For a year, the advice to anyone touching the EU market has been “get ready for 2 August 2026.” That date is now two different things. The part that genuinely arrives on 2 August, the Commission's power to enforce the rules for general-purpose AI models with fines included, is real and on schedule. But the part most small businesses were actually worried about, the high-risk obligations for things like AI in hiring or credit decisions, has been pushed to December 2027 under the Digital Omnibus agreed in principle on 7 May. The scary deadline split in two, one half got easier, and the half that's left almost certainly doesn't land on you the way you feared. Here's how to tell which side you're on in ten minutes.
I had this conversation three times last week, so it's worth writing down once. A client who sells into Europe had “2 August — AI Act” circled in red, a vague dread attached to it, and no idea what was actually meant to happen. That's the worst combination: a hard date, a big fine attached, and no clarity on whether any of it applies to you. So let's take the dread apart, because the picture changed in May and most people haven't caught up.
Two things were always bundled into that August date, and they've now come unbundled. The first is enforcement of the rules for general-purpose AI models, the big foundation models from the likes of OpenAI, Anthropic and Google. From 2 August 2026, the European Commission can actually enforce those obligations and levy fines. That's on schedule and it's real (see the AI Act implementation tracker for the live timeline). The second is the high-risk category, AI used in things like recruitment, credit scoring, or access to essential services. That's the bucket most ordinary businesses feared falling into. Under the Digital Omnibus, a package agreed in principle on 7 May 2026, the high-risk deadline for those Annex III systems has been deferred from August 2026 to 2 December 2027.
Why the split matters to you specifically
The point that gets lost in the headlines is this: the August enforcement is aimed at the people who build the big models, not the people who use them. If you're a small business running ChatGPT, Claude or Gemini to draft emails, summarise documents, or answer customer questions, the GPAI obligations land on the model provider, which is their compliance burden, not yours. You are a deployer, and the heavy deployer duties live in the high-risk category that just slipped to the end of 2027.
That doesn't mean the Act ignores you. It means the part that touches you is the lighter, sensible part: transparency. If your customers are talking to an AI, they should know it's an AI. If you publish AI-generated content or images, there are labelling expectations coming. None of that is a crisis. It's the kind of thing a reasonable business would want to do anyway, and it's a world away from the conformity assessments and documentation regimes that the word “compliance” conjures.
The ten-minute self-check
I take clients through four questions. You can do this over a coffee without a lawyer in the room, though if you land on the wrong side of any of them, that's exactly when you get a lawyer in the room.
- Do you sell into, or operate in, the EU or EEA? If you're a purely UK business with no EU customers or users, the EU Act isn't your primary worry, though the UK's own approach is worth watching, and many UK firms adopt the EU standard anyway because their tools are built to it.
- Are you using AI to make or materially influence a decision about a person? Hiring, firing, credit, insurance, access to a service. If yes, you're in or near the high-risk bucket, the one that now has until December 2027, which is breathing room, not a free pass.
- Does a customer ever interact with your AI without knowing it's AI? A chatbot that reads as human, an AI voice on the phone. If yes, transparency is your near-term job, and it's a small one: say so.
- Are you building or fine-tuning your own foundation model? If you have to ask, the answer is no, and the August GPAI obligations aren't pointed at you.
Most small businesses I work with answer “no, no, maybe, no.” That maybe on transparency is the only live action, and it's an afternoon, not a project.
One genuine relief, and one thing not to celebrate too hard
The relief is that the Act explicitly goes easier on smaller firms. Small and medium businesses get simplified technical documentation requirements, and the penalty structure is proportionate. Where a fine is capped at a percentage of turnover, a small firm pays the lower of the percentage or the headline figure, not the eye-watering maximum you see quoted. The Act was not written to bankrupt a twenty-person company over a chatbot. That's worth knowing before the dread sets in.
What I wouldn't do is treat the December 2027 deferral as permission to stop thinking. Deadlines that move once can firm up again, and the high-risk obligations are real work if they apply to you: documentation, human oversight, record-keeping. Sixteen extra months is time to do that properly and cheaply, not time to forget about it until November 2027 and pay a premium to a consultant in a panic. If you're using AI anywhere near a decision about a person, the smart move is to spend a quiet afternoon this autumn writing down what the system does, what data it uses, and where a human checks it. That document is most of the work, and you'll be glad it exists.
What I'd actually do this week
Run the four questions. If you come out “user, not maker, no decisions about people,” then your only near-term job is honesty: make sure anyone talking to your AI knows it's an AI, and label AI-generated content. That's it. Put the December 2027 date in the calendar with a note, and get back to running the business.
The Act is real, the August enforcement is real, and the fines are real. But the version of it that was keeping small business owners up at night was mostly never aimed at them, and the part that might have been just bought everyone sixteen months. Knowing which side of that line you're on is the difference between a calm afternoon and a needless scramble.
Frequently asked questions
Does the 2 August 2026 deadline still apply to my small business?
Almost certainly not in the way the headlines suggest. The August date enforces obligations on general-purpose AI makers (OpenAI, Anthropic, Google and similar). If you use those tools rather than build them, your obligations as a deployer live in a different bucket, and the heavy parts of that bucket just moved to December 2027.
What changed in May 2026 with the Digital Omnibus?
The EU agreed in principle on 7 May 2026 to defer the high-risk obligations for Annex III systems — recruitment, credit scoring, access to essential services and similar — from August 2026 to 2 December 2027. That gives roughly sixteen extra months for businesses that fall into the high-risk category to prepare their documentation, human-oversight processes, and record-keeping.
What are the “transparency” obligations for SMEs?
The short version: if a customer is interacting with an AI, they should be told. If you publish AI-generated content or images, labelling expectations are arriving. These are practical, low-cost changes and align with what most reasonable businesses would do anyway.
What happens if my business does fall into the high-risk category?
You have until 2 December 2027 to comply. Use the time. Write down what the AI system does, what data it uses, where human review happens, and what fallback exists if it gets something wrong. That documentation is the bulk of the work and is worth doing for internal reasons regardless of the regulator.
I'm a UK business with no EU customers. Do I need to care at all?
Not directly. The EU AI Act binds firms placing systems on the EU market or affecting EU users. Many UK firms still adopt the EU standard because their tools and vendors comply with it, and because the UK's own AI rules are still taking shape. Treat it as the floor of good practice, not as a regulatory obligation unless you're selling into the EU.
How big can the fines actually be?
The headline maximums are very large (up to 7% of global turnover for the worst breaches), but the Act caps fines on smaller firms at the lower of the percentage or the absolute figure, so a small business doesn't face the same nominal ceiling as a Fortune 500. That's not a licence to ignore the rules, but it does mean the dread headlines aren't calibrated to a 20-person firm.