
On 2 August 2026, the largest part of the EU AI Act becomes fully applicable. For many SME leaders, this European regulation on artificial intelligence stays fuzzy: does it really concern a company that just uses ChatGPT or Copilot? The short answer is yes, but not in the way most people assume. Here is what concretely changes on that date, and the checklist to run before the deadline.
In short
- On 2 August 2026, the bulk of the EU AI Act becomes applicable, including the rules on high-risk systems and the Commission's power to sanction general-purpose AI.
- Fines reach up to EUR 35M or 7% of worldwide turnover for prohibited uses, and EUR 15M or 3% for breaches on high-risk systems.
- For an SME, the cap applied is the lower of the two amounts, a proportionality clause set out in Article 99.
- Most SMEs are users (deployers), not providers: their obligations are lighter, but real (transparency, human oversight, training).
- Each Member State must open at least one regulatory sandbox to test AI in a supervised setting.
The AI Act, in one sentence
The EU AI Act is the European regulation that governs artificial intelligence by its level of risk. It sorts uses into four tiers: unacceptable risk (banned), high risk (heavily regulated), limited risk (transparency duties) and minimal risk (no constraints). Adopted in 2024, it applies in stages. The 2 August 2026 date is when the bulk of the framework becomes applicable.
- 1 August 2024: Entry into force
- 2 February 2025: Prohibited uses
- 2 August 2025: Generative AI and sanctions
- 2 August 2026: Main application
- 2 August 2027: High risk integrated
What actually changes on 2 August 2026
Three shifts matter for a company.
First, the rules on high-risk systems become applicable. A high-risk system is an AI used in a sensitive domain: recruitment, credit assessment, biometrics, product safety, education, or critical infrastructure. If your SME uses AI-based CV screening or automated customer scoring, you are affected, even without having built the tool yourself.
Next, the European Commission gains the power to impose fines on providers of general-purpose AI models (large models such as GPT, Claude, Gemini or Mistral). This does not target SMEs directly, but it holds your suppliers accountable, which strengthens traceability downstream.
Finally, each Member State must have at least one regulatory sandbox up and running. This is a test environment supervised by the authority, where a company can experiment with innovative AI without immediate risk of sanction. It is a useful lever for SMEs that want to innovate without flying blind.
The key point for an SME
You are most likely a deployer (user) rather than a provider (developer) of AI. Your obligations exist, but stay proportionate: transparency toward affected people, human oversight and training for your teams.
Provider or deployer: the distinction that changes everything
The AI Act distinguishes the provider (who develops and places a system on the market) from the deployer (who uses it in a professional setting). The vast majority of SMEs are deployers. This nuance radically changes the compliance load.
Provider
Deployer (most SMEs)
Beware: an SME can slip into provider status without knowing it. For example, if you heavily customise a model, place it on the market under your brand, or substantially modify a high-risk system, you inherit the provider's obligations.
The fines scale
The penalty regime, in force since 2025, reaches its full potential with the main application. Three levels exist, under Article 99 of the regulation.
| Type of breach | Cap (the higher figure) |
|---|---|
| Prohibited use (Article 5) | EUR 35M or 7% of worldwide turnover |
| High-risk system breach | EUR 15M or 3% of worldwide turnover |
| Incorrect information to authorities | EUR 7.5M or 1% of worldwide turnover |
A nuance protects small structures. For an SME or start-up, the fine applied is the lower of the fixed cap and the turnover percentage, not the higher. This proportionality clause is written in black and white in the regulation.
Worth qualifying
These caps are maximums, not automatic fines. The regulator's aim is compliance, not systematic punishment. But the order of magnitude justifies treating the topic seriously.
The SME checklist before 2 August 2026
No need to overhaul everything. A five-step approach covers most SMEs.
1. Inventory
2. Classify
3. Document
4. Inform
5. Train
This mapping often overlaps with another project: reining in shadow AI, meaning the undeclared use of AI tools by employees. Tackling both together saves time.
FAQ
My company only uses ChatGPT or Copilot, am I affected?
Yes, but lightly. As a deployer of a limited-risk tool, your main duties relate to transparency and use in line with the instructions. The regulatory weight falls first on the model's provider, not on you.
What fines does an SME realistically face?
Caps range from EUR 7.5M to EUR 35M depending on severity, but for an SME the fine applied is always the lower of the fixed cap and the turnover percentage. The goal remains compliance, not punishment.
What is a high-risk AI system?
It is an AI used in a sensitive domain: recruitment, credit scoring, biometrics, education, product safety or critical infrastructure. These systems face reinforced requirements for documentation, oversight and risk management.
What if I have prepared nothing before 2 August 2026?
Start with an inventory of your AI tools and their classification. Most SMEs discover they only use limited-risk systems, which makes compliance fast. What matters is having a documented approach.
Conclusion
2 August 2026 is not a wall for SMEs, but a step to prepare calmly. The good news: most companies are AI users, not providers, and their obligations stay proportionate. An honest map of your tools, a bit of transparency and a training effort cover the essentials. To go further on AI governance internally, browse our other LUWAI Mag resources or our customer stories.


