Skip to content
tokynstudio
journal
26 June 2026 · consulting

eu ai act: what kicks in on 2 august 2026

From 2 August 2026 the high-risk and transparency obligations apply. What that means for SMEs, what to do before then - and what the Digital Omnibus debate might change.

by tokyn studio · 5 min read

EU AI Act: what kicks in on 2 August 2026 - Consulting

TL;DR. On 2 August 2026 the EU AI Act gets real for most companies: the obligations for high-risk systems (Annex III) and the transparency duties (Art. 50) become applicable. Most SMEs are deployers, not providers - which means lighter, but still real, duties. In parallel, the EU is debating a possible delay of some high-risk rules under the "Digital Omnibus". Plan around 2 Aug 2026 as the baseline. As of 2026-06.

> Quick check: Which risk class does your AI use fall into? Our free EU AI Act check classifies it in 4 questions.

2 august 2026 - the date that actually matters

The EU AI Act has been in force since 1 August 2024, but in stages. So far only the first tiers applied: prohibited practices and the AI-literacy duty (Art. 4) since February 2025, the rules for general-purpose AI models and the governance structure since August 2025.

2 August 2026 is the stage that hits the broad mid-market: from this date the obligations for high-risk systems under Annex III and the transparency duties under Art. 50 apply. If you don't just build AI but deploy it, you should know by then which category your use-cases fall into.

what concretely applies from that date

Transparency (Art. 50). This is the rule that touches almost every SME with customer contact. If you run a chatbot or voice agent, you must tell users they are talking to an AI - unless it's obvious. AI-generated or -manipulated content (image, audio, video, public-interest text) must be machine-readably marked as such. Low effort, but mandatory.

High-risk systems (Annex III). This covers clearly delineated fields: AI in recruiting (candidate scoring, CV filtering), credit and creditworthiness assessment, critical infrastructure, education, access to essential services. These systems carry hard duties - risk management, data governance, technical documentation, human oversight, logging. The good news for most SMEs: the typical use-cases - a company GPT for internal research, email triage, lead qualification - are usually not high-risk.

GPAI - next stage. Models placed on the market before August 2025 have until August 2027 to comply. For you as a deployer this mainly means: make sure the provider you use meets its GPAI duties (documentation, copyright policy, training-data summary).

are you affected? provider vs. deployer

The central distinction in the AI Act: providers develop an AI system or place it on the market under their own name. Deployers use an existing system under their own responsibility. The vast majority of SMEs are deployers - using ChatGPT Enterprise, Copilot, a voice-agent service, or a setup built with us.

Deployer duties are far lighter than provider duties, but not zero - especially for high-risk systems: use according to instructions, ensure human oversight, keep input data relevant within your control, retain logs, inform affected people. But if you substantially modify a system or resell it under your own name, you can become a provider yourself - a line worth knowing before you cross it.

the digital omnibus debate: is a delay coming?

In late 2025 the European Commission proposed simplifications to the AI Act under the "Digital Omnibus" - including the idea of stretching some high-risk duties or tying them to the availability of standards. Whether and in what form this lands was not finally decided at the time of writing.

Our take: plan around 2 Aug 2026 as the baseline. A possible easing of high-risk rules changes nothing about the transparency duties and nothing about the need to classify your use-cases. Waiting until the legal situation is "final" wastes exactly the lead time the law grants you.

checklist before august

1. Use-case inventory. List every production AI use - with role (provider/deployer) and risk class (prohibited / high / limited / minimal). 2. Transparency building blocks. Prepare notice texts for chatbots, voice agents and AI-generated content - in German and English. 3. AI literacy (Art. 4). Mandatory since February 2025 and often overlooked: staff who use AI need an adequate basic understanding. A short internal briefing usually suffices - but it has to happen. 4. High-risk check. Running recruiting, scoring or creditworthiness AI? Then assess the provider duties early - that's where the real work sits. 5. GDPR alignment. The AI Act doesn't replace the GDPR, it complements it. Documenting both in parallel halves the effort (see our GDPR + AI post).

what we do at tokyn

We bake AI Act classification into our consulting and delivery projects - not a separate compliance project, but part of the setup:

  • use-case classification (provider/deployer, risk class) per project
  • ready-made transparency notices for voice and text, DE + EN
  • an AI-literacy briefing for the team
  • alignment with the GDPR record of processing activities

Want to know where your use-cases stand? A 30-minute intro call is free and pitch-deck-free. For the fundamentals, our EU AI Act guide is worth reading first.

sources

related service

Consulting

next step

your case, concretely - let's talk.

30 minutes, no pitch deck. We look at your use case and tell you honestly whether - and how - it's worth doing.

EU AI Act: what kicks in on 2 August 2026 · tokyn studio