Three months until the deadline. From August 2, 2026, the central obligations of the EU Regulation on Artificial Intelligence (EU AI Act or AI Regulation for short) will be binding for small and medium-sized enterprises (SMEs). Anyone who still assumes that "we only use ChatGPT or Microsoft Copilot, that's up to the provider" could face an unpleasant and expensive learning curve in the coming weeks.
First, the situation: The AI Act was published in the Official Journal of the EU on July 12, 2024 and came into force on August 1, 2024 (Regulation (EU) 2024/1689). Since then, its obligations have applied on a staggered timetable.
What already applies now:
Art. 4 of the AI Regulation is the most exciting obligation for SMEs because it applies without controversy: Anyone who allows employees to use ChatGPT, Claude, Copilot or Midjourney must train these employees "to a sufficient extent" according to the regulation. Content and formats are not prescribed - the leeway is intentional, but also creates uncertainty. The EU Commission first published an FAQ on this on May 7, 2025 (see overview by IHK Munich).
Three blocks of obligations will become operational on the cut-off date
The trilogue negotiations on the so-called "Digital Omnibus" ended on April 28 and 29, 2026 after a twelve-hour meeting without an agreement (Börse-Express). The point of contention: the integration of the AI regulation with existing EU safety standards for medical devices, vehicles and machines. The German government demanded exemptions for mechanical engineering. Despite the standstill, the timetable remains unchanged: August 2, 2026 is and remains the relevant date for high-risk obligations and transparency rules.
What the planned reform will bring for SMEs, however, if it is passed: easier internal self-assessments (instead of expensive external audits) and an extension of the SME definition to include "small mid-caps" with an annual turnover of up to €200 million. The calculation of fines will also be more favorable for SMEs: instead of "the higher of the fixed amount or the percentage of turnover", the lower amount will apply in future. Important: do not rely on the omnibus. The original text of the regulation applies until the reform is adopted. If you wait, you are taking a risk.
So far, the formal legal situation. For SMEs, however, the real question lies elsewhere.
Three points are often overlooked in the public debate:
The Bitkom AI Study 2026 (604 companies with 20 or more employees, CATI methodology) shows that 41% of German companies actively use AI, with a further 48% planning to use it. Compared to 2024 (17%), this is a doubling within two years (mybusinessfuture analysis of Bitkom data). At the same time, 40% of companies assume that their employees are using private AI tools for professional purposes - without official approval. An IBM report from 2025 estimates that around 20 percent of all data protection breaches are now related to shadow AI applications.
In concrete terms: if the accountant pastes client key figures into a private ChatGPT account, if the marketing manager runs competitive analyses with Gemini or if HR runs application documents through an unapproved AI tool, the company is operating AI within the meaning of the AI Act - without knowing it. In terms of the GDPR, data processing is also taking place without a legal basis, without a data processing agreement (DPA) in accordance with Art. 28 GDPR and in many cases without a data protection impact assessment (DPIA) in accordance with Art. 35 GDPR.
The AI Act regulates the "how". The GDPR regulates the "who may do what with personal data". However, neither of the two legal acts answers a third, at least equally important question: in which jurisdiction does the data end up as soon as it passes through an AI model?
Microsoft Copilot, ChatGPT (both OpenAI and Azure OpenAI), Google Gemini and Anthropic Claude run on US infrastructure and are subject to the US CLOUD Act even when EU data centers are used. This is not academic: a study commissioned by the Federal Ministry of the Interior (BMI) confirmed in detail at the end of 2025 that data stored in the EU can be accessed extraterritorially. So anyone who allows employees to work with M365 Copilot formally fulfills Art. 4 of the AI Regulation through training, but at the same time risks a GDPR conflict.
You can find a detailed analysis of why the risk is not abstract in our article on the recall function in Windows 11 and on kill switch and blackout risks from US providers.
The transparency obligations under Art. 50 of the AI Regulation will not be postponed by the omnibus. From August 2, 2026, every marketing team that generates images, revises texts or produces videos with AI must establish machine-readable labeling. Without documented training, a clear policy and suitable tools, this will not work reliably - and it is precisely this process setup that can take longer than three months if it is not initiated quickly now.
Four measures are already feasible without major effort:
1. AI inventory in 30 minutes. Create a lean table: Which AI tools are used in the company - officially and unofficially? Which employees use which tools for which tasks? Is there a DPA for each tool? In which jurisdiction does the provider process data? Which data types are included? This inventory is the basis for any further measures.
2. Document training in accordance with Art. 4 AI Regulation. Contents and formats are not prescribed. What matters is being able to prove that employees can use AI responsibly. In many cases, the training is eligible for up to 100 percent funding via the Qualification Opportunities Act (QCG). The points of contact for SMEs are the approximately 30 SME Digital Centers of the Federal Ministry for Economic Affairs and Energy (BMWE) - including free advice (SME Digital Center Focus on People).
3. Internal AI guideline. A lean policy is enough to start with: Which tools are approved and which are not? Which data categories may be entered where? What labeling requirements apply internally? Who is the contact person for AI-related questions? This is an hour's work for the management - and experience has shown that it eliminates around 80 percent of the operational risk.
4. Provider selection with an eye to sovereignty. Replacing ChatGPT with Aleph Alpha, Mistral or a cleanly hosted open source solution for sensitive workflows addresses AI Act compliance, GDPR compliance and third-country risk in one step. This applies in particular to law firms, tax consultancies, clinics, banks and public authorities.
SMEs that are now looking at how they can set up AI workflows in a legally compliant manner need three things: a secure location for the data that circulates between AI tools and employees; a clear legal space that avoids the CLOUD Act conflict; and an architecture that enables training, documentation and audit trails.
SecureCloud offers precisely this foundation: 100 percent German hosting on its own hardware at noris network AG in Nuremberg, certified according to BSI C5 and ISO 27001, without a US parent company and without third-country access. The SecureCloud products SecureShare, SecureWork and SecureSign cover the data flows that typically collide with AI tools: secure data exchange with external parties, collaborative document work with traceable rights and versions, and legally compliant digital signatures for AI-supported processes. Setting up the use of AI in-house on a sovereign platform not only reduces the risk of fines, but also the operational follow-up costs for audits, data protection impact assessments and supplier inquiries.
The AI Act 2026 is no longer a compliance exercise for large corporations. It will affect every SME that uses AI - and according to Bitkom, 41% are now actively doing so, with a further 48% planning to use it. The task is manageable if it is approached in a structured way: Inventory, training, policy, choice of provider. The risks are manageable if data sovereignty is considered from the outset. If you haven't started three months before August 2, 2026, you should start today - not tomorrow.
Want to know where your company stands in terms of parallel preparation for NIS2 and the AI Act? Our NIS2 readiness quick check provides an initial assessment in two minutes - and is a good starting point for the parallel AI compliance discussion.