Affiliate Disclosure: Some links on this page are affiliate links. If you purchase through them, we may earn a small commission — at no extra cost to you. These recommendations are independent and based on our own research.
The EU AI Act is no longer a distant threat sitting in the Official Journal. As of May 2026 it is a live regulation with binding deadlines, growing case law and a first wave of formal decisions from the European Commission and the national market surveillance authorities. For small and medium-sized businesses the question is no longer whether the rules apply, but which of them apply to which of your systems, and what proof you would produce if a letter from the Bundesnetzagentur landed on your desk tomorrow morning. This guide translates the regulation for operators with 10 to 250 employees who want a working answer rather than a law-firm memo.
EU AI Act 2026: why SMBs can no longer look away
For most of 2024 and 2025 the EU AI Act was treated by SMBs the same way GDPR was treated in 2016: a problem for next year, a problem for bigger firms, a problem that would soften once lobbying kicked in. None of that happened. The regulation entered into force on 1 August 2024, the first wave of duties became binding on 2 February 2025, and the second wave on 2 August 2025. In parallel the European AI Office in Brussels has staffed up to roughly 140 people, Germany designated the Bundesnetzagentur as lead market surveillance authority in late 2025, and the Länder data protection authorities have been granted explicit co-competence for AI systems that process personal data. The result is a dense regulatory net that no longer has obvious gaps for firms in the 10-to-250-employee range.
What has changed in the past six months is the tone. The first warning letters landed in January 2026, mostly targeting missing chatbot disclaimers and deepfake labelling in marketing. The first formal fines followed in March and May 2026 and confirmed that authorities are reading the regulation the way it was written: not as a framework for big tech, but as a compliance baseline for every operator of an AI system in the Union. The word operator matters here, because the regulation distinguishes between providers (those who develop and place a system on the market) and deployers (those who use it professionally). The vast majority of SMBs are deployers — and deployers carry meaningful duties, in particular around AI-literacy, transparency, human oversight and incident reporting. If you use ChatGPT Team, Claude for Work, Microsoft Copilot, Gemini in Workspace, or a customer-support bot from a European vendor, you are a deployer under Article 3(4).
The good news is that the regulation is proportional by design. The riskier your AI use case, the stricter the rules; the more routine the use case, the lighter the burden. Roughly eight out of ten SMB applications land in the lowest two risk tiers, where the duties are essentially documentation and transparency. Only a small minority of SMBs — those running automated HR screening, credit scoring, biometric access control, education assessment or certain critical-infrastructure systems — face the heavy high-risk regime that starts biting on 2 August 2026. For a fuller view of how AI sits inside an SMB operating model, the parent piece on AI for Small Businesses 2026 — 7 Use Cases with ROI pairs well with this legal guide.
The four risk classes at a glance: what applies to your SMB?
The AI Act uses a four-tier ladder that determines everything else: obligations, documentation depth, audits, fines. The classification is not abstract. Each of your AI systems must be mapped to exactly one class, and that mapping must be written down and kept current. The following table summarises the logic in the way that actually matters for a 50-person firm.
| Risk class | Typical SMB examples | Core duties | Documentation depth |
|---|---|---|---|
| Unacceptable (Art. 5) | Social scoring, emotion recognition at work, untargeted face-scraping | Full prohibition | Not applicable — do not deploy |
| High (Annex III) | Recruiting screening, credit scoring, exam grading, safety components | Risk management, data governance, human oversight, conformity assessment, EU database registration | Formal technical file (40–120 pages) |
| Limited (Art. 50) | Customer chatbots, AI-generated content, deepfakes, emotion or biometric categorisation | Transparency and disclosure to users | Short notice plus content log (2–5 pages) |
| Minimal | ChatGPT for drafting, DeepL for translation, GitHub Copilot, Jasper for marketing | No specific duties beyond general law | Tool register entry (one row) |
Two subtleties matter. First, the same physical tool can sit in different classes depending on how you use it. ChatGPT used by a marketer to draft newsletters is minimal risk; the same ChatGPT instance used via API to automatically score job applications is high risk. The system is classified by purpose, not by vendor. Second, a minimal-risk tool can jump into limited risk the moment you expose it to customers as a chatbot — because the transparency duty in Article 50 attaches to the interaction, not to the underlying model.
Unacceptable risk: which applications have been banned since February 2025
Article 5 of Regulation (EU) 2024/1689 lists eight categories of prohibited practices. The prohibitions have applied since 2 February 2025, and the first enforcement cases in 2026 confirm that the Commission reads the list expansively rather than narrowly. The categories most relevant to SMBs, because they can be stumbled into accidentally, are social scoring, emotion recognition in the workplace or in education, biometric categorisation based on sensitive traits, and manipulative techniques that exploit vulnerabilities.
Social scoring became the poster case for enforcement in March 2026 when a German municipality had to retire a pilot that aggregated behavioural data from welfare recipients into a single trust score. The provider, a mid-sized software firm with 80 employees, received a correction order and a €45,000 fine — well below the theoretical maximum, but enough to make the point. Emotion recognition at work is the category most SMBs are unaware of: if you deploy a call-centre analytics tool that flags agents for “stress” or “anger” based on voice patterns, you are very likely operating a prohibited system under Article 5(1)(f). The same applies to classroom or exam tools that infer student emotions.
“AI systems that infer emotions of a natural person in the areas of workplace and education institutions” are prohibited “except where the use of the AI system is intended to be put in place or into the market for medical or safety reasons.” — Article 5(1)(f) of Regulation (EU) 2024/1689.
The practical SMB checklist is short. Do you run a tool that scores employees, customers or citizens on a general trustworthiness dimension? Do you infer emotions from faces or voices at work or in education? Do you use biometric categorisation to classify people by race, political views, union membership, sexual orientation or religion? If yes to any of these, stop deploying and seek advice immediately. The remaining Article 5 categories, namely untargeted scraping of facial images, real-time remote biometric identification in publicly accessible spaces for law-enforcement purposes, predictive policing based solely on profiling, and manipulative subliminal techniques, are almost never relevant to SMBs, but if they are, the answer is the same.
High-risk systems: why HR, credit scoring and education are particularly affected
The high-risk category is where the AI Act has real teeth, and where most SMB compliance budgets will be spent in 2026 and 2027. Annex III lists eight domains, and three of them hit SMBs hard: employment and workforce management, access to essential private and public services (credit, insurance, social benefits), and education and vocational training. If your firm uses AI for CV screening, applicant ranking, performance review, creditworthiness scoring, exam grading or admission decisions, the system is an Annex III system today, and the high-risk obligations attached to it become enforceable on 2 August 2026.
What this means concretely is a new operating model. A high-risk system requires a risk management process maintained over the full lifecycle (Article 9), data governance with documented training, validation and testing data sets (Article 10), detailed technical documentation (Article 11 and Annex IV), automatic event logging (Article 12), transparent information for deployers (Article 13), human oversight measures (Article 14), appropriate accuracy, robustness and cybersecurity (Article 15), a quality management system (Article 17) and registration in the EU database (Article 49). Most of these duties fall on the provider, but deployers carry their own set under Article 26: ensuring human oversight is actually exercised, monitoring the system in operation, keeping the automatically generated logs for at least six months, and performing a fundamental rights impact assessment where required by Article 27.
For SMB HR use cases the interplay with works-council law matters as much as the AI Act itself. In Germany, any algorithmic assessment of employees triggers co-determination rights under §87(1) No. 6 of the Betriebsverfassungsgesetz, and the Federal Labour Court has confirmed in several 2025 decisions that an AI Act classification does not replace the works-council agreement. In practice that means two parallel documents: the AI Act technical file and a works-council agreement that governs the concrete deployment, error-correction routes and employee access to the logic. Our companion piece on AI in HR and recruiting for SMBs walks through that dual compliance in more depth.
Credit scoring is the second SMB pain point. Any AI system used to evaluate the creditworthiness of natural persons, or to establish their credit score, falls under Annex III Point 5(b). The carve-out written into that point for detecting financial fraud is narrow, and the general derogation in Article 6(3) for systems that do not pose a significant risk is no escape hatch either: it is expressly unavailable where the system profiles natural persons, which credit scoring does. For a mid-sized regional bank or a fintech partner to an SMB, the practical consequence is that every model used for loan decisions, whether developed in-house or provided by a vendor, needs a conformity assessment (for Annex III systems outside biometrics, the internal-control procedure of Annex VI, applying harmonised standards where they exist) plus registration in the EU database.
Limited risk: transparency duties for chatbots, deepfakes and AI content
Limited risk is where almost every customer-facing SMB lives. Article 50 requires that natural persons be informed when they are interacting with an AI system, unless that is obvious from the context. It requires deployers of emotion-recognition or biometric-categorisation systems to inform the people exposed. It requires providers of synthetic audio, image, video or text to mark the output in a machine-readable way. And it requires deployers of deepfakes to disclose that the content has been artificially generated or manipulated.
The transparency duty for chatbots is the single most frequent compliance gap in SMB environments. A one-line “I am an AI assistant — for binding answers a staff member will step in” is enough, but it has to be visible at the start of the interaction, not buried in a privacy policy. The German Bundesnetzagentur issued its first warning letters for missing chatbot disclaimers in January 2026, and the pattern was clear: firms that responded within 30 days with a corrected notice and a short documentation received a warning without fine; firms that argued jurisdictional technicalities received fines in the €5,000 to €20,000 range. The customer support rollout guide contains the concrete bot-config checklist.
Deepfake labelling is the second hot area. If your marketing team produces AI-generated images of products, people or scenes that a reasonable viewer might mistake for real photography, Article 50(4) requires a clear disclosure. Provenance metadata (C2PA) is the emerging industry standard, and the Commission’s May 2026 notice on a political-campaign provider explicitly named C2PA compatibility as a compliant path. For SMBs that means two parallel habits: machine-readable metadata in the file, and a visible “AI-generated” badge in the published output when the content could be mistaken for documentary.
Minimal risk: why 80% of SMB use cases land here
The minimal-risk class is the silent majority of SMB AI. It covers productivity AI that assists humans without making binding decisions about them: ChatGPT for drafting emails, Claude for long-document analysis, Gemini for meeting summaries, DeepL for translation, Copilot for code, Jasper for marketing copy, Notion AI for internal knowledge, Grammarly for editing. None of these trigger specific AI Act duties, provided they are used as assistants rather than as decision-makers.
“Minimal risk” does not mean “no obligations at all.” The general law still applies: GDPR for personal data, copyright law for training data and outputs, competition law for pricing AI, product liability for AI-enabled products, and sector law where relevant. The AI-literacy obligation in Article 4 also applies — regardless of risk class — to every operator who puts AI systems into service. So even for minimal-risk tools you need a tool register entry, a short staff briefing and a clear responsibility assignment. What you do not need is a technical file, a notified-body assessment, or EU database registration.
The practical mental model for an SMB is this: start from the assumption that every new AI tool is minimal risk until proven otherwise, then test the assumption against three questions. Does the tool make or materially support decisions about individuals (hiring, firing, grading, pricing, creditworthiness, access)? Does the tool interact directly with customers or citizens? Does the tool generate synthetic content that could be mistaken for real? If all three answers are no, the tool is minimal risk and a single row in the register is enough. If any answer is yes, the tool is at least limited risk and needs a transparency layer; if the first answer is yes in a regulated domain, you are in high-risk territory.
Key deadlines: what takes effect when (February 2025 to August 2027)
The AI Act is a phased regulation. The deadlines matter because each one triggers a concrete operational action. The following table is the one we recommend printing and pinning above the compliance officer’s desk.
| Date | Article | What applies | SMB action |
|---|---|---|---|
| 2024-08-01 | Entry into force | Regulation published in the OJ | No immediate action |
| 2025-02-02 | Art. 5, Art. 4 | Prohibited practices; AI-literacy obligation | Retire prohibited systems; run documented briefing |
| 2025-08-02 | Chapter V | General-purpose AI model obligations | Check vendor documentation; record GPAI use |
| 2026-02-02 | Art. 6(5) | Commission guidelines on the practical classification of high-risk systems due | Re-run the Annex III triage against that guidance; note the contact at Bundesnetzagentur |
| 2026-08-02 | Annex III | High-risk systems obligations fully enforceable | Finish technical files; register in EU database |
| 2027-08-02 | Art. 6(1), Annex I | High-risk AI that is a safety component of a product already covered by EU harmonisation law | Align with the sector-specific conformity route |
The 2 August 2026 deadline is the one that matters most for SMBs in regulated workflows. From that date the Annex III obligations apply to every high-risk system newly placed on the market or put into service. The transitional rule in Article 111(2) spares high-risk systems that were already on the market before 2 August 2026 unless their design is significantly changed afterwards, with a hard backstop of 2 August 2030 for systems used by public authorities. For an SMB that grandfathering is fragile: most of the tools in question are cloud services whose models and intended purposes change with every vendor release, and whether a given release counts as a significant change is a question you would have to answer, and document, each time. Treat the August 2026 date as the real deadline.
General-purpose AI models: what obligations apply to ChatGPT, Claude, Gemini users?
Since 2 August 2025, Chapter V of the AI Act governs general-purpose AI (GPAI) models — the large foundation models from OpenAI, Anthropic, Google, Mistral, Meta and others. The key point for SMBs is that most of the duties fall on the providers, not on the users. OpenAI, Anthropic and Google must publish a summary of training data, respect EU copyright law, provide technical documentation to downstream deployers, and — for models above the 10^25 FLOPs systemic-risk threshold — perform model evaluations, adversarial testing and incident reporting.
As an SMB deployer, your GPAI duties are indirect but real. You need to know which foundation models sit behind the tools you use, and you need to document that you rely on provider documentation for the model layer. If you fine-tune a GPAI model on your own data, for example a custom GPT with company documents or a fine-tuned Claude for legal drafting, you may become a provider yourself: Article 25 shifts provider obligations onto anyone who substantially modifies a high-risk AI system, and a substantially modified GPAI model acquires a new provider who carries a share of the Chapter V duties. The threshold in practice is whether you substantially modify the model or merely configure it; retrieval-augmented generation and prompt engineering generally stay on the deployer side, while genuine fine-tuning on proprietary data often crosses the line.
The other GPAI-adjacent duty is output management. Any synthetic content generated by a GPAI system must be machine-readable as such, under Article 50(2). In practice that means the tools you use should embed provenance metadata (C2PA is the de facto standard), and your own output pipelines should not strip that metadata before publication. The Commission has signalled that starting in late 2026 it will audit GPAI providers on metadata compliance, which will cascade down to deployer tools over the following year.
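The "do not strip the metadata before publication" rule above, and the deepfake-labelling point in the limited-risk section, are easiest to enforce as a gate in the publishing pipeline. The following is an added example, not code from the page or from any vendor. It assumes, following the C2PA specification for JPEG, that the manifest store travels in APP11 marker segments wrapped as JPEG XT "JP" boxes whose outer box type is "jumb" and whose description label is "c2pa"; the function names, the naive "optimise for web" step and the sample JPEG skeleton are constructed for this example. It detects presence only and does not validate the manifest's signature; use the C2PA reference tooling for that.

```python
"""Pre-publish guard: refuse to ship a JPEG whose C2PA manifest has been stripped.

Added example, not from the page. Assumes (per the C2PA specification for JPEG 1)
that the manifest store is carried in APP11 marker segments wrapped in JPEG XT
"JP" boxes whose outer box type is "jumb" and whose description label is "c2pa".
Presence check only; it does not validate the manifest signature.
"""
import struct

SOI, EOI, SOS, APP0, APP11 = 0xD8, 0xD9, 0xDA, 0xE0, 0xEB


def iter_segments(data: bytes):
    """Yield (marker, payload, start, end) for each length-prefixed header segment."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (EOI, SOS):                       # header section is over
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # counts the 2 length bytes
        end = pos + 2 + length
        yield marker, data[pos + 4:end], pos, end
        pos = end


def has_c2pa_manifest(data: bytes) -> bool:
    """True if an APP11 segment carries a JUMBF superbox labelled c2pa."""
    for marker, payload, _, _ in iter_segments(data):
        if marker != APP11 or payload[:2] != b"JP":
            continue
        box = payload[8:]   # skip "JP", box instance (2 bytes), packet sequence (4 bytes)
        # A manifest split over several packets still puts the box header in packet 1.
        if box[4:8] == b"jumb" and b"c2pa" in box:
            return True
    return False


def strip_app_segments(data: bytes) -> bytes:
    """What a naive 'optimise for web' step does: drop every APP1..APP15 segment."""
    out, end = [data[:2]], 2
    for marker, _, start, seg_end in iter_segments(data):
        end = seg_end
        if 0xE1 <= marker <= 0xEF:
            continue
        out.append(data[start:seg_end])
    out.append(data[end:])   # scan data and EOI pass through untouched
    return b"".join(out)


def publish_guard(data: bytes) -> bytes:
    """Pipeline gate: raise rather than ship synthetic media without provenance."""
    if not has_c2pa_manifest(data):
        raise RuntimeError("C2PA manifest missing: re-embed provenance before publishing")
    return data


# --- constructed sample input: a JPEG header skeleton, not a decodable image ---
def _box(btype: bytes, content: bytes) -> bytes:
    return struct.pack(">I", 8 + len(content)) + btype + content


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg(with_manifest: bool) -> bytes:
    jfif = _segment(APP0, b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00")
    parts = [bytes([0xFF, SOI]), jfif]
    if with_manifest:
        # description box: 16-byte type UUID, toggles byte, NUL-terminated label
        jumd = _box(b"jumd", b"\x00" * 16 + b"\x03" + b"c2pa\x00")
        header = b"JP" + b"\x00\x01" + b"\x00\x00\x00\x01"   # box instance 1, packet 1
        parts.append(_segment(APP11, header + _box(b"jumb", jumd)))
    parts.append(bytes([0xFF, EOI]))
    return b"".join(parts)


if __name__ == "__main__":
    original = build_sample_jpeg(with_manifest=True)
    print("original carries manifest:", has_c2pa_manifest(original))
    optimised = strip_app_segments(original)
    print("after naive optimisation:", has_c2pa_manifest(optimised))
    try:
        publish_guard(optimised)
    except RuntimeError as exc:
        print("blocked:", exc)
```

Run the guard as the last step before upload, after every resize, recompress or CMS import, since those are the steps that silently drop APPn segments. The visible "AI-generated" badge the page asks for is a separate check: metadata satisfies the machine-readable side of Article 50, the caption satisfies the human side.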
Penalties in practice: first EU Commission decisions in May 2026
The statutory maximum penalties under Article 99 of the AI Act are high enough to be quotable. For prohibited practices the ceiling is €35 million or 7% of worldwide annual turnover, whichever is higher. For breaches of the high-risk regime and the GPAI transparency obligations the ceiling is €15 million or 3%. For supplying incorrect, incomplete or misleading information to the authorities the ceiling is €7.5 million or 1.5%. The table captures the three tiers together with the SMB-specific cap introduced by Article 99(6).
| Breach category | Statutory maximum | SMB cap (Art. 99(6)) | Typical first-offence 2026 |
|---|---|---|---|
| Prohibited practices (Art. 5) | €35m or 7% turnover | Lower of the two | €20,000–€80,000 |
| High-risk, GPAI, transparency | €15m or 3% turnover | Lower of the two | €5,000–€30,000 |
| Incorrect information to authorities | €7.5m or 1.5% turnover | Lower of the two | €2,500–€10,000 |
The May 2026 enforcement wave confirmed a pattern that matches GDPR practice from 2018 and 2019. The first wave targets clear-cut breaches, low-hanging compliance gaps, and political or symbolic cases. Firms that cooperate, show a documentation package, and correct the issue within the statutory deadline receive either a warning or a fine at the bottom of the range. Firms that contest basic facts or cannot produce any documentation receive fines at the middle of the range plus a correction order. Multi-million fines remain reserved for intentional breaches, repeat offenders and systemic failures at large providers.
For SMBs the financial exposure is therefore more limited than the headlines suggest, but the operational cost of a penalty procedure is significant. A mid-range fine of €15,000 typically pulls 60 to 120 hours of management time, 20 to 40 hours of external counsel and an unquantifiable reputational hit. The right strategy is to avoid the procedure in the first place by having a coherent documentation package ready.
SMB compliance checklist: the 8 steps for a 50-person company
A 50-person SMB with a mixed AI portfolio — say, ChatGPT Team, Copilot, a customer chatbot, an email triage model and a CV-screening add-on in the HR system — can reach defensible compliance in roughly 40 to 60 hours of work spread across a quarter. The following eight steps are the operational sequence we recommend.
Step one is the tool register. Create a single spreadsheet with one row per AI system and columns for name, vendor, purpose, risk class, data categories, responsible person, classification date and review date. Populate it in an afternoon by walking through the subscription invoices and interviewing team leads. Step two is the AI-literacy briefing under Article 4: a 60 to 90 minute session that covers what AI is, which tools are approved, where the boundaries sit (no personal data without a DPA, no confidential contracts into public models) and who to ask when unsure. Keep the attendance list, the slides and a signed acknowledgement from each participant for at least five years.
Step three is the transparency review. Every customer-facing AI system needs a visible disclosure that the user is interacting with AI, plus a deepfake label on any AI-generated image or video that could be mistaken for documentary. Step four is the data protection alignment. For each AI system, check whether it processes personal data, whether a data processing agreement (DPA) is in place, whether EU data residency applies, and whether a DPIA is needed under GDPR Article 35. Step five is the human oversight design. For each AI system that materially influences a decision about a person, name the human who reviews the output, document the override process and log the overrides.
Step six is the high-risk triage. Walk through the tool register and flag any system that could fall under Annex III. For each flagged system, either plan a full Annex III compliance package before 2 August 2026, or retire the system, or reconfigure it so that the human decision remains genuinely in control and the AI is advisory only. Step seven is the incident playbook. Write a one-page procedure for what happens if an AI system malfunctions, produces a harmful output, or becomes the subject of a supervisory inquiry; nominate an incident owner and a deputy. Step eight is the annual review. Put a calendar entry for the same week every year — ideally early January — to refresh the register, repeat the AI-literacy briefing and re-check the high-risk triage.
A realistic cost band for a 50-person SMB doing this without a dedicated compliance officer is between €3,500 and €12,000 in year one. The lower end assumes in-house execution with light legal review; the upper end assumes a boutique AI compliance firm running the setup as a package. Ongoing cost from year two sits between €1,500 and €4,000 per year in external support plus roughly two hours a month of internal upkeep. These numbers are consistent with the figures reported by the Bitkom SMB panel in February 2026 and with the cost observations from the first Bundesnetzagentur sandbox cohort.
Documentation duties and the interplay with GDPR
The AI Act does not replace the GDPR; it adds a second compliance layer on top. For any AI system that processes personal data — which is most of them — you operate under both regimes simultaneously. The mapping matters because the two regulations use different vocabularies for overlapping concepts. A “data controller” under GDPR Article 4(7) is often but not always the “deployer” under AI Act Article 3(4). A “data processor” under GDPR is often but not always the “provider” under the AI Act. Keep the two sets of roles explicitly documented for each system.
The most important interlock sits between GDPR Article 22 (automated individual decisions) and the AI Act high-risk regime. Article 22 already prohibits fully automated decisions with legal or similarly significant effects on the data subject, unless one of three exceptions applies (contract necessity, explicit consent, or EU/Member State law with safeguards). Most SMB high-risk AI deployments — HR screening, credit scoring, insurance pricing — are subject to Article 22 in addition to Annex III. The practical consequence is that you need a genuine human-in-the-loop for any decision above the “similarly significant” threshold, and you need a procedure by which the data subject can contest the decision and receive a human review. A pure AI Act conformity assessment does not satisfy GDPR Article 22; the two must be designed together.
A minimal documentation template that works for both regimes, for a limited-risk system, looks like this:
AI system: Company Support Bot v2.3
Vendor: Tidio GmbH (EU data residency)
Purpose: First-level customer support, out-of-hours triage
Risk class (AI Act): Limited (Art. 50(1))
Personal data: Chat messages, email addresses
Lawful basis (GDPR Art. 6): 6(1)(b) contract performance
DPA: Signed 2025-06-12, reviewed 2026-01-15
Transparency notice: "I am an AI assistant — staff takes over for binding issues."
Human oversight: Escalation to human agent on keyword list and sentiment threshold
Incident owner: Anna Schulz (Head of Support)
Log retention: 6 months (voluntarily mirrors the Art. 26(6) deployer baseline for high-risk systems) / 12 months (billing disputes)
Review date: 2026-07-01
For a high-risk system the template expands into the 40 to 120 pages of a technical file and mirrors Annex IV. For a minimal-risk system it can shrink to a single row in the tool register. The point is that the same information architecture scales across all risk classes, and that compliance fatigue is minimised by reusing categories across GDPR, AI Act and sector law.
In Germany, the works-council dimension adds a third layer for any HR-adjacent AI. The §87(1) No. 6 co-determination right applies to every technical system suitable for monitoring employee behaviour or performance, and the Federal Labour Court has extended this to AI systems that process employee data in meaningful ways. A works-council agreement is therefore not optional; it is the operational vehicle that turns AI Act compliance into something the workforce can live with. Running the works-council consultation in parallel with the AI Act classification — rather than sequentially — saves three to six months in most SMB deployments.
Case study: a machine-builder implements the transparency duty
A specialty machine-builder in southern Germany, 110 employees, €28 million turnover, runs a customer portal where business clients can configure machines, request quotes and submit service tickets. In late 2025 the firm added a chatbot based on a European vendor’s Claude-powered offering to handle first-level service requests. By March 2026 the chatbot was answering roughly 40% of incoming tickets without human intervention and shaving four hours a day off the service team’s load. Then the compliance officer read the AI Act Article 50 disclosure requirement and flagged three gaps.
The first gap was the disclaimer. The welcome message read “Welcome to our service portal — how can I help you today?” with no indication that the respondent was an AI. The fix was a one-line change to “Welcome to our service portal. You are chatting with our AI assistant — for binding quotes or warranty questions our service team will step in.” Deployment took 20 minutes. The second gap was the deepfake-adjacent scenario: the chatbot occasionally sent AI-generated diagrams to illustrate machine parts, and these were not marked as synthetic. The fix was a provenance-metadata plug-in from the vendor plus a visible “AI-generated illustration” caption under each image. Deployment took two hours.
The third gap was the documentation. The firm had no tool register, no AI-literacy briefing record and no DPA check for the chatbot vendor. Closing this gap took the bulk of the effort: 14 hours for the register and classification of all eight AI systems in use, three hours for a recorded AI-literacy briefing for the 22 customer-facing staff, and six hours for the DPA and DPIA review with external counsel. Total project cost: 28 hours of internal time plus €2,400 of external legal review. The firm passed a spot check from the regional data protection authority in May 2026 without findings, and the compliance officer now spends roughly 90 minutes a month on register upkeep and incident review.
The lesson from this case is that AI Act compliance for a limited-risk SMB deployment is a finite project, not a continuous burden. The bulk of the work sits in the initial classification and documentation; steady-state upkeep is modest. The firms that struggle are those that let the backlog accumulate across multiple tools for multiple years; the firms that do well are those that do one clean pass and then keep it current as each new tool is onboarded.
Verdict and decision flowchart
The EU AI Act is not a reason to stop using AI, and it is not a reason to panic. It is a proportional regulation that asks SMBs to do what good operators already do: know which systems are running, know what they do, know who is responsible, and be honest with the people affected. For eight out of ten SMB use cases the total compliance burden is a tool register, a documented AI-literacy briefing, a chatbot disclaimer and a yearly review — forty hours of one-off work and two hours a month of upkeep. For the remaining two out of ten, where HR screening, credit scoring, education assessment or safety components are involved, the burden is materially higher and the 2 August 2026 deadline is real.
The decision path for a new AI tool can be compressed into five questions asked in order. Does the tool fall under any Article 5 prohibition? If yes, do not deploy. Does the tool fall under Annex III high-risk? If yes, plan a full compliance package before deployment or before 2 August 2026, whichever is earlier. Does the tool interact directly with customers or generate synthetic content? If yes, add the transparency layer and document it. Does the tool process personal data? If yes, run the GDPR checks in parallel (lawful basis, DPA, DPIA, Article 22 if automated decisions are involved). If none of the above, add a row to the register and move on.
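The five-question path above and the three-question test in the minimal-risk section are the same decision procedure, and the tool register in the checklist is its output. Here is that procedure written out as a script, as an added example that is neither the page's own nor any regulator's tooling. The field names, the Annex III domain labels, the duty strings and the sample portfolio (including the hypothetical "agent mood analytics" vendor) are this example's own shorthand for a register, not statutory wording; the precedence order (Article 5, then Annex III, then the transparency layer, then minimal) and the GDPR interlocks follow the page.

```python
"""Risk-class triage for an SMB AI tool register.

Added example, not from the page. Encodes the page's decision order: Article 5
prohibitions first, then Annex III high-risk, then the transparency layer, then
minimal risk. Field names, domain labels and duty strings are this example's own
register shorthand, not statutory wording.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class RiskClass(Enum):
    UNACCEPTABLE = "unacceptable (Art. 5)"
    HIGH = "high (Annex III)"
    LIMITED = "limited (Art. 50)"
    MINIMAL = "minimal"


# The eight Annex III domains, in this register's own labels.
ANNEX_III_DOMAINS = frozenset({
    "biometrics", "critical_infrastructure", "education", "employment",
    "essential_services", "law_enforcement", "migration", "justice",
})
HIGH_RISK_DEADLINE = date(2026, 8, 2)


@dataclass(frozen=True)
class AISystem:
    name: str
    vendor: str
    purpose: str
    domain: str = ""                        # Annex III domain label, if any
    decides_about_people: bool = False      # makes or materially supports decisions on individuals
    customer_facing: bool = False           # natural persons interact with it directly
    synthetic_output: bool = False          # produces content that could pass as real
    processes_personal_data: bool = False
    # Article 5 practices an SMB can stumble into
    social_scoring: bool = False
    emotion_inference_at_work_or_school: bool = False
    sensitive_biometric_categorisation: bool = False


def classify(s: AISystem) -> RiskClass:
    """Exactly one class per system; earlier rules win, and purpose, not vendor, decides."""
    if s.social_scoring or s.emotion_inference_at_work_or_school or s.sensitive_biometric_categorisation:
        return RiskClass.UNACCEPTABLE
    if s.decides_about_people and s.domain in ANNEX_III_DOMAINS:
        return RiskClass.HIGH
    # The page's conservative rule: any "yes" to the three triage questions is at least limited.
    if s.customer_facing or s.synthetic_output or s.decides_about_people:
        return RiskClass.LIMITED
    return RiskClass.MINIMAL


def duties(s: AISystem) -> list[str]:
    """Cumulative duty list: AI Act by class, plus the GDPR interlocks the page describes."""
    cls = classify(s)
    if cls is RiskClass.UNACCEPTABLE:
        return ["STOP: prohibited practice, do not deploy, seek advice"]
    out = ["tool register entry", "Art. 4 AI-literacy briefing on record"]
    if s.customer_facing:
        out.append("Art. 50(1) disclosure at the start of the interaction")
    if s.synthetic_output:
        out.append("Art. 50 label plus machine-readable provenance on synthetic output")
    if s.decides_about_people:
        out.append("named human reviewer, documented override route, override log")
    if cls is RiskClass.HIGH:
        out += [
            "Art. 26 deployer duties: oversight exercised, operation monitored, logs kept >= 6 months",
            "Art. 27 fundamental rights impact assessment where required",
            f"Annex III package, or retire/reconfigure, before {HIGH_RISK_DEADLINE.isoformat()}",
        ]
    if s.processes_personal_data:
        out.append("GDPR: lawful basis, DPA, DPIA check")
        if s.decides_about_people:
            out.append("GDPR Art. 22: human review and contest route for significant decisions")
    return out


def register_row(s: AISystem, owner: str, classified_on: date) -> dict:
    """One row of the tool register; the review falls due a year after classification."""
    return {
        "name": s.name, "vendor": s.vendor, "purpose": s.purpose,
        "risk_class": classify(s).value, "owner": owner,
        "classified": classified_on.isoformat(),
        "review_due": (classified_on + timedelta(days=365)).isoformat(),
        "duties": "; ".join(duties(s)),
    }


# Constructed sample portfolio, including the page's "same tool, different purpose" case.
PORTFOLIO = [
    AISystem("ChatGPT Team", "OpenAI", "newsletter drafting"),
    AISystem("ChatGPT API", "OpenAI", "auto-score job applications",
             domain="employment", decides_about_people=True, processes_personal_data=True),
    AISystem("Support Bot v2.3", "Tidio GmbH", "first-level support",
             customer_facing=True, processes_personal_data=True),
    AISystem("Agent mood analytics", "hypothetical vendor", "flag stressed call-centre agents",
             emotion_inference_at_work_or_school=True, processes_personal_data=True),
]

if __name__ == "__main__":
    for system in PORTFOLIO:
        row = register_row(system, owner="Anna Schulz", classified_on=date(2026, 5, 1))
        print(f"{row['name']:<22} {row['risk_class']:<24} review {row['review_due']}")
        for d in duties(system):
            print("   -", d)
```

The value of scripting this is not the lookup but the discipline: the flags have to be answered per deployment, so the same ChatGPT subscription gets two rows with two classes, and the annual review becomes a diff of this output rather than a fresh debate.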
The biggest mistake SMBs make in 2026 is not over-compliance; it is postponement. The firms that started their classification work in summer 2025 are cruising through 2026 with mid-four-figure annual budgets and clean audit trails. The firms that are starting now, three months before the high-risk deadline, are paying rush rates to external counsel and still risking a warning letter. If your firm has not yet built the tool register, the single highest-leverage action this week is to open a spreadsheet, list every AI tool the company pays for, assign a responsible person to each, and schedule a 90-minute AI-literacy briefing for the calendar month. Everything else follows from there.
Sources and further reading
Statutory citations and classifications rely on primary sources: the consolidated EU AI Act text (Regulation 2024/1689), the European Commission’s official AI Act page for enforcement timelines, and the Bundesnetzagentur’s AI market-surveillance page for German implementation guidance.
For SMB use-case context this guide pairs with the hub AI for Small Businesses 2026 — 7 Use Cases with Concrete ROI. For the HR high-risk deep-dive: AI HR & recruiting for SMBs. For the marketing-content angle (EEAT and transparency labelling): AI marketing content workflows.
Update note (as of 13.04.2026)
This compliance guide is reconciled every 4–6 weeks with new EU Commission enforcement decisions, Bundesnetzagentur warning letters and Annex III implementation guidance. Particular attention goes to the 2 August 2026 high-risk deadline and the first wave of regulatory sandboxes in Germany and France. Next review: late May 2026.
Frequently Asked Questions
Is the EU AI Act already fully in force in 2026?
Yes for the key categories. The regulation entered into force on 1 August 2024. Since 2 February 2025 the prohibited practices (social scoring and the rest of Article 5) are banned and the AI-literacy obligation applies to operators; since 2 August 2025 the general-purpose AI rules apply. The high-risk duties under Annex III apply from 2 August 2026, so by the end of 2026 every tier is live for SMBs.
Which risk classes does the AI Act define?
Four classes: (1) unacceptable risk = prohibited. (2) High risk = strong documentation and audit duties. (3) Limited risk = transparency obligation (user must know it's AI). (4) Minimal risk = no specific duties.
What concretely counts as high-risk AI?
Annex III lists domains: biometric identification, critical infrastructure, education (admission, exam scoring), labor market (recruiting screening, performance review), essential services (credit, insurance), law enforcement, asylum/migration, administration of justice.
Does ChatGPT Plus or a marketing chatbot count as high-risk?
Normally no. Content generation, customer support, translation, productivity assistance are minimal or limited risk. Only if your chatbot makes binding decisions (e.g. grants credit) does it become high-risk.
What does 'AI literacy obligation' mean for me as an SMB?
Since February 2025: every company using AI must ensure users have sufficient AI literacy. That means: internal training, documentation of deployed tools, clarified responsibilities. No certificate required, but must be demonstrable.
How high are penalties under the EU AI Act in 2026?
Up to €35m or 7% of global annual turnover (whichever is higher) for prohibited practices. For high-risk breaches: up to €15m or 3%. For false information to supervisory authorities: up to €7.5m or 1.5%. For SMBs, including start-ups, the lower of the two amounts in each tier is the ceiling (Art. 99(6)).
Do I have to document every AI use?
Yes — at least an AI-usage catalog: which tools, which purpose, which data processing, who's responsible. Minimal and limited risk: a simple table suffices. For high risk: formal risk management system plus conformity assessment.
Are there SMB concessions in the AI Act?
Yes: reduced penalty ceilings for SMBs (the lower of the two amounts in each tier), priority access to regulatory sandboxes (Art. 62), a simplified technical-documentation form for small firms (Art. 11(1)), and dedicated guidance channels at the supervisory authorities. SMB definition (Recommendation 2003/361/EC): fewer than 250 employees and either annual turnover of at most €50m or a balance-sheet total of at most €43m.