On August 2, 2026, the transparency obligations of the EU AI Act under Article 50 take effect. For small and medium-sized enterprises using AI systems — whether ChatGPT for content creation, AI chatbots in customer service, or automated recommendation engines — the time to act is now.
This guide explains the core requirements, clarifies which obligations actually apply to typical SME use cases, and provides a pragmatic implementation roadmap.
What Is the EU AI Act?
The EU AI Act is the world's first comprehensive regulation for Artificial Intelligence. In force since August 2024, it becomes binding in stages. Its goal: ensuring AI use in the EU is safe, transparent, and respectful of fundamental rights.
The Act does not differentiate by company size but by risk category of the AI system deployed. A ten-person company can be equally affected if it uses AI systems falling under regulated categories.
The Risk Classification Model
The AI Act classifies AI systems into four risk tiers:
Unacceptable Risk (Prohibited)
Since February 2025, certain AI applications are banned in the EU: social scoring by public authorities, subliminal manipulation techniques, real-time remote biometric identification in public spaces (with exceptions). Since March 2026, so-called nudifier apps are also prohibited. Most SMEs are not affected by this category.
High Risk
AI systems in safety-critical domains — medical devices, recruitment, credit scoring, biometric identification — face stringent requirements: risk management systems, conformity assessments, technical documentation, human oversight.
The Digital Omnibus of March 2026 extended high-risk deadlines: Annex III systems to December 2027, Annex I systems to August 2028.
Limited Risk (Transparency Obligations)
This category affects most SMEs. If you deploy AI systems that interact with humans or generate content, the transparency obligations under Article 50 apply from August 2, 2026.
Minimal Risk
AI systems like spam filters, auto-suggestions, or product recommendations fall under minimal risk with no specific AI Act obligations.
Article 50: Transparency Obligations in Detail
For SMEs, Article 50 transparency obligations are the most relevant part of the AI Act. They take effect August 2026 and cover three areas:
AI Interaction Disclosure (Art. 50(1))
If your company deploys AI systems that interact directly with people — chatbots, AI phone assistants, automated advisory systems — users must be informed they are communicating with AI. The disclosure must occur at the start of the interaction and be clear and comprehensible.
AI-Generated Content (Art. 50(2))
AI systems producing synthetic content — text, images, audio, video — must mark their outputs as AI-generated in a machine-readable format. This affects companies using AI tools for content creation that publish the results.
Deepfake Disclosure (Art. 50(4))
Those publishing AI-generated or manipulated text intended to inform the public about matters of public interest must disclose AI generation. For most SMEs, this requirement is less relevant unless actively conducting public communications with AI-generated text.
Typical AI Systems Used by SMEs
In practice, most SMEs deploy AI in these areas: text generation (ChatGPT, Claude, Gemini for articles, emails, social media), customer service (AI chatbots, phone assistants), image generation (Midjourney, DALL-E for marketing materials), and automated recommendations (product suggestions, personalized newsletters). Each requires assessment against the risk classification.
Implementation Roadmap for SMEs
Phase 1: Inventory (2–4 Weeks)
Create an AI inventory covering all systems in use, including tools employees use independently. Classify each by risk tier.
Phase 2: Identify Obligations (1–2 Weeks)
For each inventoried system, document specific obligations. For most SMEs, transparency requirements will predominate.
Phase 3: Implementation (4–8 Weeks)
Deploy required measures: AI disclosure in chatbots and phone assistants, labeling processes for AI-generated content, internal AI usage guidelines, documentation of all compliance measures.
Phase 4: Ongoing Maintenance
New AI systems must be continuously captured and classified. Internal guidelines require periodic updates.
Penalties for Non-Compliance
The AI Act provides for significant fines: up to €35 million or 7% of annual turnover for prohibited practices, up to €15 million or 3% for transparency violations. SMEs benefit from a special provision: the lower amount always applies. Still, penalties can be existential.
SME-Specific Relief Measures
The legislation includes explicit accommodations: reduced conformity assessment fees, simplified documentation forms, access to regulatory sandboxes, training and advisory services through national competence centers. Since the Digital Omnibus of March 2026, these accommodations extend to small mid-cap companies up to 500 employees.
Compliance as Competitive Advantage
The AI Act need not be viewed solely as obligation. Early, transparent implementation signals responsibility to customers and partners. In a market where trust in AI applications is still being built, demonstrable compliance can be a genuine differentiator.
FAQ
Is my SME actually affected? If you deploy AI systems interacting with people (chatbots, phone assistants) or publish AI-generated content — yes. The AI Act classifies by system risk, not company size.
Do I need to appoint an AI officer? The AI Act does not mandate a dedicated AI officer. However, responsibility must be clearly assigned — for example, to IT management or compliance.
How significant is the implementation effort realistically? For typical SMEs with primarily transparency obligations: inventory takes one to two weeks, technical implementation four to eight weeks. Ongoing effort is comparable to GDPR maintenance.
Do I need external consulting? For inventory and risk classification, external support is advisable to avoid oversights. Technical implementation of transparency obligations is manageable independently in most cases.
