← Back to blog
AI & Automation

EU AI Act phase 2: what 2 August 2026 means for SMEs that deploy AI

By Zarioh Digital Solutions4 min read
Share
EU AI Act phase 2: what 2 August 2026 means for SMEs that deploy AI

On 2 August 2026, the second major phase of the EU AI Act enters into force. Obligations for high-risk AI systems, governance requirements and penalties of up to 7% of revenue. What changes concretely, does it apply to your business, and which steps do you take now?

The EU AI Act has been in force since 1 August 2024 and is being implemented in phases. The first phase, the ban on unacceptable AI practices such as social scoring and real-time facial recognition in public spaces, has applied since February 2025. The rules for general-purpose AI models such as GPT and Claude came into effect on 2 August 2025. Now the next major milestone is approaching: 2 August 2026.

On that date, the obligations for high-risk AI systems, governance structures, and enforcement powers of supervisory authorities become fully active. For SMEs that deploy AI, whether via Microsoft 365 Copilot, their own agent, or an external SaaS tool, this means that the era of non-commitment is over.

What changes on 2 August 2026?

Three main categories of obligations become active. First, the rules for high-risk AI systems, such as AI in recruitment and selection, credit scoring, educational assessments, critical infrastructure, and law enforcement. Providers and users of such systems must maintain a risk management system, keep technical documentation, arrange human oversight, and be able to explain how the system works.

Second, the governance structure. National supervisors receive full powers, in the Netherlands the Dutch Data Protection Authority as coordinator together with sectoral regulators. The European AI Board and the AI Office in Brussels become operational.

Third, the penalties. Fines can reach up to 35 million euros or 7% of global annual revenue for violations of prohibited practices, and up to 15 million euros or 3% for breaches of obligations around high-risk systems. For SMEs and start-ups, the lower of the two applies.

Does this apply to my business?

Most SMEs do not deploy AI as a high-risk system, but the classification is more subtle than often assumed. A few examples where you need to be alert. Do you use AI to filter CVs or score job applicants? That falls under high-risk. Do you assess creditworthiness with an AI model, even indirectly via a SaaS tool? Same. Do you use AI to monitor employee behaviour or performance? Also high-risk.

For the broader use of AI, such as Copilot for productivity, chatbots for customer service, or content generation, a lighter transparency obligation applies. You must make clear to users that they are interacting with AI and that AI-generated content is recognisable as such. For deepfakes and manipulated media, a specific labelling obligation applies.

What is the AI literacy obligation?

An often-overlooked obligation, in force since February 2025, concerns AI literacy. Employers deploying AI must ensure that employees working with AI have sufficient knowledge and skills to use the systems responsibly. From August 2026 onwards, enforcement of this obligation tightens.

Concretely this means you must be able to demonstrate internal training, policy, or an awareness programme. For an SME, this does not need to be a formal certification track, but something must exist: a document, a session, an instruction. Anyone deploying AI without any underlying preparation runs a risk if an incident occurs or an inspection takes place.

Which steps do you take now?

Five concrete actions every SME should carry out in the next three months. First, inventory which AI systems are in use within your organisation. Think more broadly than you currently do: Copilot in Microsoft 365, translation tools, recruitment platforms, marketing AI, content generation, customer-service bots. Make a list.

Second, classify each system. Is it prohibited, high-risk, transparency-bound, or low-risk? The European Commission has published a classification tool that helps. For most SME tools, you end up at low-risk with transparency obligation.

Third, draft an AI policy. This does not need to be elaborate, but should describe which AI tools are approved, what rules apply to entering company data, who is responsible for oversight, and how employees report incidents.

Fourth, organise AI literacy. A short internal training, an online course, or a session provided by your IT partner suffices in most cases. Document that employees have completed the training.

Fifth, build a dependency register. Which suppliers provide AI functionality to you? Which contractual agreements exist around compliance? For high-risk systems, the provider bears primary responsibility, but as a user you are co-responsible for correct deployment.

What if I do nothing?

The risk is twofold. Directly financial via fines, but for most SMEs the indirect risk is greater: reputational damage, contractual liability towards customers who must themselves be compliant, and exclusion from tenders where AI compliance becomes a requirement. From the second half of 2026, we see this requirement increasingly appearing in procurement conditions of larger companies and government.

For most organisations, the AI Act is not a reason to deploy AI less, but to do so consciously and in a structured way. Want help drafting an AI policy, inventorying your systems, or rolling out AI literacy within your team? Contact Zarioh for a no-obligation conversation.

Z

Zarioh Digital Solutions

IT specialists from Utrecht, the Netherlands. We help businesses with Microsoft 365, AI agents, hosting and telephony — and share what we learn in practice. Follow us on LinkedIn

Related articles

← Back to all articles
Share