For an SMB, the EU AI Act has stopped being a Brussels debate and turned into a calendar with specific deadlines. Regulation (EU) 2024/1689 entered into force on 1 August 2024 and is being phased in. The milestone that matters most to the average company arrives on 2 August 2026: from that date, the bulk of the obligations for systems classified as “high-risk” become enforceable.
The good news is that not every automation you have running falls under the regulation — far from it. The bad news is that some common ones, like a CV-screening filter or a customer credit-scoring system, are squarely inside it. This article is a pragmatic, jargon-free guide so you can understand which automations in your business are affected and what to do before the summer of 2026.
We’re writing this from the trenches: we deploy AI automations for small and mid-sized companies in Spain and review real cases through this lens every week. What follows is what a CEO, an operations manager or an IT lead needs to know — not a legal team.
The 4 risk categories of the EU AI Act explained for SMBs
The regulation classifies AI systems by their impact on fundamental rights and safety. Each tier triggers very different obligations:
- Unacceptable risk (banned). Practices forbidden in the EU since 2 February 2025: social scoring, manipulative or subliminal techniques that distort people’s behaviour, real-time remote biometric identification in public spaces for law enforcement (with narrow exceptions), predicting criminal behaviour based solely on profiling, untargeted scraping of facial images, and emotion recognition in the workplace or in education. SMBs rarely cross paths with most of these; the workplace emotion-recognition ban is the one to watch, because some HR and call-centre tools offer exactly that feature.
- High risk. The core of the regulation. It covers systems used in employment, education, access to essential services, credit, insurance, justice and critical infrastructure (Annex III), plus AI that is a safety component of regulated products (Annex I). This is the tier most SMBs underestimate and where they get it wrong.
- Limited risk (transparency obligations). Chatbots, deepfakes, AI-generated content. Main duty: tell the user they are interacting with an AI, or that the content is AI-generated.
- Minimal risk. In our experience, 80-90% of typical business automations: invoice OCR, product recommenders, spam filters, predictive maintenance. No new obligations beyond the general AI-literacy duty and voluntary codes of conduct.
Where common SMB automations fall
To make the categories concrete, here’s what we see in real projects:
- Automated CV screening and candidate ranking: high risk (Annex III, point 4: employment). If your ATS scores, sorts or filters applications with AI, you are a deployer of a high-risk system. Putting a human reviewer after the ranking does not change the tier; human oversight is one of the obligations that comes with it.
- Credit scoring or payment-default scoring of natural persons, and risk assessment or pricing for life and health insurance: high risk (Annex III, point 5). It applies even if you only use it internally to set a customer’s payment terms, as long as the customer is a natural person (a consumer or a sole trader). Scoring a company, not a person, for B2B credit limits falls outside point 5, and systems used purely to detect financial fraud are explicitly excluded.
- AI-based evaluation of employees (performance monitoring, promotion, task allocation, termination decisions): high risk (Annex III, point 4).
- Customer-service chatbot on your website or WhatsApp: limited risk. You must disclose that it is an AI, unless that is already obvious to a reasonably informed user.
- AI assistant that drafts email replies which a human reviews before sending: minimal risk. No new obligations.
- Invoice OCR feeding your ERP, bank reconciliation, expense classification: minimal risk.
- E-commerce recommenders, predictive maintenance, anomaly detection: minimal risk.
- AI-generated images, audio or video published as if they were real (deepfakes), and AI-written text published on matters of public interest: limited risk. You must disclose that the content is AI-generated; for text, the duty lapses when a human has reviewed it and someone takes editorial responsibility for the publication.
A useful mental shortcut: if the AI’s output decides something about a person (hiring them, lending them money, evaluating them, monitoring them), prepare for high risk. If the output is administrative data a human uses to work faster, it’s almost always minimal risk. Two caveats: the tier is set by the system’s intended purpose, not by whether a human clicks “approve” afterwards; and Article 6(3) exempts systems in an Annex III area that only perform a narrow procedural or preparatory task (for example, extracting fields from a CV into your HR database without scoring anyone), provided that assessment is documented.
What you actually have to do if you operate a high-risk system
It matters whether you’re a provider (you build the system, or sell it under your name) or a deployer (you use it inside your company). Most SMBs are deployers of third-party tools, and their obligations are lighter but still real. Be careful with the boundary: if you build a high-risk system yourself (a CV-ranking flow in n8n, an in-house scoring model), put your own name on a vendor’s tool, or repurpose a tool for a high-risk use it wasn’t intended for, you become the provider and carry the full set of obligations, including risk management, data governance, technical documentation, conformity assessment and CE marking. As a deployer you must:
- Use the system according to the provider’s instructions for use and monitor its operation.
- Assign effective human oversight: named people with the competence, training and real authority to override or shut down the system.
- Make sure input data is relevant and sufficiently representative for the intended use case, to the extent you control that data.
- Inform workers and their representatives before putting a high-risk system into service in the workplace.
- Tell the people affected (candidates, borrowers, employees) that a high-risk AI system is being used to make or assist a decision about them, on top of what the GDPR already requires for automated decisions.
- Report serious incidents to the provider and to the national market surveillance authority; if you have reason to believe the system presents a risk, inform both and suspend its use.
- Run a fundamental-rights impact assessment when applicable (required for public bodies and for deployers of credit-scoring and life/health-insurance systems, so typical for banking, insurance and the public sector).
- Keep the logs the system generates for at least six months, unless other law requires longer.
Maximum penalties reach €35M or 7% of worldwide annual turnover for prohibited practices, €15M or 3% for most other breaches (including the high-risk obligations above), and €7.5M or 1% for supplying incorrect information to authorities. For SMEs and start-ups the lower of the two figures applies, but the regime is serious.
Key dates 2025-2027
- 2 February 2025: the prohibited practices and the “AI literacy” duty for staff who operate AI systems became enforceable.
- 2 August 2025: obligations for general-purpose AI models (GPAI), the governance provisions (designation of national competent authorities, the supervisory role of the European AI Office) and the penalties regime apply.
- 2 August 2026: general application. This is when obligations for high-risk Annex III systems (employment, credit, education, essential services, etc.) kick in.
- 2 August 2027: obligations for high-risk systems embedded in regulated products (Annex I: machinery, medical devices, toys, lifts and so on).
Compliance checklist for an SMB
- Inventory. List every system or automation that uses AI, including Microsoft Copilot, ChatGPT embedded in other tools, SaaS products with AI features, and in-house projects built with n8n or RPA. Record for each one whether you are the deployer or the provider.
- Classify each one into one of the four categories and document the reasoning, including any Article 6(3) exemption you rely on.
- Train your team. The “AI literacy” duty has applied since 2 February 2025 and covers your staff and anyone operating or using AI systems on your behalf, proportionate to their role and to the systems involved.
- Label chatbots and generated content on websites, emails and social media.
- For every high-risk system, ask the provider for the instructions for use, technical documentation, EU declaration of conformity and CE marking, and check that the system is registered in the EU database.
- Design human oversight where required: roles, authority to stop the system, audit trails.
- Update internal policies: supplier contracts, AI usage policy, worker information notices, GDPR alignment.
Does it make sense to act now?
Yes — but with focus. Most SMBs will find that their actual automations are minimal-risk and that the real work concentrates on two or three specific tools. Having that quick map ready before August 2026 is far better than after.
At AIPROCESSIA we run that audit with a process mindset, not a paperwork one: we identify which automations you actually have, classify them, suggest technical changes where a redesign genuinely changes the tier (for example, having the AI extract and structure CV data for a human to rank instead of scoring the candidates itself), design the human oversight, logging and worker information that a system which stays high-risk requires, and leave you with an actionable plan.
Contact us and we’ll analyse your case for free →
About the author
Jose A. Parra
CEO & Founder of AIPROCESSIA — 30 years as IT consultant for Spanish SMBs.
For three decades I’ve been deploying ERP systems, integrations and — since 2023 — AI agents, RPA and OCR in real-world flows for invoicing, maintenance and customer service. My focus: automate 5 key processes for under €100/month and give back 20-40 hours per week to the team — no one gets replaced.
Certified Generative AI Expert · UDIA · 2026.
