The EU AI Act for small businesses: the high-risk deadline moved to 2027, but your 2 August 2026 duties did not
On 7 May 2026 the EU agreed to push the AI Act's heavy high-risk rules out to 2027 and 2028. If you run a small business, the easy read is that there is nothing to do. That read is wrong. The high-risk rules were never the part that applied to you. The parts that do apply, labelling AI-generated content and telling people when they are talking to a bot, still land on 2 August 2026, and the AI literacy duty has applied since February 2025. Here is the 30-minute readiness check using the tools you already have.
Holding · reviewed 28 May 2026 · next +44d
On 7 May 2026 the EU agreed to push the AI Act’s heavy high-risk rules out to 2027 and 2028 (Council of the EU, 7 May 2026). If you run a small business, the easy read is that the AI Act got delayed and there is nothing to do. That read is wrong, and it is wrong in a way that could cost you on 2 August 2026.
The high-risk rules that moved were never the part that applied to you. You are a deployer, not a provider. The parts that apply to a deployer did not move.
Provider versus deployer, in one line
A provider builds an AI system and puts it on the market. A deployer uses one in its business. If your company uses ChatGPT, Claude, a bought-in chatbot, an AI image or video tool, or the AI features inside software you subscribe to, you are a deployer. Almost every small business is. The obligations that just got pushed to 2 December 2027 and 2 August 2028 are the heavy ones that fall on providers of high-risk systems. You were probably never inside them. The delay headline is about someone else’s deadline.
What you actually owe on 2 August 2026
The deployer duties live in Article 50, and they still apply from 2 August 2026. For a small business, three of them matter.
If you publish AI-generated or AI-edited image, audio, or video that could pass as real (a deepfake, a synthetic spokesperson, a heavily AI-altered photo), you have to disclose that it is artificially generated. If you run a chatbot or a voice agent that talks to customers, the people talking to it have to be told they are dealing with AI. If you use AI to generate published text on a matter of public interest, you disclose it unless a named person took editorial responsibility. The emotion-recognition and biometric duties exist too, but they rarely touch a small business.
None of these is heavy. All of them are the kind of thing a busy owner skips because the headline said the Act was delayed.
The duty you have already had for over a year
The Article 4 AI literacy duty has applied since 2 February 2025. It requires that the people operating AI on your behalf have a sufficient level of AI literacy. For a small team this is not a training budget. It is being able to show that the people using AI on customer work understand what the tools do, what they get wrong, and what not to feed them. A dated one-page note and a short team conversation is a proportionate way to evidence it. It is the cheapest duty to close and the one almost nobody has closed.
The small mid-cap relief is real but narrow
The Digital Omnibus introduced a small mid-cap category and reduced the administrative burden for smaller organisations, channelling compliance through frameworks that already exist to avoid double-regulation (Taylor Wessing analysis). For a micro-business the practical effect is lighter paperwork, not an exemption. The transparency duties and the literacy duty still apply. Treat the relief as easier edges on the heavier obligations, not as a pass on the near-term ones.
This Monday morning: the 30-minute check
The full version is in the how-to above. The short version is three ten-minute blocks.
Block one: list every place AI makes something a customer sees, and mark the ones that could pass as human-made or human-staffed.
Block two: turn on the disclosure for each: the I-am-an-AI setting on the chatbot, a visible note on synthetic media, a named editor on AI-written public-interest copy.
Block three: write the one-page AI literacy note, date it, walk the team through it once, and keep all of it in one folder.
That folder is the whole point. If a customer or a regulator ever asks how your business handles AI disclosure, you open the folder. If you never built it, the 7 May delay headline is the reason you will give, and it will not be a good one, because the delay was never about the duties you owed.
What this does not cover
If you use AI in hiring or another use that falls under the high-risk Annex III list, the timing and the obligations are different, and the delay does matter to you, but so do heavier duties; the SMB hiring and Annex III piece is the version for that case. If your concern is where client data and code physically sit, the solo-developer EU residency piece is the residency cut. For a non-EU comparison point, the Colorado AI Act operator brief covers the closest US-state analogue.
The enterprise version of this same reading, for in-house programmes with a high-risk inventory and an audit obligation, is at AM-184. The shape is the same at both scales: the heavy obligation moved, the everyday one did not.
OPS-080 · holding since 28 May 2026 · Sibling AM-184 · Register Reporting