Pospíšil Petr | CyberPOPE Independent Consultant | Cybersecurity Architect & vCISO

EU AI Act for SMEs: What to Check Before August 2026

Petr Pospíšil

SME takeaway

The EU AI Act is not just paperwork. It is a risk-management law.

If your business buys, deploys, or builds AI, you need to know whether the system is prohibited, high-risk, or covered by general-purpose AI rules.

Most SMEs do not need a legal thesis on the EU AI Act. They need a quick answer: what are we using, where is the risk, and what must we control?

The enforcement calendar is already moving. Some rules have applied since 2025, and the main high-risk AI obligations are scheduled for 2026.

The dates that matter

Feb 2025: Prohibited practices apply

Emotion recognition at work, manipulative systems, and some biometric uses can be banned outright.

Aug 2025: GPAI rules apply

General-purpose AI providers face transparency, documentation, and model-risk obligations.

Aug 2026: High-risk AI rules apply

Systems in HR, education, essential services, law enforcement, and similar areas need stronger controls.

For SMEs, the first job is classification. Are you using AI for ordinary productivity, or is it affecting people’s jobs, access to services, education, credit, safety, or legal position?

If the system is high-risk, the question changes from “does it work?” to “can we prove it is governed, monitored, documented, and resilient?” That includes data governance, human oversight, logging, accuracy, robustness, and cybersecurity.

AI security also matters below the legal threshold. Prompt injection, data leakage, unsafe tool use, and weak monitoring can still create business risk even when the Act does not classify your tool as high-risk.

What SMEs should do first

Practical AI Act checklist

List every AI tool and vendor
Check for prohibited use cases
Classify high-risk workflows
Ask vendors for AI Act evidence
Test AI systems for abuse cases
Document ownership and oversight

Do not wait until procurement, legal, and IT all disagree in 2026. Start with an inventory, classify the real risks, and test the systems that can affect people or sensitive data.

Treat AI compliance as evidence of good management, not as a folder of documents.
