← All notes

The EU AI Act from August 2026: what actually applies to SMEs

9 July 2026 · 3 min read · Robert Van Ysendyck

If you searched "EU AI Act August 2026" this year, most of what you found is already outdated. In June 2026 the EU adopted the so-called Digital Omnibus, which rewrote the timeline weeks before the deadline. Here is what actually applies to a typical SME, as of 9 July 2026.

The big relief: high-risk rules moved to December 2027

The heavyweight obligations for "high-risk" AI systems (think recruitment scoring, credit decisions, performance monitoring) were scheduled for 2 August 2026. The omnibus deferred them to 2 December 2027, and product-embedded AI to 2028. If a consultant is currently selling you a high-risk compliance project "before August," ask them about the omnibus.

What does start on 2 August 2026: transparency

Article 50 was not delayed. From 2 August 2026:

Fines for transparency breaches become enforceable at the same time: up to 15 million euros or 3 percent of turnover. The SME rule caps this at whichever is lower, so a company with 2 million euros in revenue faces a maximum of roughly 60,000 euros, not 15 million. Still not a rounding error.

What a typical SME automation is (and is not)

The good news that rarely makes headlines: FAQ chatbots, phone agents that book appointments, invoice extraction, quote drafting and internal knowledge copilots are not high-risk systems under Annex III, provided a human makes the consequential decisions. They fall under the transparency rules above and nothing more.

Where you cross the line: AI that screens or scores job candidates, decides promotions or terminations, monitors employee performance by behavior, or scores creditworthiness. That is Annex III territory, with the heavy obligations arriving December 2027.

The duty you already have: AI literacy

Since February 2025, companies using AI must take measures to support staff AI literacy. The omnibus softened this: you must support literacy, not guarantee a level. In practice, a short training and a record of it satisfies the duty. It is the cheapest compliance item on this list.

Who enforces this in Austria and Germany

Austria runs a central contact point, the KI-Servicestelle at RTR, while the formal designation of market-surveillance authorities is still pending. Germany passed the KI-MIG in June 2026, making the Bundesnetzagentur the central AI supervisor. Both countries must operate at least one regulatory sandbox from August 2026, with priority access for SMEs.

A practical checklist for August

  1. If you run a chatbot or voice agent: confirm it discloses being AI at first contact.
  2. If you publish AI-generated content: check your tools mark it as such.
  3. Document a short AI-literacy measure for your team.
  4. If you use AI anywhere near hiring or employee evaluation: put a proper Annex III assessment on your roadmap for 2027.
  5. Everything else: build, but build supervised. Human sign-off is not just good compliance, it is good engineering.

We build every system to these rules by default: disclosure built into chatbots and voice agents, human sign-off where it matters, and the documentation you would need if anyone asks.

This is a practical orientation as of 9 July 2026, not legal advice. Primary sources: the Council's adoption of the Digital Omnibus (29 June 2026), Articles 50 and 99 of the AI Act, and Annex III.

Got a workflow like this?

Tell me about it. Honest take and a rough price, usually within a day.