EU AI Act Readiness

Are you ready before the EU AI Act deadline?

A clear guide and a short assessment for SMEs: understand your AI uses, your real obligations, and the evidence to prepare before a customer, auditor, or regulator asks for them.

Key deadlines

  1. 2 Feb 2025: Prohibited practices & AI literacy
  2. 2 Aug 2025: Governance & GPAI
  3. 2 Aug 2026 (current step): General application & transparency
  4. 2027-2028*: High-risk (conditional postponement)

What it is

The EU AI Act, explained simply.

Regulation (EU) 2024/1689 governs AI by risk: the more a use can affect people, the stronger the obligations. It applies by role (user, deployer, integrator, provider) and also concerns SMEs that merely use AI tools.

01 Unacceptable

Prohibited practices (Art. 5): harmful manipulation, social scoring, certain biometric or emotion recognition. Banned since 2 February 2025.

02 High risk

HR, credit, insurance, education, biometrics, critical infrastructure… Heavy obligations (risk management, documentation, human oversight).

03 Transparency

Chatbots, deepfakes, AI-generated or modified content: users must be clearly informed. Article 50 applies from 2 August 2026.

04 Minimal

Low-impact internal uses (text correction, spam filter…). No specific obligation, but good practices remain recommended.

Who is concerned

Even by simply using AI tools, you are concerned.

Your obligations depend on your role in the value chain. A single SME may combine several roles depending on its uses.

User / deployer

You use ChatGPT, Copilot, Gemini, or Claude internally (summaries, writing, support). AI literacy, usage rules, and transparency apply to you.

SaaS integrator

You integrate third-party AI into your product or processes. Supplier due diligence and user information become key.

Provider of an AI feature

You sell an AI feature to your customers: you may be a provider and carry documentation and product-responsibility obligations.

GPAI model provider

You develop or place a model on the market. Rare for an SME: using an LLM does NOT make you a GPAI provider.

Why now

The deadlines not to miss.

Some obligations already apply, others become concrete in 2026, and the high-risk timeline is being postponed — but preparation cannot be improvised.

A past date does not mean “too late”

Prohibited practices, AI literacy, and GPAI obligations have been in force since 2024-2025. If you are not compliant yet, you are already in a state of non-compliance today: it is not only still possible but necessary to regularize. Putting things in order now, while documenting the approach, remains the best protection before an inspection, an audit, or a customer request.

1 August 2024 Done

Entry into force

Regulation (EU) 2024/1689 enters into force.

2 February 2025 In force

Prohibited practices & AI literacy

Prohibited uses (Art. 5) are banned and the AI literacy obligation (Art. 4) applies.

2 August 2025 In force

Governance, GPAI & penalties

GPAI model provider obligations, competent authorities, and the penalty regime (except Art. 101).

2 August 2026 To prepare

General application & Art. 50 transparency

General application of the regulation and transparency (chatbots, deepfakes, AI content). AI literacy supervision from 3 August 2026.

2 Dec 2026* Conditional

AI content watermarking

Technical marking of AI-generated content — postponement announced via the AI Omnibus.

2027-2028* Conditional

High-risk systems

Standalone high-risk (2 Dec 2027) and embedded in regulated products (2 Aug 2028) — timeline being postponed.

* Dates from the AI Omnibus political agreement (7 May 2026), still legally conditional until the text is formally adopted and published.

SME obligations

The defensible baseline for an SME in 2026.

The goal is not a heavy dossier, but being able to demonstrate a reasonable, proportionate, and traceable approach. Here is the baseline a Quick Scan puts in place.

  1. AI use inventory / register, including SaaS tools and generic assistants.

  2. Classification of uses: prohibited / potential high-risk / transparency / minimal.

  3. Prohibited-practices screening (Article 5).

  4. AI literacy plan with evidence of training or guidance.

  5. Acceptable AI use policy, known by teams.

  6. Article 50 transparency checklist (chatbots, generated content, deepfakes).

  7. Supplier due diligence: LLM, Copilot, AI SaaS, cloud, data sent.

  8. DPIA / FRIA check for personal data or fundamental rights.

  9. Human oversight rules for sensitive decisions.

  10. Incident escalation and reporting process.

  11. Documentation of classification decisions.

  12. High-risk roadmap 2027/2028 for HR, credit, insurance, health, education, public uses.

Quick check

Should you look at the EU AI Act?

7 questions, one minute. You get an indicative priority index — not a full diagnostic.

This test does not replace a diagnostic, certification, or formal legal advice.

01 Do you already use ChatGPT, Copilot, Gemini, Claude, or an AI-powered SaaS tool?

Consequences

Non-compliance: the real risk is not only the fine.

Article 99 caps are high, but for an SME the immediate risk is mostly commercial and operational: imposed correction, withdrawal of a use case, contractual blockage, or an individual complaint.

Caps by type of breach (Art. 99)

  • Prohibited practices (Art. 5): up to €35M or 7% of worldwide annual turnover*.
  • Operator obligations + transparency (Art. 50): up to €15M or 3% of worldwide annual turnover*.
  • Incorrect or misleading information: up to €7.5M or 1% of worldwide annual turnover*.
  • GPAI model providers (Art. 101): up to €15M or 3% of worldwide annual turnover*.

Beyond the fine

  • Imposed corrective measures, often within 15 working days.
  • Restriction, withdrawal, recall, or prohibition of an AI system.
  • Forced reclassification (Art. 80) if a use is wrongly classified as “non high-risk”.
  • Formal non-compliance (Art. 83): missing documentation, declaration, or registration.
  • Commercial blockage: a customer requires an AI Act readiness pack before signing.
  • Complaint from a candidate, customer, or employee, alongside GDPR.

A fine is never automatic: the authority considers cooperation, measures already taken, harm, and proportionality. Being able to demonstrate a reasonable and traceable approach is the best protection.

Engagements

From a quick diagnostic to durable governance.

Each format is adapted to your size, number of AI uses, and risk level. Pricing is shared after a short scoping call.

Starter Check

An SME that wants to confirm whether the EU AI Act applies to it.

  • 60-90 min scoping interview
  • Review of 1 to 3 AI uses
  • Preliminary classification
  • 3-5 page summary note
  • Debrief call

Quickly know whether the topic concerns you.


AI Governance Starter Pack

An SME that wants to structure durably.

  • Everything in the Quick Scan
  • AI Register + Acceptable Use Policy
  • AI Literacy Plan
  • Supplier Due Diligence & Transparency checklists
  • RACI + new-use approval procedure
  • Debrief + 90 min awareness session

Reusable deliverables and proportionate governance.


SaaS / Provider Readiness Pack

SaaS vendors adding an AI feature.

  • Role clarification (provider / deployer / integrator)
  • AI feature analysis + classification
  • AI System Information Sheet + usage notice
  • Supplier & model dependency mapping
  • Product compliance roadmap

An AI product you can defend on compliance.


AI Literacy Workshop

Leadership, business, or product teams.

  • Pragmatic session per profile
  • EU AI Act reflexes
  • Quiz + attendance record

The Article 4 obligation, documented.


Monthly support

After a Quick Scan, to stay in order.

  • Action follow-up and decisions
  • Review of new AI uses
  • Supplier support
  • Governance updates

Stay in order over time.


Sources

Regulatory references.

Verified on 5 June 2026

What this service is not

The Quick Scan is an operational readiness diagnostic. It is not a certification, not a compliance guarantee, and not formal legal advice. Findings should be validated with your legal advisers when the risk, sector, or contract requires it.

Want to know where you stand?

Let’s schedule a short conversation. We will look at your current AI uses, likely deadlines, and the best way to start without unnecessary overhead.