented data flows: the practice that can show where patient data goes is the practice patients keep. We treat these obligations as part of how an AI integration is built, not as a hurdle to clear once the bot is already live. You can see how that fits into the broader picture of what we do under services, and the cheapest moment to get the disclosure, the literacy, and the data flows right is before the system ships, which is exactly when we like to have the conversation — the kind of conversation that belongs on a first call, not in a letter from a supervisory authority.
There is one place where strategy and compliance genuinely converge, and it is the high-risk question. A pure appointment or service bot is, as a rule, not a high-risk system. But the classification can flip the moment the system stops scheduling and starts judging — the clearest example being a medical bot that moves from „here are the next free slots“ to triaging urgency or sorting an emergency, which can pull it into Annex III. That is not a reason to avoid AI; it is a reason to design the boundary deliberately. Decide, up front, what the agent is allowed to decide and where it must hand a human the wheel. Done well, that boundary is simultaneously the smarter product and the lighter compliance position — the same line that keeps you out of the high-risk regime is the line that keeps a machine from making a call it should not. This is exactly why we do not bolt the legal review onto a finished bot: the scope decision that determines your risk class is a strategy decision, and it is cheapest to make before a single line of the integration is written.
Conclusion
The 2 August 2026 deadline is real, and for small businesses it is also manageable. The parts that affect you — the chatbot and deepfake transparency of Article 50, the AI literacy of Article 4 — are not postponed by the Digital Omnibus, which on 26 June 2026 is still only a proposal. The heavyweight high-risk regime, which the Omnibus does aim to delay, mostly does not apply to a practice, a law firm, or an agency in the first place. So the sensible move is neither panic nor the comfortable wait for relief that has not been adopted. It is the seven unglamorous steps above: list your AI, disclose it, label synthetic content, train your people, check for high-risk, couple it with GDPR, and name someone responsible. Do that, and the deadline stops being a threat and becomes what it should be — a baseline you have already cleared.
Frequently asked questions about the EU AI Act and the 2 August 2026 deadline
Does the EU AI Act apply to my small practice, law firm, or real-estate office too?
Yes. The AI Act does not hinge on company size but on your role. Anyone who uses an AI chatbot or voicebot professionally is a „deployer“ under Article 3(4) and must meet the relevant obligations — in particular AI literacy under Article 4 (in force since 2 February 2025) and the transparency obligations under Article 50 (from 2 August 2026). SMEs and start-ups enjoy relief such as simplified documentation and lower fine ceilings, but there is no blanket exemption.
Do I have to label my AI chatbot or voicebot?
In practice, yes. Article 50(1) requires that people can recognise they are interacting with an AI. That is primarily a provider obligation, but as a deployer you should make sure the AI disclosure is visible or audible on your chatbot or voicebot. The obligations that fall on the deployer directly are Article 50(3) (informing people about emotion recognition and biometric categorisation) and Article 50(4) (labelling deepfakes and AI-generated text on matters of public interest). These obligations apply from 2 August 2026.
What exactly has the „Digital Omnibus“ postponed — and can I rely on it?
As of 26 June 2026 the Digital Omnibus (COM(2025) 836) is not yet in force: the European Parliament approved it on 16 June 2026, but formal adoption by the Council and publication in the Official Journal are still pending. The main planned change is a postponement of the high-risk obligations (Annex III) to no later than 2 December 2027. You cannot legally rely on it yet — until publication, the original timeline applies. Crucial for small businesses: Article 50 (chatbot and deepfake labelling) is NOT postponed by the Omnibus.
What happens if you breach the rules?
The higher of two amounts applies in each case: prohibited AI practices (Article 5) up to EUR 35 million or 7 percent of global annual turnover; other breaches including Article 50 up to EUR 15 million or 3 percent; incorrect or misleading information to authorities up to EUR 7.5 million or 1 percent. Important for small businesses: for SMEs and start-ups, Article 99(6) applies the lower of the two amounts — the reverse of the general rule.
What is the AI literacy obligation (Article 4) and since when does it apply?
Article 4 requires providers and deployers to ensure a sufficient level of AI literacy among their staff — meaning the people operating AI systems must understand how they work and where their limits lie. This obligation has applied since 2 February 2025. There is no dedicated EU-wide fine for it, but national market surveillance authorities can act against breaches from 2 August 2026. In practice, a documented training session and a usage policy often suffice.
Do I absolutely need a lawyer for this?
For the basics — making the AI disclosure visible, training staff, keeping an AI inventory — not necessarily; you can implement this yourself in a structured way. But as soon as a high-risk classification is on the table (for instance because a system substantively assesses people or decisions) or fine risks become concrete, a law firm specialising in IT and AI law is the right address. This article is a general overview and does not replace legal advice.
Sources and legal note: Primary source: Regulation (EU) 2024/1689 (the AI Act), in particular Articles 4, 50, 99, 101, and 113. On AI literacy, the European Commission's AI literacy FAQ. On the planned changes, the Digital Omnibus COM(2025) 836 (status: approved by the European Parliament on 16 June 2026; not yet in force as of 26 June 2026 — formal Council adoption and publication in the Official Journal still pending). This article is a general overview to the best of our knowledge as of 26 June 2026 and does not replace legal advice. The legal situation — in particular around the Digital Omnibus — is in flux; for binding information, consult a law firm specialising in IT and AI law. Transparency: Michael Kaiser is a co-founder of Vincency and the founder of ArkeonTech.
Related insights




