EU AI Act August 2026 Deadline: Your 90-Day Action Plan for SMEs
August 2, 2026. That’s when the EU AI Act’s prohibited practices provisions take effect. If your business uses any AI system that falls into the prohibited categories — and more businesses do than realize it — you need to stop, now.
This isn’t a future concern. The deadline is 60 days away. The fines are up to €35 million or 7% of global annual turnover (whichever is higher). And the national authorities are already hiring enforcement staff.
Here’s your action plan, in order, with specific steps for each.
What Happens on August 2, 2026
The first enforcement milestone of the EU AI Act takes effect on August 2, 2026. Specifically:
- Prohibited AI practices become illegal — Article 5’s list of banned AI systems must be discontinued
- AI literacy requirements begin — Article 4 requires organizations to ensure their staff has sufficient AI literacy
- Transparency obligations start — Article 50’s requirements for AI-generated content labeling take effect
The high-risk classification system (Articles 6–49) doesn’t take effect until August 2, 2027. But the prohibited practices and transparency rules are enforceable in 60 days.
Step 1: Audit Your AI Systems (Week 1)
Before you can comply, you need to know what AI you’re using. Create an inventory:
AI Inventory Template
| System | Purpose | AI Type | Data Processed | Vendor | Hosting |
|---|---|---|---|---|---|
| ChatGPT | Email drafting | Generative AI | Customer emails | OpenAI | Cloud |
| Ollama (local) | Document analysis | LLM | Internal documents | Self-hosted | Local |
| Gmail spam filter | Email classification | ML classifier | All incoming email | Google | Cloud |
| LinkedIn Recruiter | Candidate screening | Recommendation engine | Candidate profiles | Microsoft | Cloud |
| CRM lead scoring | Sales prioritization | Scoring model | Customer data | Salesforce | Cloud |
Check every tool. Many SaaS products include AI features you may not realize:
- Does your email platform use AI for sorting or suggested replies?
- Does your CRM score leads automatically?
- Does your accounting software categorize expenses using ML?
- Does your website use chatbots or recommendation engines?
- Does your HR platform screen resumes?
If any of these fall into a prohibited category, you need to act.
Step 2: Check for Prohibited Practices (Week 1–2)
Article 5 of the EU AI Act bans these AI practices effective August 2, 2026:
Banned AI Practices Checklist
- Social scoring by governments — Using AI to classify people based on social behavior or personality traits for general-purpose scoring (only applies to public authorities; private companies are covered if they do this for public services)
- Manipulative AI — Deploying subliminal techniques or exploiting vulnerabilities (age, disability, socioeconomic situation) to materially distort behavior in harmful ways
- Exploitation of vulnerabilities — Targeting people with disabilities, children, or elderly with AI that exploits their specific vulnerabilities
- Biometric categorization using sensitive traits — Inferring political opinions, trade union membership, religious orientation, race, health, or sexual orientation from biometric data
- Untargeted facial recognition database scraping — Scraping facial images from the internet or CCTV to create facial recognition databases
- Emotion recognition in workplaces and schools — Using AI to infer emotions in employment or education contexts (banned in these contexts only; allowed in therapeutic/medical settings)
- Predictive policing — Using AI to predict criminal behavior based solely on profiling or personality traits
- Real-time biometric identification in public spaces — Live facial recognition in public places (with narrow law enforcement exceptions)
What This Means for Most SMEs
Most SMEs don’t directly use prohibited AI practices. But you might be affected if:
- You use AI-powered recruitment tools — Some resume screening AI infers personality traits, which could fall under “social scoring” or “exploitation of vulnerabilities”
- You have CCTV with AI analytics — If your CCTV system does facial recognition, emotion detection, or people counting with demographic classification, it may be prohibited
- You use AI for employee monitoring — Tools that track keystrokes, infer emotional states, or classify employee behavior patterns are banned in workplaces
- Your CRM does predictive lead scoring — This is fine as long as it doesn’t use protected characteristics (age, disability, ethnicity) as input features
If you find a prohibited practice in your AI inventory, you must discontinue it before August 2, 2026. There is no grace period and no exemption for SMEs.
Step 3: Implement Transparency Requirements (Week 2–3)
Article 50 requires users of AI systems that generate content to disclose that the content was AI-generated. This applies to:
Content Labeling Checklist
- AI-generated text — Blog posts, emails, reports, marketing copy generated by AI must be labeled
- AI-generated images — Product photos, social media images, marketing visuals created by AI need disclosure
- AI-generated audio — Voice clones, synthesized speech, podcast intros made by AI must be disclosed
- AI-generated video — Training videos, product demos, social media clips with AI-generated elements need labels
- Deepfakes — Any synthetic media that realistically depicts people must be clearly labeled
Practical implementation:
For a blog or content site (like ours):
```html
<!-- Add to every AI-assisted article -->
<meta name="ai-generated" content="partially" />
<!-- At the end of AI-generated content -->
<p class="ai-disclosure">This article was researched and written with AI assistance.
All facts have been verified by human editors. <a href="/ai-policy">Our AI policy</a></p>
```
For emails:
Subject: [AI-Drafted] Monthly report — June 2026
For images:
Alt text: "Product photo (AI-generated background)"
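One way to enforce the HTML convention above at build time, as an added example that is not part of the original article: the checker flags pages whose `ai-generated` meta tag and visible `ai-disclosure` paragraph are missing or disagree. The `ai_assisted` flag (assumed to come from your CMS), the `fully` value and the sample pages are assumptions.

```python
from html.parser import HTMLParser

# Assumption: the article shows only "partially"; "fully" is hypothetical.
ALLOWED = {"partially", "fully"}

class DisclosureScanner(HTMLParser):
    """Collects the machine-readable and the visible AI disclosure of a page."""
    def __init__(self):
        super().__init__()
        self.meta_value = None       # content of <meta name="ai-generated">
        self.disclosure_text = ""    # text inside <p class="ai-disclosure">
        self.policy_link = False     # disclosure paragraph contains a link
        self._in_disclosure = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "ai-generated":
            self.meta_value = (a.get("content") or "").strip().lower()
        elif tag == "p":
            self._in_disclosure = "ai-disclosure" in (a.get("class") or "").split()
        elif tag == "a" and self._in_disclosure and a.get("href"):
            self.policy_link = True

    def handle_endtag(self, tag):
        if tag == "p":
            self._in_disclosure = False

    def handle_data(self, data):
        if self._in_disclosure:
            self.disclosure_text += data

def audit_page(html, ai_assisted):
    """Return labelling problems; ai_assisted is the CMS's own flag (assumed input)."""
    s = DisclosureScanner()
    s.feed(html)
    meta, visible = s.meta_value, bool(s.disclosure_text.strip())
    checks = [
        (ai_assisted and meta is None, "missing ai-generated meta tag"),
        (meta is not None and meta not in ALLOWED, f"unexpected meta value: {meta!r}"),
        ((ai_assisted or meta is not None) and not visible,
         "missing visible ai-disclosure paragraph"),
        (visible and not s.policy_link, "disclosure does not link to the AI policy"),
    ]
    return [message for failed, message in checks if failed]

# Constructed sample pages (not from a real site).
LABELLED = ('<meta name="ai-generated" content="partially" /><p class="ai-disclosure">'
            'Written with AI assistance. <a href="/ai-policy">Our AI policy</a></p>')
META_ONLY = '<meta name="ai-generated" content="partially" /><p>Body.</p>'
```

Run it over the rendered output in CI and fail the build when `audit_page` returns a non-empty list for any page.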
Step 4: Ensure AI Literacy (Week 3–4)
Article 4 requires that organizations deploying AI systems ensure their staff has “sufficient AI literacy.” This is intentionally vague — the Act doesn’t specify training hours or certifications. For SMEs, we recommend:
Minimum AI Literacy Requirements
| Role | Required Knowledge | Suggested Training |
|---|---|---|
| All staff | What AI is, what it does, what it doesn’t do | 1-hour online module |
| Managers | AI risk categories, prohibited practices, transparency obligations | 3-hour workshop |
| IT/Dev teams | Technical AI literacy, model selection, data handling | 8-hour course |
| Legal/Compliance | EU AI Act requirements, documentation obligations, reporting | 8-hour course |
| Executives | Strategic AI risks, liability, board responsibilities | 3-hour workshop |
Free resources for AI literacy:
- EU AI Act official guidance (europa.eu)
- AESIA (Spain’s AI authority) training materials (aesia.gob.es)
- ISO/IEC 42001 AI Management System overview
- Our EU AI Act compliance guide
Step 5: Document Everything (Week 4–6)
Even though high-risk documentation (Articles 8–15) isn’t required until August 2027, start documenting now:
Documentation You Need Today
- AI System Inventory — What AI you use, where it’s hosted, what data it processes
- Prohibited Practices Audit — Signed statement that you’ve checked and don’t use prohibited AI
- Transparency Policy — How you label AI-generated content
- AI Literacy Records — Training completed, by whom, when
Documentation You’ll Need by August 2027
- Risk Classification — Which of your AI systems are high-risk under Annex III
- Technical Documentation — For each high-risk system (Articles 11–12)
- Data Governance — How training data was collected, labeled, and validated (Article 10)
- Human Oversight Measures — How humans monitor and can override AI decisions (Article 14)
- Accuracy, Robustness, and Cybersecurity — Testing and validation (Article 15)
Step 6: Register with AESIA (Spain Only, Week 6–8)
If you’re operating in Spain, you’ll need to register with AESIA (Agencia Española de Supervisión de la Inteligencia Artificial):
- Create an account at aesia.gob.es
- Register your AI systems — Especially any that process personal data or make decisions affecting individuals
- Submit your prohibited practices audit — AESIA requires a signed declaration
- Designate a compliance officer — For SMEs, this can be an existing team member; you don’t need to hire a dedicated DPO unless you process large volumes of personal data
AESIA contact for SMEs: They have a dedicated SME support line at 900 123 456 and email at pymes@aesia.gob.es.
Cost Estimates for SME Compliance
| Activity | Time | Cost (DIY) | Cost (Outsourced) |
|---|---|---|---|
| AI inventory audit | 8–16 hours | €0 (internal) | €500–1,500 |
| Prohibited practices review | 4–8 hours | €0 (internal) | €300–800 |
| Transparency labeling | 4–8 hours | €0 (internal) | €200–500 |
| AI literacy training | 1–8 hours/person | €0 (free resources) | €50–200/person |
| Documentation | 8–24 hours | €0 (internal) | €1,000–3,000 |
| AESIA registration | 2–4 hours | €0 (free) | €0 (free) |
| Total (DIY) | 27–68 hours | €0 | — |
| Total (Outsourced) | — | — | €2,000–6,000 |
What NOT to Do
Based on questions we’ve received from SMEs:
- Don’t ignore the deadline. The €35M fine is real, and enforcement starts August 3, 2026.
- Don’t over-classify. Most SME AI usage (email drafting, document summarization, translation) is minimal risk under the Act. You don’t need a full conformity assessment for ChatGPT.
- Don’t pay for unnecessary certifications. There is no “EU AI Act certification” that SMEs need to buy. The Act requires self-assessment and documentation, not third-party audits (for most systems).
- Don’t ban AI entirely. The Act regulates AI use, it doesn’t prohibit it. Local AI on your own hardware is the safest path.
- Don’t forget the transparency rules. Even minimal-risk AI requires content labeling. This catches more businesses than the prohibited practices do.
The Local AI Advantage
If you’re running AI locally on your own hardware (which is what we recommend), you have a significant compliance advantage:
| Compliance Area | Cloud AI | Local AI |
|---|---|---|
| Data processing location | Third-party servers (requires DPA) | Your servers (no DPA needed) |
| Cross-border data transfer | Risk of non-EU transfer | None — data stays in your office |
| GDPR Article 28 | Processor agreement required | You’re the sole controller |
| Audit trail | Depends on vendor logging | Full control of logs |
| Transparency | Must verify vendor labeling | You control all labeling |
| Prohibited practices | Harder to verify vendor AI | You control what runs |
Local AI on your own hardware is the fastest path to EU AI Act compliance because you control everything — the model, the data, the logs, and the labeling.
90-Day Timeline
| Week | Action | Status |
|---|---|---|
| Week 1 | Audit AI inventory | ⬜ |
| Week 1–2 | Check for prohibited practices | ⬜ |
| Week 2–3 | Implement transparency labeling | ⬜ |
| Week 3–4 | Complete AI literacy training | ⬜ |
| Week 4–6 | Document compliance | ⬜ |
| Week 6–8 | Register with AESIA (Spain) | ⬜ |
| Week 8–10 | Internal review and gap analysis | ⬜ |
| Week 10–12 | Final verification before August 2 deadline | ⬜ |