The image visualizes how many AI tools, language models and agents SMEs are already using in their daily work. The image shows the collaboration between AI agents and human employees in a high-tech environment.

EU AI Act 2026: Compliance Remains the Sticking Point

Written By Sebastian Deck
May 20, 2026

Three months until the deadline. From August 2, 2026, the central obligations of the EU Regulation on Artificial Intelligence (EU AI Act or AI Regulation for short) will be binding for small and medium-sized enterprises (SMEs). Anyone who still assumes that "we only use ChatGPT or Microsoft Copilot, that's up to the provider" could face an unpleasant and expensive learning curve in the coming weeks.

First, the situation: The AI Act was published in the Official Journal of the EU on July 12, 2024 and came into force on August 1, 2024 (Regulation (EU) 2024/1689). Since then, a staggered application schedule has applied.

What already applies now:

  • February 2, 2025: Prohibited AI practices under Art. 5 of the AI Regulation: social scoring, real-time biometric surveillance in public spaces and some other categories are prohibited throughout the EU.

  • February 2, 2025: Obligation for AI competence according to Art. 4 AI Regulation. This provision affects practically every company that uses AI, including pure users, i.e. "operators" within the meaning of the regulation (TUV Consulting).

  • August 2, 2025: Rules for general purpose AI models (GPAI), i.e. the large language models behind ChatGPT, Claude, Copilot or Gemini.

Art. 4 of the AI Regulation is the most important obligation for SMEs because it applies without controversy: Anyone who allows employees to use ChatGPT, Claude, Copilot or Midjourney must, according to the regulation, train these employees "to a sufficient extent". Content and formats are not prescribed; the leeway is intentional, but also creates uncertainty. The EU Commission first published an FAQ on this on May 7, 2025 (see overview by IHK Munich).

What will be added on August 2, 2026

Three blocks of obligations will become operational on the cut-off date:

  • High-risk AI systems in accordance with Annex III: Operators must introduce risk management, data governance, technical documentation, human oversight and logging. Particularly relevant for SMEs: applicant management (e.g. HireVue or other AI-supported HR tools), credit scoring and AI in education (see Sage analysis).

  • Transparency obligations under Art. 50 of the AI Regulation: Chatbots must disclose themselves as AI. AI-generated content (text, images, audio, deepfakes) must be labeled in a machine-readable way. These rules apply to every marketing team that uses AI for image generation or text creation. The Digital Omnibus is not intended to postpone this.

  • Regime of fines under Art. 99 of the AI Regulation: Up to EUR 35 million or 7 percent of annual worldwide turnover for violations of prohibited practices; up to EUR 15 million or 3 percent for high-risk violations; up to EUR 7.5 million or 1 percent for false statements to authorities (Kopexa overview). The higher amount is decisive in each case; lower upper limits are currently provided for SMEs.

Digital Omnibus: relief, but no postponement

The trilogue negotiations on the so-called "Digital Omnibus" ended on April 28 and 29, 2026 after a twelve-hour meeting without an agreement (Börse-Express). The point of contention: the integration of the AI regulation with existing EU safety standards for medical devices, vehicles and machines. The German government demanded exemptions for mechanical engineering. Despite the standstill, the timetable remains unchanged: August 2, 2026 is and remains the relevant date for high-risk obligations and transparency rules.

What the planned reform would bring for SMEs if it is passed: easier internal self-assessments (instead of expensive external audits) and an extension of the SME definition to include "small mid-caps" with an annual turnover of up to EUR 200 million. The calculation of fines would also become more favorable for SMEs: instead of "the higher of the fixed amount or the percentage of turnover", the lower amount would apply in future. Important: Do not rely on the Omnibus. The original text of the regulation applies until the reform is adopted. If you wait, you are taking a risk.

The real SME trap: where the AI Act, GDPR and US CLOUD Act come together

So much for the formal legal situation. For SMEs, however, the real question lies elsewhere. Three points are often overlooked in the public debate:

1. Shadow AI has long been a reality

The Bitkom AI Study 2026 (604 companies with 20 or more employees, CATI methodology) shows that 41% of German companies actively use AI, with a further 48% planning to use it. Compared to 2024 (17%), this is a doubling within two years (mybusinessfuture analysis of Bitkom data). At the same time, 40% of companies assume that their employees are using private AI tools for professional purposes without official approval. An IBM report from 2025 estimates that around 20 percent of all data protection breaches are now related to shadow AI applications.

In concrete terms: if the accountant pastes client key figures into a private ChatGPT account, if the marketing manager runs competitive analyses with Gemini or if HR runs application documents through an unapproved AI tool, the company is operating AI within the meaning of the AI Act without knowing it. In terms of the GDPR, data processing is also taking place without a legal basis, without a data processing agreement (DPA) in accordance with Art. 28 GDPR and in many cases without a data protection impact assessment (DPIA) in accordance with Art. 35 GDPR.

2. In which jurisdiction does the data end up?

The AI Act regulates the "how". The GDPR regulates the "who may do what with personal data". However, neither of the two legal acts answers a third, at least equally important question: in which jurisdiction does the data end up as soon as it passes through an AI model?

Microsoft Copilot, ChatGPT (both OpenAI and Azure OpenAI), Google Gemini and Anthropic Claude run on US infrastructure and are subject to the US CLOUD Act regardless of the location of the EU data centers. This is not academic: a study commissioned by the Federal Ministry of the Interior (BMI) confirmed in detail at the end of 2025 that data stored in the EU can be accessed extraterritorially. So anyone who allows employees to work with M365 Copilot formally fulfills Art. 4 of the AI Regulation through training, but at the same time risks a GDPR conflict.

You can find a detailed analysis of why this risk is not abstract in our article on the Recall function in Windows 11 and in our article on kill switch and blackout risks from US providers.

3. The labeling obligation affects every marketing team

The transparency obligations under Art. 50 of the AI Regulation will not be postponed by the Omnibus. From August 2, 2026, every marketing team that generates images, revises texts or produces videos with AI must establish machine-readable labeling. Without documented training, a clear policy and suitable tools, this will not work reliably, and it is precisely this process setup that can take longer than three months if it is not initiated now.

What SMEs should do now

Four measures are already feasible without major effort:

1. AI inventory in 30 minutes. Create a lean table: Which AI tools are used in the company, officially and unofficially? Which employees use which tools for which tasks? Is there a DPA for each tool? In which jurisdiction does the provider process data? Which data types are involved? This inventory is the basis for all further measures.

2. Document training in accordance with Art. 4 AI Regulation. Contents and formats are not prescribed. What matters is being able to prove that employees can use AI responsibly. In many cases, the training is eligible for up to 100 percent funding via the Qualification Opportunities Act (QCG). The points of contact for SMEs are the approximately 30 SME Digital Centers of the Federal Ministry for Economic Affairs and Energy (BMWE), which also offer free advice (SME Digital Center Focus on People).

3. Internal AI guideline. A lean policy is enough to start with: Which tools are approved and which are not? Which data categories may be entered where? What labeling requirements apply internally? Who is the contact person for AI-related questions? This is an hour's work for management, and experience has shown that it eliminates around 80 percent of the operational risk.

4. Provider selection with an eye to sovereignty. Replacing ChatGPT with Aleph Alpha, Mistral or a cleanly hosted open source solution for sensitive workflows addresses AI Act compliance, GDPR compliance and third-country risk in one step. This applies in particular to law firms, tax consultancies, clinics, banks and public authorities.

Sovereign infrastructure as the basis for compliance

SMEs that are now looking at how they can set up AI workflows in a legally compliant manner need three things: a secure location for the data that circulates between AI tools and employees; a clear legal space that avoids the CLOUD Act conflict; and an architecture that enables training, documentation and audit trails.

SecureCloud offers precisely this foundation: 100 percent German hosting on its own hardware at noris network AG in Nuremberg, certified according to BSI C5 and ISO 27001, without a US parent company and without third-country access. The SecureCloud products SecureShare, SecureWork and SecureSign cover the data flows that typically collide with AI tools: secure data exchange with external parties, collaborative document work with traceable rights and versions, and legally compliant digital signatures for AI-supported processes. Setting up the use of AI in-house on a sovereign platform not only reduces the risk of fines, but also the operational follow-up costs for audits, data protection impact assessments and supplier inquiries.

Conclusion: Three months is enough, if you act quickly

The AI Act 2026 is no longer a compliance exercise for large corporations only. It will affect every SME that uses AI, and according to Bitkom, 41% are now actively doing so, with a further 48% planning to. The task is manageable if it is approached in a structured way: inventory, training, policy, choice of provider. The risks are manageable if data sovereignty is considered from the outset. If you haven't started three months before August 2, 2026, you should start today, not tomorrow.

Want to know where your company stands in preparing for NIS2 and the AI Act in parallel? Our NIS2 readiness quick check provides an initial assessment in two minutes and is a good starting point for the parallel AI compliance discussion.


Sebastian Deck

Sebastian Deck is Chief Marketing Officer (CMO) at SecureCloud and is responsible for brand strategy, communications and marketing. He has many years of experience in building and leading international marketing teams in consulting, fintech and technology companies. At SecureCloud, he drives brand positioning, thought leadership and lead generation. He also manages go-to-market initiatives and campaigns to position SecureCloud as a leading provider of cyber security and secure cloud services.
