Guide · 13 min read
EU AI Act for European Businesses: the 2026 operational guide
The 4 risk levels of the AI Act, what changes for HR, finance, marketing, support, and the 4 concrete steps every European SME needs to take. Updated May 2026.
The EU AI Act came into force on 1 August 2024. Since then, European SMEs have been receiving emails from AI consultants raising the spectre of fines up to 7% of turnover. The operational reality is far calmer: for 90% of SMEs, direct obligations are few and manageable.
This is the honest map: what actually changes for your business, the 4 concrete steps you should take before the August 2026 deadline, and how specific sectors (HR, finance, marketing, support) are affected.
The 4 AI Act risk categories
The regulation classifies AI systems into 4 risk levels. The level determines the obligations. Understanding where each of your systems sits is the starting point.
Unacceptable risk (prohibited)
Systems banned throughout the EU from February 2025:
- Social scoring (evaluating or ranking people on their social behaviour or personal traits, leading to detrimental treatment in unrelated contexts).
- Subliminal, manipulative or deceptive techniques that materially distort behaviour and cause significant harm.
- Exploitation of vulnerabilities of specific groups (age, disability, social or economic situation).
- Real-time remote biometric identification in publicly accessible spaces for law enforcement (narrow exceptions).
- Biometric categorisation to infer race, political opinions, religion, sexual orientation and similar attributes.
- Emotion recognition in the workplace and in education (except for medical or safety reasons).
- Untargeted scraping of facial images from the internet or CCTV to build recognition databases.
Does this affect your SME? Probably not, with one trap worth knowing: emotion recognition at work (for example, analysing interview video for "engagement") sits in this category, not in a milder one.
High risk (heavy obligations)
Systems that can have a significant impact on people’s rights, safety, and opportunities:
- Recruitment and HR (CV screening, candidate assessment, promotion decisions).
- Consumer credit scoring (banks, fintech).
- Diagnostic healthcare systems (these reach high risk through the medical-device route in Annex I, on the later August 2027 timeline).
- Critical infrastructure (energy, transport, traffic).
- Education (access, student assessment).
- Law enforcement (with specific exceptions).
- Migration/asylum management.
Does this affect your SME? Yes, if you operate in recruitment, HR, finance, or healthcare. For other sectors: only if you build a system that falls specifically into this category. One distinction matters a lot here: if you buy a high-risk system you are a deployer and carry the lighter deployer duties (Art. 26); conformity assessment and registration fall on the provider. You become a provider yourself if you build the system or substantially modify a bought one (Art. 25).
Limited risk (transparency)
Systems that interact directly with individuals:
- Customer-facing chatbots.
- Content generation systems (AI that writes emails to customers, AI that generates images).
- Emotion recognition systems outside the workplace and education (where they are prohibited); note that the Act also lists emotion recognition as high risk, so transparency is not the only duty there.
Main obligation: transparency (Art. 50). Users must know they are interacting with AI unless it is obvious; providers of systems that generate synthetic audio, image, video or text must mark outputs in a machine-readable way; deployers must disclose deepfakes and AI-generated text published to inform the public on matters of public interest.
Does this affect your SME? Yes, if you have a frontline chatbot or generate AI images for marketing. The strict text-labelling duty is narrower than often claimed: it does not cover routine customer emails, so labelling those is good practice rather than a hard requirement.
Minimal risk (residual obligations)
Everything else: spam filters, recommendation systems, internal process optimisation, use of ChatGPT/Copilot for office productivity.
Obligations: none specific to the system. The one cross-cutting duty that still applies is Art. 4 AI literacy: since February 2025 every provider and deployer must ensure that staff operating AI systems have an adequate level of AI literacy for their role.
Does this affect your SME? Yes — for the majority of everyday use cases. Good news: no system-level bureaucracy, just a documented AI literacy effort (a short internal policy and training covers it).
Summary table
| Level | Examples | Obligations |
|---|---|---|
| Unacceptable | Social scoring, manipulation | Prohibited |
| High | Recruitment, credit, healthcare | Providers: risk management, logging capability, human-oversight design, conformity assessment, registration. Deployers: use per instructions, trained human oversight, log retention (six months minimum), inform affected people, DPIA where GDPR requires one |
| Limited | Chatbots, AI-generated content | Transparency |
| Minimal | ChatGPT in the office, spam filters | Residual |
What changes by sector
Recruitment & HR (high risk)
If you use AI to decide or significantly influence hiring, promotion, or performance evaluations (as a deployer of a bought system, or with the full provider duties if you built it):
- Documented risk assessment: a risk management system on the provider side (Art. 9); on the deployer side, the GDPR DPIA (Art. 35) that automated candidate evaluation almost always triggers.
- Full logging of decisions (input + output + criteria applied), using the logging capability the provider must build in (Art. 12).
- Human oversight assigned to trained, competent staff with the authority to override or stop the system (Art. 26(2)), not only on edge cases.
- Disclosure to candidates and employees that AI is involved (Art. 26(11)), and information to workers' representatives before the system is put into service at the workplace (Art. 26(7)).
- Record retention: the Act's minimum for deployer logs is six months (Art. 26(6)); providers keep technical documentation for ten years (Art. 18). Six years is a conservative internal retention target, not a statutory figure.
In practice in Soraia recruitment projects:
- The AI agent filters and ranks candidates, but the human recruiter always signs off on the final decision.
- We maintain an immutable audit log for every decision, reconstructable over 6 years.
- DPIA document generated as a sprint deliverable.
- The agent does not produce legally binding outputs without human review.
Legally, this does not move the system out of the high-risk category: an Annex III recruitment system that profiles candidates is always high risk, whatever the degree of human involvement (Art. 6(3)). Human-in-the-loop is how we meet the oversight obligation, not a way around it, so we operate at the high-risk level.
Finance & Accounting (minimal risk if done right)
Agents that read invoices, perform OCR, validate VAT, and generate reports → minimal risk. Internal automation, no autonomous decisions impacting individuals.
Main obligation: internal transparency (the finance team must know the agent is AI-driven).
Exception: if the agent assesses the creditworthiness of natural persons or takes credit decisions about them → high risk (Annex III). If it automatically influences customer invoicing or payment terms → not an AI Act category as such, but it needs a case-by-case assessment under GDPR for automated decisions.
Sales & Marketing (limited risk)
Agents performing personalised outreach, lead scoring, email drafting → limited risk.
If the output goes to an external customer (e.g. an automated follow-up email):
- Indication that the email was generated with AI assistance (where appropriate, in a non-intrusive way). The AI Act's hard labelling duty for text (Art. 50(4)) only covers text published to inform the public on matters of public interest, so for customer emails this is good practice and GDPR transparency rather than a strict AI Act requirement.
- Ability for the recipient to reach a human. The right to human intervention is a GDPR Art. 22 concept and only bites where a solely automated decision has legal or similarly significant effects; offering it anyway costs little and removes the argument.
If the output stays internal (e.g. lead score for the sales team, not communicated to the customer):
- Minimal risk. Internal transparency only.
Customer Support (depends)
Frontline customer-facing chatbot → limited risk. Obligation: inform the user they are talking to AI (even discreetly at the bottom of the chat), unless it is already obvious from the context.
Internal routing + response drafting (human approves and sends) → minimal risk. The human acts as the final check; the system is “assisted”.
Education & Training
If your SME provides external training that uses AI for student assessment → high risk. If AI is used only to generate learning materials → limited risk. If AI is purely a productivity tool for internal trainers → minimal risk.
The 4 concrete steps for SMEs
Regardless of risk level, here are the 4 practical things to do before August 2026. This is the minimum. Full stop.
Step 1 — Internal AI policy (1 page)
A 1-page document stating:
- What is permitted when using AI in the business (using ChatGPT for standard tasks, etc.).
- What is prohibited (inputting sensitive personal data without a DPA, using personal accounts for company tasks, producing legally binding AI output without review).
- How to report issues (dedicated internal channel).
- Who is responsible for AI governance (designated manager).
Supports internal governance, satisfies the GDPR accountability principle, and is the natural place to document how you meet the Art. 4 AI literacy duty (who has been trained on what).
Step 2 — Audit log for agent decisions
Every agent in production must log every decision:
- Timestamp.
- Input received (anonymised where necessary).
- Rules/prompt applied.
- Output produced.
- Human escalation flag (yes/no/when).
For high-risk systems this is a regulatory requirement. For others it is smart regardless: debugging, accountability, continuous improvement.
Standard 2026 tooling: Langfuse, OpenLLMetry, custom systems on S3 + metadata. Cost: ~€100–300/month for an average SME.
Step 3 — Human oversight on critical cases
Define upfront: when the agent decides autonomously, and when it escalates to a human.
Examples:
- Recruitment: agent filters and ranks; human always signs the final offer.
- Accounting: agent processes invoices below €X; human reviews anomalies above €10k.
- Support: agent handles standard requests; human manages negative or complex escalations.
Documenting the “automatic cases / escalation cases” matrix is the most direct and most powerful compliance deliverable.
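One way to implement Step 2 and Step 3 together, as an added illustration that is not Soraia's code and not a feature of Langfuse or OpenLLMetry: an append-only, hash-chained decision log with the five fields listed in Step 2, a keyed pseudonymisation of identifiers in the input, and the "automatic cases / escalation cases" matrix from Step 3 evaluated on every record. The pseudonymisation key, the thresholds, the process names and the sample records are all constructed for the example.

```python
"""Tamper-evident agent decision log plus an escalation matrix.

Added example, not Soraia's code. Assumes JSON-serialisable agent inputs and
outputs; the key, thresholds and sample records below are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional

GENESIS_HASH = "0" * 64
# Constructed key. In production keep it in a secrets manager and rotate it:
# whoever holds it can re-identify the pseudonymised inputs.
PSEUDONYM_KEY = b"example-only-pseudonymisation-key"


def escalation_reason(process: str, ctx: dict) -> Optional[str]:
    """Step 3 matrix: a reason string when a human must decide, else None."""
    if process == "recruitment":
        # Filtering and ranking may be automatic; the final decision never is.
        return "final hiring decision requires human sign-off" if ctx.get("stage") == "final_decision" else None
    if process == "invoice_processing":
        if ctx.get("anomaly"):
            return "anomaly flagged by validation"
        if ctx.get("amount_eur", 0) > 10_000:
            return "amount above EUR 10k review threshold"
        return None
    if process == "support":
        return "negative or complex case" if ctx.get("sentiment") == "negative" or ctx.get("complex") else None
    # Unknown process: fail closed and send it to a person.
    return f"no escalation rule defined for {process!r}"


def pseudonymise(value: str) -> str:
    """Keyed hash: the same person yields the same token across entries (so a
    case can be reconstructed) without the identifier itself being stored."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass(frozen=True)
class LogEntry:
    timestamp: str
    process: str
    input: dict                      # minimised, identifiers pseudonymised
    policy: str                      # prompt / rule-set version applied
    output: dict
    escalated: bool
    escalation_reason: Optional[str]
    prev_hash: str                   # hash of the previous entry
    entry_hash: str                  # hash of everything above


def _digest(fields: dict) -> str:
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only, hash-chained log: each entry commits to the previous one,
    so editing or deleting any record invalidates every later hash."""

    def __init__(self) -> None:
        self.entries: list[LogEntry] = []

    def record(self, process: str, input_: dict, policy: str, output: dict,
               now: Optional[datetime] = None) -> LogEntry:
        reason = escalation_reason(process, {**input_, **output})
        fields = {
            "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
            "process": process,
            "input": input_,
            "policy": policy,
            "output": output,
            "escalated": reason is not None,
            "escalation_reason": reason,
            "prev_hash": self.entries[-1].entry_hash if self.entries else GENESIS_HASH,
        }
        entry = LogEntry(**fields, entry_hash=_digest(fields))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False means a record was altered or removed."""
        prev = GENESIS_HASH
        for e in self.entries:
            fields = asdict(e)
            stored = fields.pop("entry_hash")
            if e.prev_hash != prev or _digest(fields) != stored:
                return False
            prev = stored
        return True


def build_sample_log() -> AuditLog:
    """Three constructed decisions; supplier, candidate and amounts are invented."""
    log = AuditLog()
    t = datetime(2026, 5, 4, 9, 0, tzinfo=timezone.utc)
    supplier = pseudonymise("ACME S.r.l.")
    log.record("invoice_processing", {"supplier": supplier, "amount_eur": 1_250},
               "invoice-rules-v3", {"vat_valid": True, "anomaly": False}, now=t)
    log.record("invoice_processing", {"supplier": supplier, "amount_eur": 18_400},
               "invoice-rules-v3", {"vat_valid": True, "anomaly": False}, now=t)
    log.record("recruitment", {"candidate": pseudonymise("jane.doe@example.org"), "stage": "final_decision"},
               "screening-prompt-v7", {"rank": 2}, now=t)
    return log


def tampered_copy(log: AuditLog) -> AuditLog:
    """An insider quietly lowers a past amount; verify() must catch it."""
    bad = AuditLog()
    bad.entries = list(log.entries)
    e = bad.entries[1]
    bad.entries[1] = LogEntry(**{**asdict(e), "input": {**e.input, "amount_eur": 8_400}})
    return bad
```

The chain makes edits and deletions inside the stored log detectable, but not a truncation of the tail or a rewrite by someone who recomputes every hash. The usual complement is to anchor the latest `entry_hash` somewhere the agent cannot overwrite, for example by periodically writing it to a write-once bucket (S3 Object Lock) or signing it with a key the application does not hold.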
Step 4 — DPA with the vendor
If you use an external provider (Soraia, OpenAI direct, Anthropic, Microsoft, Google), you need a Data Processing Agreement under Art. 28 GDPR.
- OpenAI has a standard DPA available for download.
- Anthropic has a standard DPA.
- Microsoft (Copilot) has a DPA included in the Business tenant.
- Google has a standard DPA.
- Soraia (and any serious agency) includes it in the sprint contract.
Without a DPA, every personal data record you send to the provider is processing without the contract Art. 28 GDPR requires. The most direct step, and the one most often skipped in a rush.
Timeline 2025–2026: what expires when
Key dates to plan your compliance:
- 2 February 2025 ✓ already in force — prohibition of unacceptable AI practices, plus the Art. 4 AI literacy duty for all providers and deployers.
- 2 August 2025 ✓ already in force — obligations for general-purpose AI models (mainly affects vendors like OpenAI/Anthropic, not end users), governance bodies and the penalty rules.
- 2 August 2026 — general application: Annex III high-risk obligations and the Art. 50 transparency duties (chatbots, synthetic content). If you have recruitment AI, credit-scoring AI, a customer-facing chatbot, etc., this is the operational deadline.
- 2 August 2027 — obligations for high-risk systems that are, or are embedded in, regulated products under Annex I (medical devices, machinery).
For most SMEs: 2 August 2026 is the date to mark in the calendar. At time of writing (May 2026) that is three months away.
Fines: how they actually work
Scaremongering emails throw around figures like "up to 7% of turnover". True as a ceiling, but misleading. The top tier is reserved for prohibited practices; supplying false or misleading information to authorities sits in the lowest tier.
Operational summary:
| Type of violation | Maximum fine |
|---|---|
| Prohibited AI practices | €35M or 7% of worldwide annual turnover |
| Non-compliance with other obligations, including high-risk systems | €15M or 3% of turnover |
| False, incomplete or misleading information to authorities | €7.5M or 1% of turnover |
For large companies the higher of the two figures applies; for SMEs and start-ups the Act applies whichever is lower (Art. 99(6)), and fines must be proportionate to the size of the company.
For an average European SME (turnover €5–20M), the real risk of a fine is low if you:
- Do not use prohibited systems.
- Have the 4 basic steps above implemented.
- Cooperate with authorities if approached.
Minor sanctions (warnings, requests for remediation) are far more likely and manageable.
What NOT to do (scaremongering red flags)
When an AI consultant tells you these things, it is a red flag:
“You are legally required to appoint an AI Officer.” False for SMEs. The AI Act does not mandate the appointment of a dedicated role.
“You need €50,000 worth of compliance work to be covered under the AI Act.” For most SMEs, the 4 basic steps cost €2–5k in one-off consulting — not €50k.
“The AI Act bans the use of ChatGPT in business.” False. Business use of ChatGPT is minimal risk; an internal policy is enough.
“Automatic fines from 2025 with no warning.” False. Penalties must be effective, proportionate and dissuasive, and in practice market surveillance authorities request remediation before sanctioning.
“Only certified vendors are acceptable.” False. There is no mandatory “AI Act certification” for vendors (voluntary certifications exist but are not a prerequisite).
The Soraia advantage for compliance
Full disclosure: this guide is written by Soraia, an AI agency. Our sprints include by default:
- Immutable audit log for every agent decision.
- DPIA template already drafted for recruitment / finance / people-related processes.
- AI policy 1-pager customised for the client’s team.
- EU hosting for personal data (no unauthorised extra-EU data transfers).
- Art. 28 GDPR DPA pre-included in the contract.
Not because we are heroic, but because without these things we cannot do the work in regulated sectors at all.
Want an assessment of your specific situation under the AI Act? Do the 3-minute check-up to understand where you stand, or talk to Daniel for 20 minutes to walk through your current AI systems and real obligations together.
Frequently asked questions
What people usually ask us.
Does the AI Act apply to European SMEs?
When did the AI Act come into force?
What are the 4 risk levels of the AI Act?
If I use ChatGPT at work, do I need to do anything specific for the AI Act?
Recruitment with AI: what obligations apply?
What is a DPIA and when is it required?
What are the AI Act fines?
Do I need to appoint an AI Officer?
Want an opinion on your case?
20 minutes with the CEO to figure out together whether it makes sense. No commitment, no pitch: just a practical conversation about your processes.
Daniel Levis
Co-Founder & CEO