The EU AI Act: What Your Business Must Do Before August 2026

A practical guide for SMBs on the EU AI Act. Which obligations apply, how to approach risk classification, and what a realistic path to the 2 August 2026 deadline looks like.

22 Apr 2026 · 11 min read · Productized Team

On 2 August 2026, the EU AI Act becomes fully applicable. That's a few months away. Recent research shows that more than 60% of European SMBs haven't started preparing yet. If you're in that group: this article is for you. We explain what the AI Act actually requires, which obligations specifically apply to SMBs, and what a realistic compliance path looks like.

Disclaimer up front: we are not lawyers. For the definitive interpretation of compliance requirements for your situation, consult a lawyer or compliance officer. What we are: engineers who put AI systems into production for mid-sized Dutch companies. This article is written from the angle of what you need to do technically and organisationally.

What is the EU AI Act in short?

The EU AI Act is the world's first comprehensive AI legislation. It classifies AI systems by risk level and sets obligations per level. The thinking: the greater the potential risk to people, the stricter the requirements.

Four risk categories:

Risk level | Examples | Obligations
Unacceptable | Social scoring, manipulative AI, real-time biometric identification in public spaces | Prohibited — not allowed
High risk | AI in healthcare diagnosis, recruitment, credit scoring, critical infrastructure, education | Strict: documentation, monitoring, human oversight, conformity assessment
Limited risk | Chatbots, deepfakes, emotion recognition, AI-generated content | Transparency obligations — users must know they're interacting with AI
Minimal risk | Spam filters, AI in video games, predictive text | No specific obligations — voluntary codes of conduct possible

For Dutch SMBs the relevant category is usually 'limited risk' (chatbots, content generation) or 'high risk' (specific applications in HR, healthcare, finance). Unacceptable isn't something you'll do in practice, and minimal risk requires nothing special.

Which obligations apply to SMBs?

Three scenarios, three sets of obligations.

Scenario 1: You use an AI chatbot or a copilot

By far the most common in SMBs. A customer-facing chatbot, an internal RAG bot, Microsoft Copilot for your employees, or content generation with ChatGPT — this almost always falls under 'limited risk'.

What you need to do:

  • Transparency: users must know they're interacting with AI. A clear notice such as 'You're talking to an AI assistant' is enough.
  • Label AI-generated content where it could reasonably be mistaken for human work.
  • Maintain a register of which AI systems you use — who the vendor is, what the system does, which data it processes.
  • Privacy and data processing in line with GDPR — usually already arranged through your existing data processing agreements.

Effort: 1–3 days of work for an average SMB. Realistically achievable before 2 August 2026.

Scenario 2: You build or use AI in HR, finance, or healthcare

Here it gets serious. CV screening tools, AI-driven credit scoring, diagnostic support, employee evaluation systems — these are typical 'high risk' systems.

What you need to do:

  • Risk assessment: a documented analysis of what the system does, for whom, and what can go wrong.
  • Data quality: demonstrate that the training data is representative and that bias is actively addressed.
  • Technical documentation: how the system works, how it's been tested, how accuracy is measured. Keep this structured.
  • Human oversight: a person must be able to meaningfully intervene, not just 'approve' the recommended outcome.
  • Logging: the system must automatically log enough to make incidents reconstructable after the fact.
  • Conformity assessment: for some systems a CE-marking-like assessment by a notified body is required.
  • Registration in an EU database before the system goes to market.

Effort: 4–12 weeks for a new system. For existing systems: at least 4 weeks for documentation and risk assessment, longer if technical changes are needed.

Scenario 3: You use a large language model (GPT, Claude, Llama) as the foundation

The providers of foundation models (OpenAI, Anthropic, Google, Meta) have their own obligations under the Act — you usually don't need to worry about those. But if you integrate such a model into your product, you need to know which risk category your use case lands in. A chatbot on top of GPT-4 for customer service = limited risk. A CV screening system on top of Claude = high risk — regardless of who built the underlying model.

A realistic compliance path for SMBs

Four steps we recommend to SMB clients, in this order:

  1. Inventory all AI systems you use or build. Don't forget: the chatbot on your website, AI in your CRM, content generation tools that marketing uses, copilots in your IDE. Make a list.
  2. Classify the risk level per system. For the majority (limited risk) that's a short exercise. For systems that may be high risk: invest more time.
  3. For limited-risk systems: implement transparency and logging. A clear 'AI notice' on chatbots, label AI content, keep a processing register.
  4. For high-risk systems: document, test, and put human oversight in place. This is where professional help from a compliance specialist and/or legal advisor is worth it. Plan for 1-3 months to get an existing system compliant; new systems should be designed correctly from the start.

The most common mistake: companies realise too late that their existing HR or finance tools use AI that classifies as high risk. So start with the inventory. You can't make compliant what you don't know you have.

What if the deadline isn't achievable?

Be pragmatic. The European Commission has indicated that enforcement in the first months will focus on the highest-risk systems and on clearly reckless behaviour. The Dutch Ministry of Economic Affairs is working on practical guidance for Dutch SMBs.

If you don't have everything in place by 2 August 2026, prioritise:

  1. Stop using any 'unacceptable' systems immediately.
  2. Get high-risk systems at least documented and under human oversight — even if the full conformity assessment comes later.
  3. Implement transparency for chatbots and AI-generated content (simple and quick to do).
  4. Communicate internally what you use — IT, HR and legal need to be aligned.

The practical checklist

Below are the questions you can start with today — whether or not we end up working together:

  • Which AI systems do we use? (internally and as part of products/services)
  • Who in the organisation is responsible for AI compliance?
  • For each system: who is the vendor, what does it do, which data does it process?
  • For each system: which risk category does it fall into under the AI Act?
  • For our high-risk systems: do we have documentation, test results, and human oversight?
  • For our chatbots and generated content: do we make clear it's AI?
  • Do we have a process for reviewing new AI systems before putting them into use?

How we help with this

For clients we build AI systems with, we bring EU AI Act requirements in from the design phase. That's not an extra service — it's how we work by default. Documentation, logging, human oversight, and risk assessment are part of our build approach.

For companies who want to get compliance of existing systems in order, we run an AI Act discovery of 1-3 weeks. Output: inventory, risk classification per system, and a concrete action plan with priorities and timelines. Fixed price from €5,000.

Want to know how we'd look at your situation? Tell us via the contact form what you use and build. We respond within one business day with an initial indication or an invitation for an exploratory call.
