The EU AI Act just changed. On May 7, the Council and Parliament agreed to the “Digital Omnibus” — a package of amendments that deferred the biggest compliance deadlines by over a year. If you’ve been hearing “August 2, 2026” as the date everything kicks in, that’s now only partially true.

Here’s what actually applies when, what got pushed back, and what a small business needs to do about it — written for someone who doesn’t have a legal department and doesn’t plan to hire one.

Aug 2, 2026
Transparency obligations take effect
Dec 2, 2027
High-risk obligations (deferred from Aug 2026)
7%
Maximum fine — percentage of global annual turnover

What actually happened on May 7

The EU acknowledged what everyone already knew: the technical standards and guidance documents that companies need to comply aren’t finished. So they pushed the hardest requirements back.

What got deferred. High-risk AI system obligations (risk management, conformity assessments, logging, human oversight) moved from August 2, 2026 to December 2, 2027 — a 16-month extension. AI embedded in regulated products pushed from August 2027 to August 2028. Regulatory sandbox requirements delayed to August 2027.

What did not get deferred: Transparency obligations (Article 50) still apply August 2, 2026. If you operate a chatbot, generate AI content, or use deepfake technology — you have requirements in 60 days. AI literacy (Article 4) has been enforceable since February 2, 2025. If you haven’t started, you’re already technically noncompliant. Prohibited practices have been enforceable since February 2, 2025. Certain uses of AI are flatly banned — no deferral, no exemption.

The Omnibus didn’t reduce what you have to do. It changed when. And two of the three immediate requirements are already live.

Does this apply to your business?

Short answer: probably.

The EU AI Act has extraterritorial reach — deliberately modeled on GDPR. It applies to any company that places an AI system on the EU market, deploys an AI system in the EU, or is located outside the EU but the output of its AI system is used in the EU.

That last one is the catch. A 20-person US company with no EU office, no EU employees, and no EU servers is in scope if its AI-generated output reaches EU users. A customer service chatbot accessible from Europe. Marketing copy generated by AI and published on a website that EU residents visit. An automated email system that reaches EU inboxes.

There is no blanket SME exemption. Every company, regardless of size, must comply with applicable obligations. What SMEs get is proportionality — simplified documentation, lower fine caps, priority sandbox access, and reduced assessment fees. The obligations themselves are the same.

What you need to do right now

01
AI Literacy Training — Already Required

This one surprises people. Article 4 became enforceable February 2, 2025. It requires every organization using AI to ensure that "staff and other persons dealing with the operation and use of AI systems on their behalf" have a sufficient level of AI literacy.

The AI Office's guidance calls this "the structural foundation on which all other AI Act obligations depend." It's also reportedly the first document national authorities will request in an investigation — training records.

What this means for a 20-person business: Identify everyone who uses AI — not just the people who chose the tools. Document the training as an ongoing program calibrated to each person's role. Keep records of who was trained, when, on what, at what level. You don't need a training company. You need a documented program covering what AI tools your team uses, what they can and can't do, what the limitations are, what data handling rules apply, and who to escalate to when something goes wrong. Run it quarterly. Log it. That's the baseline.
02
Transparency Obligations — August 2, 2026

Article 50 hits in 60 days and applies to most businesses using AI in any customer-facing capacity.

If you deploy a chatbot: Users must be informed they're interacting with an AI system. This applies to any automated conversational interface — customer service bots, sales chatbots, scheduling assistants, support ticket responders. The exception is when it's "obvious from the circumstances" — but regulators have signaled they interpret this narrowly. Default to disclosure.

If you generate AI content: Any AI-generated or manipulated image, audio, or video must be labeled as artificially generated. This includes marketing materials, social media content, product images, and video. The labeling must be done "in a machine-readable format" and be "detectable as artificially generated or manipulated."

If you publish AI-generated text on public-interest topics: Text produced by AI that informs the public on matters of public interest must be disclosed as AI-generated. Blog posts, press releases, industry reports, public statements — if AI wrote it and it's published publicly, label it.

Key detail: The EU Commission has published draft guidelines and a draft Code of Practice on transparency for AI-generated content. Final versions are expected in the coming weeks. If you use emotion recognition or biometric categorization in permitted contexts, the individuals affected must be informed.
03
Confirm You're Not Doing Anything Prohibited — Already Enforceable

Article 5 prohibitions have been live since February 2, 2025. Most small businesses aren't anywhere near these, but it's worth a quick gut check because the penalties are the steepest — up to €35 million or 7% of global annual turnover.

Workplace emotion recognition is banned. Using AI to read employees' facial expressions, voice tone, or body language to assess engagement, productivity, or emotional state. This catches some "employee wellness" and "meeting analytics" tools that advertise sentiment analysis features.

Social scoring is banned. Rating employees or customers based on behavior patterns, social conduct, or personal characteristics in a way that leads to detrimental treatment.

Subliminal manipulation is banned. AI techniques that influence decisions through means the person isn't aware of, causing or likely to cause harm.

The most realistic risk for a small business: An HR or "people analytics" tool that includes emotion recognition or behavioral scoring features. Read the feature list. If it mentions sentiment analysis, engagement scoring, or emotion detection applied to employees — that functionality is prohibited in the EU.

What you don't have to do yet

The Omnibus deferral bought real time on the most complex requirements. These are now December 2, 2027 deadlines:

Risk management systems. Continuous, iterative risk identification and mitigation for high-risk AI systems. This requires documented processes throughout the AI system's lifecycle.

Conformity assessments. Formal evaluation demonstrating your AI system meets all regulatory requirements before it can be placed on the EU market.

Technical documentation. Comprehensive records covering intended purpose, design specifications, data sources, testing methods, and risk management processes. The Commission is developing simplified documentation forms for SMEs.

Logging and record-keeping. Automatic event logging over the AI system's lifetime — when it was used, what data it processed, what decisions it made, who verified the results.

Human oversight requirements. Designated individuals with documented training and authority to override AI outputs, with specific procedures for when and how to intervene.

CE marking and EU database registration.

Who this applies to. These obligations target "high-risk" AI systems. For most small businesses, the relevant categories are: employment (AI that screens resumes, scores candidates, evaluates performance), credit and insurance (AI credit scoring, loan decisions), and education (AI for admissions, grading, or exam monitoring). If you use AI-assisted hiring software or AI-based lending tools, you're likely deploying a high-risk system. Start planning now. Don't start panicking now.

The US isn't waiting for the EU

While you're tracking the EU timeline, state-level AI regulation in the US is accelerating independently. In 2025 alone, 145 AI-related bills were enacted across all 50 states — with over 1,500 more introduced in 2026 so far.

Colorado rewrote its landmark AI law in May 2026 (SB 26-189). The new version takes effect January 1, 2027 and focuses on four duties: notify users of AI interaction, disclose adverse automated decisions within 30 days, correct inaccurate personal data on request, and provide meaningful human review.

California has multiple AI laws effective since January 2026, including the Transparency in Frontier AI Act requiring risk frameworks and safety incident reporting.

Illinois amended its Human Rights Act to prohibit employer use of AI that discriminates against protected classes.

Texas enacted its Responsible Artificial Intelligence Governance Act effective January 2026.

There is no comprehensive federal AI legislation. The states are the primary drivers of binding regulation, and they're not coordinating with each other. If you operate in multiple states, you're tracking multiple compliance frameworks with different requirements and different timelines.

The penalties

The EU AI Act uses a three-tier penalty structure:

Violation Maximum fine
Prohibited AI practices (Article 5) €35 million or 7% of global annual turnover — whichever is higher
Other obligations (high-risk, GPAI) €15 million or 3% of global annual turnover — whichever is higher
Supplying incorrect information to authorities €7.5 million or 1% of global annual turnover — whichever is higher

SME relief: For small and mid-size businesses, the calculation flips — it's whichever is lower, not higher. A meaningful difference if your annual turnover is under €15 million.

No penalties have been issued yet. Enforcement through 2026 is expected to be "mainly supportive" — information, guidance, warnings. But supervisors have signaled that flagrant non-compliance with already-enforceable obligations (AI literacy, prohibited practices) could trigger action after August 2026.

04
A 30-Day Compliance Sprint

You don't need a consultant for this. You need someone on your team to own it and 30 days of focused work.

Week 1 — Inventory. List every AI tool your business uses. Include the obvious ones (ChatGPT, Claude, Copilot) and the embedded ones (AI features inside your CRM, email platform, scheduling software, hiring tools). For each: who uses it, what data goes into it, who sees the output, and whether any output reaches EU users or customers.
Week 2 — Classify. Map each tool against the risk categories. Most will be minimal risk (no mandatory obligations). Flag anything touching hiring, lending, or education as potentially high-risk. Flag all customer-facing AI interfaces for transparency obligations.
Week 3 — Implement transparency. Add AI disclosure labels to chatbots, AI-generated content, and automated communication systems. Review marketing materials for AI-generated images or video that need labeling. This is the August 2 deadline — handle it now.
Week 4 — Document AI literacy. Write a one-page AI usage policy. Run a team training session covering: which tools are approved, what data can and can't be entered, when human review is required, and where to escalate concerns. Document who attended and what was covered. Schedule the next session for Q3.

That's the minimum viable compliance package for a 20-person business as of June 2026. It handles everything that's enforceable today and everything coming in August. The high-risk system requirements are a December 2027 problem — start scoping them in Q4 2026.

The Honest Take

The EU AI Act is not going to shut down small businesses. The Omnibus deferral was a direct acknowledgment that the implementation timeline was unrealistic — even for large companies with dedicated compliance teams. The regulators know this.

But "the big requirements got pushed back" is not the same as "you don't have to do anything." AI literacy has been required for 16 months. Transparency obligations hit in 60 days. Prohibited practices have been enforceable since February 2025. If a national authority investigates your business tomorrow, the first thing they'll ask for is training records. The second is your AI tool inventory. The third is evidence of transparency disclosures.

None of that is hard. It's just work nobody told you to do — because the AI regulation conversation has been aimed at enterprises, legal teams, and compliance professionals. Not at the 20-person business that's been using ChatGPT for a year and didn't know the rules already applied.

Now you know. Start with the inventory. Write the policy. Run the training. Document everything.

The bar for compliance at a small business is lower than you think. The consequence of ignoring it entirely is higher than you'd like.

Ostlii Agency evaluates AI tools and helps businesses implement them with proper governance from day one. Every engagement includes AI policy documentation and compliance mapping as standard deliverables. We're not lawyers — this article is informational, not legal advice.

Sources: EU AI Act Official Text (OJ L, 2024/1689) · AI Act Service Desk Implementation Timeline · Council of the EU, Digital Omnibus Agreement Press Release (May 7, 2026) · Orrick, "EU's Digital Omnibus on AI — 7 Key Changes" (May 2026) · Mishcon de Reya, "EU AI Act Simplified: Unpacking the AI Omnibus Agreement" (May 2026) · VerifyWise, "EU AI Act Omnibus — What Changed" (May 2026) · artificialintelligenceact.eu — Articles 2, 4, 5, 14, 50, 99 and Annex III · EU AI Act Small Businesses' Guide · AI Office Guidance on AI Literacy · Consumer Finance Monitor, "Colorado Rewrites Its Landmark AI Law" (May 2026) · Cooley, "State AI Laws — Where Are They Now?" (April 2026) · Future of Privacy Forum, "Enacted U.S. AI Laws 2023-2025" · Orrick US AI Law Tracker · Stephenson Harwood, "EU AI Act Enforcement Overview" · European Parliament Think Tank, "Enforcement of the AI Act" (March 2026)