EU AI Act SME Compliance Finale 2026: Complete August Readiness Checklist
Post #5 in the sota.io EU AI Act SME Compliance 2026 Series
Nine weeks. That is the time remaining before August 2, 2026 — the date when the EU AI Act's core obligations take full legal effect across the European Union.
For SMEs with fewer than 250 employees, the previous four posts in this series covered the foundational questions: which obligations apply to your company, how to access regulatory sandboxes, how to classify your AI systems, and what documentation you actually need. This finale post pulls everything together into a single, structured checklist you can work through before the August deadline.
The checklist is built around what the Act actually requires — not maximalist interpretations designed for large enterprises. Where the Act grants SME-specific accommodations, this guide notes them explicitly.
The August 2, 2026 Deadline: What It Covers
August 2, 2026 is not the Act's full entry-into-force date — the regulation entered into force on August 1, 2024. What August 2, 2026 marks is the application date for the provisions that affect most AI systems in active use:
- Article 50 transparency obligations apply to all providers and deployers of AI systems that interact with natural persons, generate synthetic content, or perform emotion recognition
- GPAI model provider obligations under Chapter V apply to any company that places a general-purpose AI model on the EU market
- High-risk AI system obligations (Articles 9–21) apply to providers of systems listed in Annex III
- Prohibitions (Article 5) — social scoring, real-time biometric surveillance in public spaces, subliminal manipulation — have been prohibited since February 2, 2025
The good news for most SMEs: if your AI system is neither general-purpose nor Annex III high-risk, your mandatory obligations under the Act reduce to Article 50 transparency requirements and the general duty not to deploy prohibited systems.
Phase 1: Classification (Weeks 1–2)
Before anything else, you need to know which category your AI systems fall into. This is the most consequential determination you will make.
Checklist: Classification
- List every AI system your company provides or deploys — include internally-developed tools, third-party APIs with significant AI components, and any AI-driven features embedded in your product
- Apply the Article 6 high-risk test to each system: does it fall into any Annex III category? Annex III covers systems used in critical infrastructure, education, employment, essential services (credit, insurance), law enforcement, migration, and administration of justice
- Apply the prohibited-use test: does any system perform social scoring, real-time biometric identification in public spaces, emotion recognition in workplaces or educational institutions, or manipulate users through subliminal techniques? If yes, cease operation immediately — prohibition applies now
- Identify GPAI components: does your product include or rely on a general-purpose AI model (large language model, multimodal foundation model, etc.)? If you built or fine-tuned the model yourself and distribute it, you may have GPAI provider obligations
- Identify Article 50 systems: does any AI system in your product interact directly with natural persons (chatbots, voice assistants, conversational interfaces)? Generate synthetic images, audio, or video? Perform emotion or biometric categorisation?
- Document classification rationale — write down why each system falls into its category, even if that category is "minimal risk, no obligations." This record protects you if questioned later
SME note: Article 62 directs national authorities to provide SMEs with priority access to regulatory sandboxes and simplified guidance. If you are uncertain about a classification, the sandbox route allows you to test the determination with regulatory oversight rather than guessing.
Phase 2: Article 50 Transparency (Weeks 2–4)
Article 50 applies to every AI system that interacts with natural persons or generates synthetic content — regardless of risk level. For many SMEs, this is the primary August 2026 obligation.
Article 50 Obligations by System Type
Chatbots and conversational AI (Article 50(1)): When a user is interacting with an AI system, they must be informed that they are interacting with an AI — in a clear, unambiguous manner, at the start of the interaction. Exception: it is obvious from context that the user is talking to an AI.
Emotion recognition and biometric categorisation (Article 50(2)): If your system categorises people based on inferred emotions or classifies biometric data, you must inform affected persons of the operation before exposing them to it.
AI-generated content (Article 50(4)): If your system generates synthetic audio, images, video, or text intended to inform the public on matters of public interest, outputs must be marked in a machine-readable format to indicate their AI-generated nature. This applies primarily to media and public communication use cases; most SaaS productivity tools are out of scope.
Deployers of deepfake systems (Article 50(5)): If your system generates deepfakes — realistic AI-generated images or video of real persons — you must disclose the artificial nature of the content, with exceptions for satire and art that is clearly labelled.
Checklist: Article 50
- Audit every user-facing AI touchpoint — list every place where an AI system interacts with an end user
- Add AI disclosure language to chatbot interfaces: "You are speaking with an AI assistant" or equivalent, displayed before the first AI response
- Update terms of service and privacy notices to reflect AI processing where the interaction of GDPR Articles 13/14 with Article 50 requires it
- For emotion/biometric systems: implement pre-use disclosure mechanisms and record that consent or notice was delivered
- For synthetic content pipelines: implement C2PA metadata, invisible watermarking, or equivalent machine-readable signals if you are generating public-facing synthetic media
- Test disclosure flows — verify that disclosures render correctly on mobile, in accessibility modes, and across localised versions of your product
Phase 3: High-Risk Obligations (Weeks 3–7, if applicable)
If any of your systems landed in Annex III during Phase 1, the full provider obligation stack applies. This is substantial work — eight weeks is tight if you have not started.
Summary of High-Risk Provider Obligations
Article 9 — Risk management system: A documented, iterative risk management process covering known and reasonably foreseeable risks. For SMEs, a simplified written risk register with review cadence satisfies the spirit of the requirement.
Article 11 — Technical documentation: A comprehensive documentation dossier covering system description, architecture, intended purpose, training data characteristics, validation methodology, accuracy metrics, and known limitations. The full Annex IV content list applies.
Article 12 — Record-keeping: Automatic logging of system operation to the degree technically feasible. Logs must allow post-market monitoring.
Article 13 — Transparency to deployers: Instructions for use that enable deployers to make informed decisions about the AI system, including its capabilities, limitations, accuracy ranges, and expected maintenance.
Article 14 — Human oversight: Design measures ensuring human operators can understand, oversee, and — where necessary — stop the AI system.
Article 15 — Accuracy, robustness, cybersecurity: Performance metrics specified and tested for accuracy, resilience to adversarial input, and cybersecurity controls appropriate to the risk.
Article 16 — Provider obligations summary: Register in the EU database (Article 49), affix CE marking, draw up the EU declaration of conformity (Article 47), complete the conformity assessment procedure (Article 43).
Article 17 — Quality management system: A documented QMS covering design procedures, data governance, post-market monitoring, and complaint handling.
Checklist: High-Risk Providers
- Complete Annex IV technical documentation dossier
- Establish Article 9 risk management system with written risk register and review schedule
- Implement Article 12 logging — determine what is technically feasible for your architecture and document the decision
- Prepare Article 13 instructions for use for deployers
- Document Article 14 human oversight measures — how can a human intervene, monitor, and stop the system?
- Run Article 15 accuracy and robustness tests — document methodology and results
- Establish Article 17 QMS — at minimum: design control procedures, data governance policy, post-market monitoring plan, incident escalation path
- Complete conformity assessment under Article 43 — for most Annex III systems this is internal (no notified body required), but must be documented
- Draft EU Declaration of Conformity under Article 47
- Register in EU AI database under Article 49 before August 2, 2026
- Affix CE marking where required
SME accommodation: Article 62(2) grants SMEs simplified access to regulatory sandbox participation, which can substitute for certain pre-market testing requirements. Article 62 also grants SMEs reduced administrative burden where national authorities have implemented the SME-specific guidance.
Phase 4: GPAI Provider Obligations (Weeks 2–5, if applicable)
If your company develops, fine-tunes, or distributes a general-purpose AI model, Chapter V obligations apply from August 2, 2026.
Key GPAI Obligations
Technical documentation: Model providers must prepare and maintain documentation covering training data, training compute, architecture, intended uses, and evaluation benchmarks.
Usage policy: A policy specifying acceptable and prohibited uses of the model, communicated to downstream developers.
Copyright transparency: A summary of training data used, sufficient for rights holders to assess compliance with copyright law.
Systemic risk classification: Models exceeding 10^25 FLOPs training compute are classified as GPAI models with systemic risk and face additional requirements (adversarial testing, incident reporting, cybersecurity measures).
SME reality: Most SMEs are GPAI deployers, not GPAI providers. If you use OpenAI, Anthropic, Mistral, or similar APIs and build applications on top, you are a downstream deployer — not subject to GPAI provider obligations. The GPAI provider is the model developer who placed the model on the EU market.
Checklist: GPAI Providers
- Determine if you are a GPAI provider or deployer — are you placing a foundation model on the EU market, or building on an existing model?
- If provider: prepare technical documentation including training data summary, architecture description, and evaluation results
- Publish usage policy accessible to downstream integrators
- Prepare copyright transparency summary
- Calculate training compute — if above 10^25 FLOPs, systemic risk obligations apply and you must notify the AI Office
Phase 5: Internal Processes and Governance (Weeks 4–8)
Even for minimal-risk AI systems with no mandatory obligations, the companies that navigate EU AI Act scrutiny best are those with documented internal processes. This phase covers governance infrastructure.
Checklist: Governance
- Designate an AI compliance owner — even if informal, someone responsible for monitoring regulatory developments and maintaining your AI inventory
- Create and maintain an AI system inventory — all AI systems used internally and in your product, with classification, risk level, and compliance status
- Establish a model change process — when an AI system is significantly modified (new training data, new intended purpose, expanded deployment context), trigger a reclassification review
- Document your Article 5 prohibited-use review — written record that you evaluated your systems against the prohibited-use list and found no prohibited applications
- Integrate AI compliance into procurement — when buying SaaS products with AI components, contractually verify that the supplier's AI systems meet Article 50 and (if Annex III) high-risk obligations
- Set up Article 73 incident monitoring — if you operate a high-risk system, serious incidents must be reported to market surveillance authorities. The timeline is: 15 calendar days for serious incidents, 2 days for death or serious harm, 10 days for fundamental rights violations. (These are days, not hours — a common misquote.)
The August Readiness Scorecard
Use this scorecard to assess your current compliance posture:
| Area | Minimal Risk | Limited Risk | High Risk |
|---|---|---|---|
| Classification documented | Required | Required | Required |
| Article 50 disclosure | — | Required | Required |
| Article 11 technical docs | — | — | Required |
| Article 9 risk management | — | — | Required |
| EU database registration | — | — | Required |
| CE marking | — | — | Required |
| QMS (Art.17) | — | — | Required |
Minimal risk (no Annex III, no Art.50 triggers): document your classification rationale. No other mandatory actions.
Limited risk (Art.50 applies — chatbots, synthetic content, emotion recognition): implement transparency disclosures. Update terms. Test flows.
High risk (Annex III): the full checklist in Phase 3 applies. Eight weeks is achievable for a focused team, but requires starting now.
Resources and Next Steps
The national competent authorities designated under the EU AI Act are the primary point of contact for SME compliance guidance. Article 62 mandates that they provide:
- Dedicated guidance and support for SMEs and startups
- Priority access to regulatory sandboxes for SMEs
- Awareness-raising activities
- Standardised templates for technical documentation (where available)
The EU AI Office (at the European Commission) publishes guidance documents, codes of practice for GPAI providers, and regulatory sandbox frameworks. The current GPAI Code of Practice — published in final form ahead of the August deadline — sets practical standards for model providers and serves as useful benchmark reading even for non-GPAI actors.
For SMEs operating on EU-sovereign infrastructure, the compliance surface is simplified: no data transfers to non-GDPR jurisdictions, no CLOUD Act exposure, and a cleaner data governance story for Article 10 (data and data governance) obligations.
Series Summary
This five-post series covered:
- Which obligations apply to companies under 250 employees — the SME-specific accommodations and the universal minimums
- Article 62 support mechanisms — regulatory sandboxes, testing facilities, and how to access SME priority channels
- Risk classification — the four-tier system and the 5-question checklist for determining your AI system's category
- Documentation requirements — what Annex IV mandates, what is actually needed for non-high-risk systems, and the minimal documentation checklist
- This post — the complete August readiness checklist, phase by phase
August 2, 2026 is a legal effective date, not a suggested deadline. For companies operating in the EU or serving EU users, the obligations in this checklist are enforceable from that date. The penalties under Article 99 scale to company revenue — SMEs are not exempt from penalties, though Article 99(5) directs authorities to consider company size when setting fines.
Start with classification. Everything else follows from knowing which category your systems fall into.