20 May 2026 · consulting

eu ai act for smbs 2026

What applies in 2026 and what to do. Risk classes, provider vs. deployer obligations, concrete steps for the mid-market.

by tokyn studio · 4 min read

TL;DR. The EU AI Act (Regulation (EU) 2024/1689) classifies AI systems by risk and assigns graded obligations to providers and deployers. For most SMB applications (chat assistants, internal LLM usage, marketing automation), Art. 50 transparency notices are usually enough — high-risk obligations apply only in specific domains. As of 2026-05.

what is the eu ai act?

The EU AI Act is the world's first comprehensive AI regulation. It was adopted on 13 March 2024 and published in the EU Official Journal in July 2024, with staggered entry into force between February 2025 and August 2027. Scope: every AI system placed on the market or put into service in the EU, or whose output is used in the EU. That means it applies to US providers like OpenAI or Anthropic as soon as their outputs land in the EU.

The regulation distinguishes four risk classes:

the four risk classes

Prohibited practices (Art. 5). Social scoring by public authorities, manipulative techniques exploiting vulnerabilities, certain forms of real-time biometric identification in public spaces. Rarely relevant in an SMB setup.

High-risk systems (Art. 6, Annex III). AI in specific application areas: critical infrastructure, education and vocational training, employment (HR recruiting scoring, employee evaluation), access to essential services (credit scoring, social benefits), law enforcement, migration, justice. Heavy obligations apply: risk analysis, quality management system, technical documentation, human oversight, accuracy/robustness/cybersecurity, CE conformity assessment, registration in an EU database.

Limited risk (Art. 50). Systems that interact with humans (chatbots, voice agents) or generate synthetic content (deepfakes, AI-generated text). Obligation: transparency notice that the person is interacting with an AI system. This is the relevant class for most SMB AI use cases.

Minimal risk. Spam filters, AI-based game mechanics, inventory management. No specific obligations — voluntary codes of conduct encouraged.

provider or deployer — which role do i play?

The EU AI Act consistently distinguishes two roles with different obligations:

Provider. Whoever develops an AI system or places it on the market under their own name. OpenAI is the provider of GPT, Microsoft of Copilot. If you build an internal tool and deploy it inside your company, you are also a provider under the Act — even without commercial distribution.

Deployer. Whoever uses an AI system under their own responsibility in a professional context. If you run Microsoft 365 Copilot in your tenant, or a voice agent on your hotline, you are a deployer. Your main obligations: appropriate use, human oversight for high-risk systems, input data quality, informing your staff about AI usage.

Most SMBs are deployers, not providers — which significantly reduces obligations.

what does this concretely mean for smbs?

For everyday SMB AI use cases — a Company-GPT for internal research, a voice agent in customer service, automated email classification — the following obligations typically apply:

  • Transparency (Art. 50). End-users interacting with an AI system must be informed. For voice agents, this is usually an opening sentence ("You're talking to an AI assistant from ...").
  • Staff information. When AI systems are deployed in the workplace, an information obligation applies; independently of the AI Act, it also follows from German labour law and GDPR.
  • Don't pursue certain purposes. No fully automated scoring of job applicants without a human making the final decision (that would be high-risk, Annex III no. 4).
  • DPA and GDPR continue to apply in parallel. The AI Act does not replace GDPR; both apply cumulatively.

Those operating in high-risk areas (HR-tech vendors, providers of medical decision tools, fintechs with credit scoring) have substantially more compliance work and should clarify it early with specialised legal counsel.

timeline

  • 2 February 2025: Art. 5 prohibitions take effect.
  • 2 August 2025: Obligations for general-purpose AI models (providers like OpenAI, Anthropic) take effect — documentation, copyright compliance, training-data summary.
  • 2 August 2026: Obligations for most high-risk systems.
  • 2 August 2027: Obligations for high-risk systems already embedded in regulated products (e.g. medical devices).

For most SMB use cases the critical dates have already passed or are imminent — if you haven't looked yet, now is the time.

what does tokyn do?

We operationalise the AI Act in our [consulting projects](/consulting):

  • Risk classification per AI initiative — we sort your portfolio into the four classes.
  • Obligations mapping per class — what this concretely means for your implementation, your documentation, your staff information.
  • Compliance inventory for the next audit — structured and traceable.
  • Transparency building blocks for voice agents and chatbots (see also our [voice agent service](/agents)).

If you want a quick scan for EU AI Act readiness: a free 30-minute intro call is the starting point.

sources

  • [Regulation (EU) 2024/1689 (EU AI Act, consolidated text)](https://eur-lex.europa.eu/eli/reg/2024/1689/oj)
  • [European Commission: AI Act Q&A](https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai)
  • [EU AI Office](https://digital-strategy.ec.europa.eu/en/policies/ai-office)
  • Terms like [Company-GPT](/glossar#company-gpt) and [RAG](/glossar#rag) in the tokyn glossary
