EU AI Act: Three obligations already apply — the fourth hits you on 2 August

The EU AI Act has been in force since 1 August 2024. That does not mean all obligations apply immediately: they phase in over several years. The bulk of them become binding on 2 August 2026.

The part that affects you most directly as a website operator is Article 50: the transparency obligations. At its core, this means one simple, hard rule: when a person interacts with your AI, they must know it.

Every chatbot that interacts with users from 2 August 2026 must disclose that it is an AI — regardless of how long it has been running. There is no grandfather clause.

This applies not only to chatbots. It also covers AI-generated text, images, audio, and video. Anyone who produces content with generative AI must label it in machine-readable form; anyone who publishes deepfakes must make the artificial origin visible to people. Four paragraphs, four distinct obligations — and all four take effect on the same day.

In parallel, obligations for high-risk AI under Annex III take effect on 2 August 2026. Annex III lists eight areas in which AI is classified as high-risk — including staff recruitment, creditworthiness assessment, and access to education. If you use AI to pre-screen applicants or assess credit ratings, you are directly affected: you must ensure human oversight and retain automated logs for at least six months. A Fundamental Rights Impact Assessment (FRIA) is required on top of that — but only for certain deployers: public bodies, providers of public services, and operators using AI for creditworthiness and insurance risk assessments.

This is where it gets uncomfortable, because most people overlook this part. Whilst everyone focuses on August, three tiers of the AI Act already apply:

For you as an SME, the second is the most uncomfortable, because it truly affects everyone. Art. 4 — AI literacy — applies not from August but since 2 February 2025.

Every business that uses AI systems must ensure that the staff who operate them or use their outputs have sufficient AI literacy — regardless of the risk category.

This is the lowest-threshold breach in the entire law, and precisely for that reason the most dangerous: it affects anyone who uses Copilot, ChatGPT, or any AI tool in their business. No high-risk system required, no exemption for small teams.

The good news is also your most effective lever: any business that has trained its staff with a documented record is in a far stronger position with any regulator. And "documented" means nothing bureaucratic — a simple log with the date, attendees, and topics covered is usually sufficient. The training not only fulfils the obligation; it also protects you if things go wrong.

At this point many people make an error that causes unnecessary worry. They read "AI providers must do X" and assume all the obligations fall on them.

The strictest obligations do apply to providers — those who develop and place an AI system on the market. But the vast majority of SMEs are not providers; they are deployers: they buy a ready-made tool and use it. And deployer obligations are considerably lighter.

In practice, this means: you do not need to certify the algorithm. You need to know what you are deploying, train your staff, label transparently, and — for high-risk applications — ensure oversight and logging. That is achievable — provided you do not wait until 1 August to start.

Let us look at the numbers — they explain why this is not a minor issue. The AI Act scales its fines:

A missing AI disclosure on a chatbot is not a trivial offence. It falls in the same fine bracket as a serious DSGVO breach — up to €15 million.

There is some relief for SMEs and start-ups: Article 99 explicitly gives the supervisory authority discretion to set lower rates, and whichever of the two values is lower applies. But do not assume that "lower" means "harmless". The DSGVO showed us how seriously that discretion is exercised.

An honest note to close this section: the EU is currently negotiating a so-called "Digital Omnibus" intended to extend certain high-risk obligations — there is talk, for example, of pushing back the deadline for employment-related systems. Nothing has been decided. Until the Omnibus is formally adopted before 2 August 2026, the current timetable stands — word for word. Planning around a postponement that has not yet been agreed is not a plan. It is a bet.

Three things I strongly recommend to every business using AI:

All three steps have one thing in common: they are not specialist tasks but a matter of documentation, labelling, and training. Anyone who works through them calmly and in order will be ready for the deadline — without panic and without external consultants.

1. EU Artificial Intelligence Act — Article 50 (transparency obligations)

2. EU Artificial Intelligence Act — Implementation Timeline

3. European Commission — Regulatory framework on AI

4. TÜV Rheinland Consulting — Transparency obligations in the EU AI Act (Art. 50)

5. DLA Piper — Digital AI Omnibus: deferral of high-risk AI obligations