The EU AI Act for Small Businesses — What You Actually Have to Do Before August 2026
Somewhere between "the EU banned AI" headlines and consultants selling €50,000 compliance programs sits the boring truth: if you run a small business that uses AI tools, the AI Act probably asks three modest things of you — and one of them has a deadline on August 2, 2026.
I audit AI usage in SMBs for a living. Let me give you the version of the AI Act you can act on in an afternoon — with the standard caveat that this is practitioner guidance, not legal advice.
First, which hat are you wearing?
The AI Act splits the world into roles, and your obligations depend almost entirely on which one you occupy:
- Provider — you build or sell AI systems under your own name. Heavy obligations for high-risk systems: conformity assessment, documentation, registration.
- Deployer — you use AI systems in your business. Much lighter obligations, mostly transparency and oversight.
A typical SMB — using a chatbot on the website, an AI layer that reads incoming orders, ChatGPT for marketing texts, maybe an HR tool that pre-sorts CVs — is a deployer. That single fact removes about 80% of the scary content from the regulation.
The nuance worth knowing: if you have custom AI software built for you and offer it under your own brand, the provider hat can slip onto your head. Worth checking during any AI readiness assessment.
The four risk tiers, in plain words
Every AI use in your company lands in exactly one bucket:
1. Prohibited (banned since February 2025). Social scoring, emotion recognition at the workplace, manipulative techniques causing harm. If any tool you use does this, stop using it. For a normal wholesale, retail or services SMB, this bucket is empty.
2. High-risk (the August 2, 2026 deadline). This is Annex III territory: AI making or substantially influencing decisions about employment (CV screening, promotion, termination), credit, education, essential services. From August 2, 2026, high-risk systems must run with risk management, logging, human oversight and data governance — and deployers have real duties too: use the system per its instructions, ensure human oversight, keep logs, inform affected people.
The SMB translation: the most common high-risk trap is HR. If a tool ranks or filters job applicants with AI, you're a high-risk deployer. Either drop the AI ranking, or make sure the provider is compliant and a named human genuinely reviews decisions.
3. Limited risk — transparency. Chatbots and generated content. People must be able to tell they're talking to a machine, and synthetic content must be identifiable. A disclosure line in the chat window covers most of it.
4. Minimal risk — everything else. Spam filters, demand forecasting, route optimisation, AI code assistants, an order-parsing assistant that a human approves. No specific obligations.
There's one horizontal duty that already applies to everyone since February 2025: AI literacy (Article 4). Staff using AI tools need to understand what the tools do and where they fail. A half-day internal training with a written record is a proportionate answer for a small company.
The afternoon audit: five steps
Here's the sequence I run with clients, compressed:
- Inventory. List every AI touchpoint — official and shadow. The unofficial ChatGPT usage in sales is part of your risk surface. Typical SMB list: 5–15 items.
- Classify. Each item into one of the four buckets. Be honest about HR tools.
- Close the gaps. Chatbot disclosure line (an hour of work). Human-in-the-loop for anything touching employment decisions. A one-page internal AI usage policy: which tools are approved, what data must never be pasted into them, who approves new ones.
- Do the literacy training. Half a day, everyone who touches AI tools, keep the attendance record.
- Document that you did 1–4. Not because an inspector is coming tomorrow — because documentation is the difference between "we comply" and "we can show we comply". Poland's supervisory structure is still maturing, but the obligations apply regardless.
That's genuinely it for most small businesses. No conformity assessments, no notified bodies, no €50k program.
Why I'd do it before August anyway
Three reasons, none of them fear-based:
- The deadline is real for one specific area. If AI touches your hiring, August 2, 2026 is your date. Everything else is already in force or doesn't apply to you.
- Your B2B clients are starting to ask. Larger companies push compliance down their supply chain. "Do you use AI to process our data, and under what controls?" is appearing in vendor questionnaires. A one-page answer wins deals quietly.
- The inventory pays for itself. Every time I run one, we find something better than a compliance gap: a process where AI would save real hours, or a tool being paid for twice. Compliance is the excuse; the map is the value.
Where this fits in an AI readiness audit
I fold AI Act classification into every AI readiness audit I deliver: you get the inventory, the risk classification, the gap list with effort estimates, and the usage policy template — alongside the actual point of the audit, which is finding where AI makes your business money. Compliance as a by-product of strategy, not a project of its own.
More questions? There's a FAQ covering how I work.
Want the inventory, classification and gap list done for your company — plus a roadmap of where AI actually pays off? That's the AI Readiness Audit, fixed price, two weeks.
Let’s talk about your project
Free 30-minute consultation. We’ll figure out if and how I can help.



