Apr 25, 2026
EU AI Act 2026: What Every European SMB Needs to Know Before August 2

If you run a small or medium-sized business in the European Union and you use any AI tool — a chatbot, a CV-screening assistant, a recommendation engine, a generative content tool — the rules of the game change on 2 August 2026. That's the day the majority of the EU AI Act's obligations become legally enforceable.
Most SMBs we speak to fall into one of two camps: blissfully unaware, or panicking unnecessarily. Neither is the right place to be. This guide is the calm middle path — what actually applies to you, what doesn't, and what to do in the months you have left.
A 90-second summary of the AI Act
The EU AI Act is the world's first comprehensive AI regulation, adopted in 2024 and being phased in. It classifies AI systems into four risk tiers:
Prohibited — banned outright (social scoring, real-time biometric surveillance, workplace emotion recognition, etc.). These have been banned since February 2025.
High-risk — heavily regulated. This includes AI used for hiring, credit scoring, education access, healthcare decisions, and law enforcement.
Limited-risk — transparency obligations apply. This is where most chatbots and generative AI tools sit. You must tell users they are interacting with AI.
Minimal-risk — most everyday AI (spam filters, recommendation engines, content tools). No specific obligations.
For most European SMBs — restaurants, salons, real estate agencies, marketing agencies, law firms — your AI tools fall into limited-risk or minimal-risk. That's good news. The compliance burden is manageable.
The "provider vs. deployer" distinction nobody explains
This single distinction will save you tens of thousands of euros in unnecessary legal fees.
A provider is a company that builds and places an AI system on the market. If you've built your own AI product as a SaaS, you're a provider.
A deployer is a company that uses an AI system someone else built. If you use Microsoft Copilot, ChatGPT, HubSpot's AI, or a chatbot we built for you — you are a deployer.
Most SMBs are deployers. Deployer obligations are dramatically lighter than provider obligations. If you're a Slovakian aesthetic clinic using a chatbot built by an EU agency, the agency typically carries the bulk of the technical compliance work. You inherit a much lighter "use it responsibly" duty.
What deployers actually need to do
For most SMB deployers using limited-risk AI (chatbots, generative content, marketing automation), the practical to-do list is:
Inventory every AI tool your business uses. Most SMBs are surprised to discover they're running 8–15 AI features (CRM scoring, email subject-line testing, image generation, chatbots, transcription, etc.).
Classify each one by risk tier. The Future of Life Institute's free EU AI Act Compliance Checker is a good starting point.
Disclose AI to users. If a customer is interacting with a chatbot or receiving AI-generated content, say so. A simple "You're chatting with our AI assistant — type 'human' anytime to reach our team" is enough for most cases.
Establish human oversight. No consequential decision (hiring, firing, credit, healthcare) should be 100% automated. A human signs off.
Vendor due diligence. Ask every AI vendor for their compliance posture, EU data residency, and Data Processing Agreement. If they can't answer — that's the answer.
Write a one-page internal AI policy. What's allowed, what's not, who to call when something breaks. One page. Make it readable.
Document everything. Compliance is shown through documentation, not intent.
What changes if you do high-risk AI
If your business uses AI to screen, rank or match job candidates, score creditworthiness, gate access to education, or take healthcare decisions — you fall under high-risk obligations. That's a different conversation. You'll need formal risk assessments, technical documentation, mandatory human oversight, registration in the EU database, and bias testing. The penalties for non-compliance are real: up to €15 million or 3% of global turnover.
The penalty structure (and why it should not panic you)
Yes, headline fines under the AI Act go up to €35 million or 7% of global turnover for prohibited practices. But Article 62 explicitly requires proportionate enforcement for SMEs. The reality for a small clinic, salon or real estate agency is that authorities will look at your size, intent, and effort. Companies that have made a documented good-faith effort at compliance — even if imperfect — will be treated very differently from companies that did nothing.
The worst position to be in on August 3, 2026 is to have done nothing at all.
What about the rumoured delay?
There's been talk through 2025 and early 2026 of a "Digital Omnibus" that could push some high-risk obligations out to December 2027. As of writing, this is proposed, not law. Plan for August 2, 2026 as the operative date. If a delay passes, you've used the extra runway profitably. If it doesn't, you're not exposed.
The realistic compliance budget for an SMB deployer
For a typical European SMB using AI only as a deployer (not as a provider), end-to-end compliance (inventory, classification, disclosures, vendor checks, internal policy) is a 4-to-6-week exercise costing roughly €5,000 to €15,000 if you handle it internally with light external review. That's it.
For high-risk system deployers, budget €20,000–€50,000 for a proper readiness exercise.
Where Launchzy fits in
When we build AI workflows, chatbots and voice agents for European SMBs, compliance is built into the architecture from day one — EU data residency, signed DPAs, AI-disclosure messaging, documented retention, human-handoff fallback. You inherit a system that's defensible by design, not retrofitted under deadline pressure. Book a free 30-minute compliance and automation audit or explore our AI services.
