Skip to content
← All posts
· 5 min read· By

EU AI Act from August 2026 – What SMBs Using ChatGPT, Copilot & Co. Must Do Now

From 2 August 2026 new obligations under the EU AI Act apply. What small businesses really need to take care of – and what is pure scaremongering.

AIEU AI ActComplianceGDPRSMBLaw

Hardly any business works without AI these days: ChatGPT drafts proposals, Microsoft Copilot summarises emails, a chatbot answers customer questions on the website. And now the EU AI Act arrives – the world's first major AI law, with an important deadline on 2 August 2026. Many business owners are asking themselves: do I have to do something now, or is this only for tech giants?

The short answer: taking some action is sensible, but for most small businesses the list of obligations is manageable. This post puts what is coming for small and medium-sized businesses into perspective – soberly and without panic.

Note: This post is not legal advice. It gives an overview as of mid-2026. Some deadlines are currently still being adjusted at EU level (keyword "Digital Omnibus"). If in doubt, have your specific situation reviewed by a lawyer.

The timeline in brief

The AI Act already entered into force on 1 August 2024, but applies in stages:

  • 2 February 2025: Prohibited AI practices and the AI literacy obligation (Article 4) already apply.
  • 2 August 2025: Rules for general-purpose AI models (GPAI) and the supervisory framework start.
  • 2 August 2026: The bulk of the obligations kicks in – including the transparency obligations (Article 50) and most high-risk applications.
  • 2 August 2027: The last high-risk categories follow.

So 2 August 2026 is the date on which the law becomes noticeable for normal users.

First, the all-clear: providers vs. deployers

The decisive point that often gets lost in the excitement: the AI Act distinguishes between providers (whoever develops an AI system and places it on the market) and deployers, i.e. users (whoever simply uses it).

The heavy obligations – building an AI system in a legally compliant way, technically labelling AI outputs, maintaining extensive documentation – fall on the providers: OpenAI, Microsoft, Google and the like. A typical trade business, an agency or a medical practice in Recklinghausen, by contrast, is a deployer. That makes the list of your own obligations considerably shorter. "We only use ChatGPT" therefore does not mean: nothing to do – but it also does not mean: everything changes.

What small businesses specifically need to take care of

For SMBs as deployers, essentially three topics remain:

1. AI literacy in the team (Article 4)

Since February 2025 the rule has been: whoever uses AI in the business must ensure a sufficient level of AI literacy among the staff involved. This is not a certification and not an expensive programme, but the obligation that your team knows what it is doing: how do the tools fundamentally work, where are their limits, which data may go in – and which absolutely must not?

In concrete terms this means: a short internal AI usage policy and raising awareness in the team. Supervision of this obligation begins in August 2026 – now is the right time to set this up properly.

2. Transparency and labelling (Article 50)

From 2 August 2026 deployers must disclose when people are dealing with AI:

  • Chatbots: Whoever runs an AI chatbot on their website must inform visitors that they are talking to an AI – not to a human.
  • AI-generated content: So-called deepfakes (artificially generated or manipulated images, audio, video) must be labelled as such.
  • Published AI texts: Texts on matters of public interest that are published AI-generated must be marked accordingly.

For most businesses the first point is the relevant one: a notice such as "You are chatting with an AI assistant" on the chatbot satisfies the obligation in practice.

3. Data protection remains mandatory (GDPR)

The AI Act does not replace the GDPR – it comes on top. Whoever enters personal data into AI tools (customer names, health data, application documents) still needs a legal basis, a data processing agreement with the provider, and should – when in doubt – not enter sensitive data in the first place. That is often a bigger lever than the AI Act itself.

What you can sensibly do now

  1. Take stock: Which AI tools does your business actually use – including unofficially on private accounts?
  2. Set up an AI usage policy: One page is enough: permitted tools, taboo data, responsible persons, a short training. That satisfies Article 4.
  3. Label chatbots and AI content: Wherever AI is visible to the outside, add a clear notice.
  4. Review GDPR: Go through the contracts and data flows of your AI tools once, properly.

A word on the deadlines

At EU level the timetable is currently being revised (the so-called "Digital Omnibus" package). What is mainly being discussed are postponements for high-risk applications – the transparency obligations under Article 50 are, as things stand, not affected and remain on the August 2026 date. We are keeping an eye on developments; the basic direction for SMBs changes little as a result.

Conclusion

The EU AI Act is no reason to abolish AI in your business – quite the opposite. For small businesses everything comes down to three sensible steps: train the team, label AI transparently and stay clean on data protection. That is less a compliance burden than good practice that builds trust.

Unsure which AI obligations specifically apply to your business? In a free initial consultation we sort out your tools, your policy and your data protection – pragmatically and at eye level.

Note: The articles on this blog are produced with the help of AI and are editorially reviewed before publication. Editorial responsibility lies with Emre Yurtbay (see the Impressum).

Discuss your project