Who it affects
Almost any company that touches AI, from using ChatGPT at work to selling a product with AI inside. What changes is not whether it applies, but how much.
EU AI Act
A European law about how AI can be built and used, in force since August 2024 and phasing in through 2028. If you run a small business, your duties are almost certainly modest and manageable. Here is what it is, who it affects, and what to actually do.
What it is
A single EU-wide rule for how AI is built, sold and used. It sorts AI by how risky the use is, not by the technology, so most everyday tools carry light obligations or none.
Almost any company that touches AI, from using ChatGPT at work to selling a product with AI inside. What changes is not whether it applies, but how much.
Like GDPR: one EU-wide, risk-based law that also reaches companies outside the EU when they serve people inside it.
The four risk levels
The Act sorts AI into four levels. Most everyday tools sit in the bottom two.
A defined set of sensitive uses, such as AI that screens job applicants or scores creditworthiness. Real obligations apply, but they reach a small minority of businesses and are not due until December 2027 (pending official publication).
Screening job applicantsCredit scoringWhat you have to do
For most small businesses that simply use AI tools, this is a short, achievable list, not a compliance programme.
Where things stand
Updated July 2026
The AI Act enters into force
The regulation becomes EU law. The countdown to each set of duties starts here.
Banned AI practices and the AI literacy duty apply
A short list of AI uses is prohibited outright, and any organisation whose staff use AI at work must keep them basically literate in how it works and where it fails.
Rules for general-purpose AI models, plus governance and penalties, apply
Duties begin for the general-purpose models behind tools like ChatGPT, along with the EU bodies that oversee the Act and the framework for penalties.
Transparency duties apply (chatbots and AI-generated content)
People must be told when they are dealing with AI or looking at AI-generated content. Confirmed, and not delayed by the Digital Omnibus reform.
Stand-alone high-risk systems (the eight high-risk categories) apply
The core rules for high-risk AI, such as hiring or credit-scoring tools sold on their own, apply from this date. Moved from the original 2 August 2026 date by the reform, and pending official publication.
High-risk AI built into already-regulated products applies
High-risk AI embedded in products that already carry EU safety rules, like medical devices or machinery, applies from this date. Pending official publication.
The Digital Omnibus package delays only the high-risk dates (to December 2027 and August 2028). The August 2026 transparency duties do not move, whatever happens.
In context
Almost certainly, in some capacity. If your team uses AI tools at work, or you build or sell anything with AI in it, and you have customers or users in the EU, the Act applies. For most small businesses that only use AI tools, the duties are light. The Exposure Check tells you exactly which ones apply to you.
The duties that are already live, like AI literacy, are real legal obligations even though no fines have been issued for them so far. The bigger near-term item for most SMEs is the transparency duties from August 2026, and for a few, the high-risk rules later. Doing a little now, like a short internal AI-use note, is far cheaper than catching up under pressure.
The shape is similar: one EU-wide, risk-based law that also reaches companies outside the EU serving people inside it. But the AI Act is about how AI systems are built and used, not about personal data as such, and its duties scale with how risky the use is.
It can. The Act reaches you if you place an AI system on the EU market, or if the output of your AI is used by people in the EU, wherever your company is based. A UK or US company with EU customers is often in scope. If you have no EU link at all, treat this as good practice rather than a legal duty.
For a small business that simply uses AI tools, the core steps are a matter of hours: write a short internal AI-use note and check that any customer-facing AI is clearly labelled. Building high-risk AI is a bigger project, but that affects very few SMEs. The Exposure Check gives you a realistic, personal list.
Let's talk
Tell us what you need and we'll say exactly how we can help. If it isn't a fit, we'll save you the time.
This page is general information, not legal advice. For an answer specific to your business, take the Exposure Check or book a call.