EU AI Act 2026 — complete guide + checklist

EU AI Act 2026 for SMBs: 4 risk categories, deadlines after the May 7 agreement, sanctions per Article 99, plus free compliance checklist.

The EU AI Act is the EU's first AI law. For most SMBs, it doesn't mean a revolution. Around 95 percent of your AI systems fall into the "minimal risk" category with few or no requirements. On May 7, 2026, the EU also reached a provisional agreement to delay parts of the law. This guide shows what applies today, what is likely to be postponed, and the five concrete steps you should take now.

What is the EU AI Act in 60 seconds?

The EU AI Act is Regulation (EU) 2024/1689, the first comprehensive AI regulation in the world. The law entered into force on August 1, 2024, and classifies AI systems into four risk categories with different requirements. All companies using AI within the EU are affected, including non-EU companies selling to the EU market.

The law builds on a simple principle: the higher the risk to people's safety and rights, the stricter the requirements. The regulation takes inspiration from GDPR in its structure but has a broader ambition. It doesn't just regulate data protection but the entire chain from AI system to end user.

For SMBs, this means you need to classify your AI systems, understand which category they belong to, and take appropriate measures. For most, the measures are minimal. The full legal text is available at EUR-Lex in 23 EU languages.

Compared to GDPR, the EU AI Act is more specific in its risk assessment. GDPR builds on general principles (legality, transparency, purpose) and requires companies to interpret how they apply. The EU AI Act instead lists concrete scenarios that are prohibited, high-risk, or transparency-required. That makes the law easier to understand but also stricter when it applies.

Which deadlines apply and what is being delayed?

The EU AI Act is built in phases with multiple deadlines between 2025 and 2028. Prohibited AI practices, GPAI rules, and the AI literacy requirement have applied since 2025. The original deadline for high-risk AI is August 2, 2026, but the European Commission's Digital Omnibus proposal from May 7, 2026, would postpone it to December 2, 2027.

The timeline is built in phases. Some parts already apply, others are on the way, and some may be postponed after the European Commission's Digital Omnibus proposal.

Already in force:

  • February 2, 2025: prohibited AI practices (Article 5) apply. No delay proposed.
  • August 2, 2025: requirements for General-Purpose AI models (OpenAI, Anthropic, Mistral, and similar) apply.
  • AI literacy (Article 4): applies since February 2025. All staff handling AI systems must have sufficient knowledge.

On the way, possibly delayed:

  • August 2, 2026: original deadline for high-risk AI and national supervisory authorities.
  • May 7, 2026: EU Council, Parliament, and Commission reached a provisional agreement to delay the high-risk deadline to December 2, 2027.
  • August 2, 2027: high-risk AI embedded in regulated products (may be shifted to August 2, 2028).

The May 7 agreement has not yet been formally adopted. It needs to be approved by both the Council and Parliament in its final form. The EU's press release confirms the trilogue agreement and states that adoption is expected before August 2, 2026.

What does this mean practically? Prohibited practices, GPAI rules, and the AI literacy requirement are unchanged and already apply. High-risk provisions are likely to be postponed, but prepare as if the deadline stands until otherwise officially announced.

What are the four risk categories and how do they differ?

The EU AI Act classifies AI systems into four categories based on risk to humans: prohibited, high-risk, limited risk, and minimal risk. Prohibited is stopped entirely, high-risk requires extensive documentation and registration, limited risk requires transparency disclaimers, and minimal risk has no special requirements. Here's what each category means practically for SMBs.

Prohibited AI systems (Article 5)

Certain practices have been entirely prohibited since February 2, 2025. They concern eight types of AI considered unacceptable in a democratic society, all listed in Article 5 of the law:

  • Manipulative AI techniques exploiting psychological vulnerabilities
  • Social scoring systems (like China's social credit)
  • Real-time biometric identification in public spaces (with few police exceptions)
  • Emotion recognition in the workplace or in education
  • Biometric categorization based on race, religion, or political opinion
  • Predictive policing based solely on profiling
  • Unselective scraping of facial images from the internet for biometric databases
  • AI systems classifying people based on certain social traits

For SMBs, the most relevant prohibited practices are manipulative techniques (sales psychology exploiting vulnerable people) and emotion recognition on staff (monitoring employees' mood through cameras or voice analysis). Use these areas as a clear "no zone" when evaluating new AI vendors.

High-risk AI (Annex III)

The high-risk category is where documentation requirements become extensive. Annex III of the law lists eight use cases classified as high-risk:

  • Biometrics beyond what is prohibited
  • Critical infrastructure (energy, transport)
  • Education and vocational training
  • Recruitment and HR decisions
  • Credit assessment, insurance, and social security
  • Law enforcement
  • Migration, asylum, and border control
  • Democratic processes and the justice system

For SMBs, the two relevant areas are recruitment AI (CV screening, candidate evaluation) and credit assessment. Do you use AI to filter job applications or assess a customer's payment ability? Then you're in the high-risk category.

Requirements include registration in the EU database, technical documentation, a risk management system, human oversight, and quality control of training data. Prepare budget and time for this as a project of several months, not a weekend.

Limited risk: transparency requirements (Article 50)

Article 50 regulates AI systems that must be transparent to the user. It concerns three types:

  • Chatbots and AI agents that talk with humans. The person must be informed they are interacting with AI.
  • Deepfakes (AI-generated image, video, or audio). Clear labeling required.
  • AI-generated text content in the public interest. Must be labeled, unless a human has reviewed and taken editorial responsibility.

This is where most Eteya customers land, but the nuance matters. A customer service chatbot or voice bot answering guests must clearly declare "You're talking with an AI assistant" at first interaction. An internal AI agent calculating cost per pizza or proposing restock orders (like the inventory system at Sannegårdens Pizzeria) instead lands in minimal risk, because the end customer never meets it directly. The message: the transparency requirement hits the interface to the human, not the automation in the background.

Minimal risk: no special requirements

The fourth category is all other AI systems. No specific requirements from the EU AI Act here. Around 95 percent of AI systems in SMB companies land here: process automation, internal productivity AI, AI-based reporting, and automated workflows that don't interact directly with customers.

For these systems it's "business as usual", but you should still document which systems you use and for what purpose, in case an auditor or authority asks.

Is your AI system high-risk? Quick test for SMBs

Quick test for SMBs: go through five questions in order to determine your AI system's risk category. If you use AI for recruitment or credit assessment, you land in high-risk. Chatbots or AI agents talking with customers are limited risk. ChatGPT internally without customer contact is minimal risk. Here are the questions:

Question 1: Do you use AI for decisions about people?

Areas to check:

  • Recruitment (CV screening, candidate ranking, interview analysis)
  • Credit assessment or insurance decisions
  • Healthcare (diagnosis, treatment suggestions)
  • Education (grading, admission)
  • Law enforcement or migration

If YES: high-risk. Start preparing documentation and a risk management system.

Question 2: Does AI manipulate emotions or psychology?

Does AI monitor employees' mood at workplaces or schools, or exploit psychological vulnerabilities? If YES: prohibited per Article 5. Stop usage immediately.

Question 3: Is it a chatbot, AI agent, or media generator?

Does the AI system talk directly with humans, or generate images, video, or audio shown to humans? If YES: limited risk. Add a transparency disclaimer ("You're chatting with AI" or similar).

Question 4: GPAI model internally without customer contact?

Do you use ChatGPT, Claude, Gemini, or similar internally for productivity, coding, or analysis without the end customer meeting the AI? If YES: minimal risk for you as a deployer. Provider obligations sit with the model companies (OpenAI, Anthropic, Google).

Question 5: None of the above?

Then your system is minimal risk. No specific EU AI Act requirements, but still document which systems you use for internal overview and possible future audit.

Sanctions: what does non-compliance cost?

Sanctions for EU AI Act violations are regulated in Article 99 and are substantial. Prohibited practices cost up to EUR 35 million or 7 percent of global turnover, other violations up to EUR 15 million or 3 percent, and misleading information to authorities up to EUR 7.5 million or 1 percent.

  • Violation of prohibited AI practices (Article 5): up to EUR 35 million or 7 percent of global annual turnover. The higher of the two.
  • Violation of other obligations (Articles 16, 22, 23): up to EUR 15 million or 3 percent of turnover.
  • Misleading information to authorities: up to EUR 7.5 million or 1 percent.

For SMBs, however, an important exception applies. According to Article 99(6), the fine for small and medium-sized enterprises (including startups) shall be set at the lower of amount and percentage, not the higher as for large companies. This is intentional, so as not to crush innovation among smaller players.

Concrete calculation example: an SMB with 5 million EUR in turnover violating prohibited practices risks 7 percent of turnover (350,000 EUR), not EUR 35 million. For other violations, the cap is 3 percent of turnover (150,000 EUR). The sanctions are still heavy, but proportionality for small companies is built into the law.

It should be added that the market surveillance authority (in Sweden likely PTS or IMY depending on the case) can demand measures beyond fines: an enforcement order to stop the AI system, recall requirements, or a temporary ban on placing the product on the market. For many SMBs, it's the downtime that becomes the heavy cost, not the fine amount.

Who is the supervisory authority for the EU AI Act?

The Swedish supervisory authority for the EU AI Act has not been formally decided as of May 2026. Sweden is shaping its national implementation law based on the SOU 2025:101 inquiry from October 2025. PTS is proposed as primary coordinator, IMY gets responsibility for prohibited practices and biometrics, and Finansinspektionen for the financial sector.

SOU 2025:101, the inquiry submitted to the Swedish government on October 6, 2025, proposes the following division:

  • PTS (Swedish Post and Telecom Authority) as primary coordinator and market surveillance authority
  • IMY (Swedish Data Protection Authority) for prohibited practices, biometrics, law enforcement, and areas overlapping with GDPR
  • Finansinspektionen (Financial Supervisory Authority) for the financial sector (credit assessment, insurance)
  • Other sector authorities for specific industries (Medical Products Agency, Transport Agency, and similar)

IMY has confirmed that they are preparing for the role of supervisory authority within their areas of responsibility, but stress that there are "no decisions yet" on the final structure. PTS publishes ongoing guidance on their website.

For SMBs, the recommendation is: keep an eye on both IMY's and PTS's official channels for updates during summer 2026. Other EU member states have their own national supervisory authority — check the relevant authority in your country.

What are the most common misconceptions about the EU AI Act?

Many SMBs believe the EU AI Act is more extensive and stricter than it actually is. We meet four misconceptions daily: that all AI usage requires EU approval, that internal ChatGPT use must be reported, that all AI-generated content must be labeled, and that the high-risk delay means nothing needs to be done. All four are wrong.

Misconception 1: "All AI usage requires approval from the EU"

Wrong. No AI system requires formal approval, not even high-risk. High-risk systems require registration in the EU database and documentation, but no authority "approves" the system before use. The responsibility for correct classification and documentation lies with you as a company.

Misconception 2: "We use ChatGPT so we must report to the EU"

Wrong. Using a GPAI model (ChatGPT, Claude, Gemini) internally for productivity counts as minimal risk for you as a deployer. It's OpenAI, Anthropic, and Google that have the provider obligations to report and document the model.

Misconception 3: "We must label all AI-generated content on the website"

Partly wrong. Article 50 requires labeling of AI-generated content in the public interest, but there is a clear exception. If a human edits the text and takes editorial responsibility, no special labeling is required. Marketing and blog content with editorial review is usually OK without disclaimer.

Misconception 4: "High-risk systems are delayed, so we don't need to do anything"

Wrong. Prohibited practices (Article 5) have applied since February 2025. GPAI rules (Article 53) have applied since August 2025. AI literacy (Article 4) has applied since February 2025. Only high-risk provisions are on the way to being delayed, and only provisionally.

Which five steps should SMBs take now?

SMBs should take five concrete steps for EU AI Act compliance: inventory all AI systems, classify them by risk category, add transparency disclaimers on chatbots and AI agents, start documentation if you have high-risk systems, and train staff in AI literacy. Here's the action plan based on recommendations from PwC, Deloitte, and Vinge.

Step 1: Inventory all AI systems you use

List each system: AI agents, chatbots, customer service automation, internal productivity AI (Copilot, ChatGPT, Claude), predictive analytics, marketing AI. Include AI built into SaaS tools you already use (CRM, HR systems, accounting software).

Step 2: Classify each system into one of the four categories

Use the quick test above or our free checklist (link below). Note which article in the law governs your specific case.

Step 3: Add transparency disclaimers on chatbots and AI agents

For all systems falling under limited risk: ensure users are informed about AI at first contact. A simple sentence suffices. Example: "You're chatting with an AI assistant. If you need to reach a human, type 'human agent'."

Step 4: If you have high-risk systems, start documentation now

Even if the high-risk deadline is likely postponed to December 2027, documentation and risk management requirements are extensive. Starting six months in advance is the minimum to avoid stress.

Step 5: Train staff in AI literacy

The AI literacy requirement per Article 4 has applied since February 2, 2025. This means staff using AI systems must have sufficient knowledge to understand its capabilities and limitations. For SMBs, basic training suffices: an hour-long internal training on basic AI concepts goes a long way.

How can Eteya help you navigate the EU AI Act?

Eteya has implemented over 100 AI systems for SMBs with compliance focus from day one: transparency where required, documentation as standard, and architecture that's easy to update when rules change. We help you map your systems, classify them against the EU AI Act, and build right from the start.

Need help with mapping, classification, or implementation? Book a free 30-min strategy meeting and we'll go through your systems together.

Free: EU AI Act compliance checklist (PDF)

5-step checklist plus fill-in table to inventory your AI systems. Sent directly to your inbox.

Frequently asked questions

No, no specific requirements from the EU AI Act. Internal use of GPAI for coding, document drafts, or analysis lands in minimal risk. However, staff must have AI literacy per Article 4. Brief internal training suffices. Also save company policy on which systems are approved internally.

Yes. The May 7 agreement is provisional and not formally adopted. Assume August 2, 2026, still applies until officially announced otherwise. Starting documentation six months before the deadline is the minimum to make it on time without stress.

Use our five-question quick test in the article above. For deeper classification, download our free checklist with a fill-in table. If you're unsure about a specific system, contact a lawyer or reach out to us for a free assessment.

All AI affecting recruitment decisions: CV screening, candidate ranking, automatic interview analysis, or predictive-hire models. ChatGPT helping you write job ads does not count. The line is drawn at whether AI evaluates candidates or just helps humans formulate text.

As of May 2026, responsibility is divided. For GDPR-related questions: IMY. For general supervision: likely PTS (awaiting decision). For the financial sector: Finansinspektionen. We recommend following both imy.se and pts.se for updates. Other EU member states have their own national authorities.

Depends on the purpose. Article 50 requires labeling of AI-generated content in the public interest, but there's an exception. If a human edits the text and takes editorial responsibility, no special labeling is required. Marketing and blog content with editorial review is usually OK.

Sanctions are up to EUR 35 million or 7 percent of turnover for prohibited practices. For SMBs, however, the lower of amount and percentage applies per Article 99(6), not the higher as for large companies. Practically: an SMB with 5 million EUR turnover risks 350,000 EUR, not EUR 35 million.

Filip Thai, CEO & Founder

AI consultant focused on automation and AI agents for SMBs. Builds solutions that actually deliver measurable savings.
