EU AI Act 2026 for SMEs: obligations, timeline and compliance
EU AI Act 2026 for SMEs: Regulation (EU) 2024/1689, August 2026 timeline, provider vs deployer roles, high-risk AI, Article 4 literacy duty, fines up to 35 million euros and a practical 90-day roadmap.
Expert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.
Quick answer. Regulation (EU) 2024/1689 (the AI Act) entered into force on 1 August 2024 and becomes fully applicable on 2 August 2026. Prohibited practices and the AI literacy duty (Article 4) have applied since 2 February 2025, and general-purpose AI obligations since 2 August 2025. Sanctions reach EUR 35 million or 7% of worldwide turnover for prohibited practices (Article 99).
2026 context: why the AI Act now belongs at board level
By May 2026, the AI Act is no longer an abstract legal file. It enters boardrooms because almost every SME now uses artificial intelligence, often without realising it: ChatGPT assistants, Microsoft 365 Copilot, Mistral for sales drafting, invoice extraction in Pennylane, CRM prospect scoring, CV pre-screening, cash forecasting or automated bank matching.
The right question is no longer "do we use AI?" but "do we know which uses are authorised, who validates them, who owns the error, and can we evidence it during a control?". Regulation (EU) 2024/1689 of 13 June 2024, the AI Act, was published in the EU Official Journal on 12 July 2024. It establishes a horizontal risk-based framework and imposes graduated obligations on providers and deployers across the Union, including non-EU vendors and users when the output of the AI is used in the Union.
At Hayot Expertise we currently support Paris-based SMEs that only discover, during an internal audit or a client questionnaire, that they already operate five to ten AI tools without a formal policy. This guide summarises the framework as it stands in May 2026 and proposes a pragmatic method to manage it without slowing productivity.
Application timeline: what applies when?
The AI Act phases in over four years, which regularly creates confusion among directors.
| Date | Obligations becoming applicable |
|---|---|
| 1 August 2024 | Regulation (EU) 2024/1689 enters into force |
| 2 February 2025 | Ban on unacceptable practices (Art. 5) + AI literacy duty (Art. 4) |
| 2 August 2025 | Governance rules + general-purpose AI (GPAI) obligations + designation of national competent authorities |
| 2 August 2026 | General applicability: main obligations for high-risk systems, transparency (Art. 50), sanctioning powers of authorities |
| 2 December 2027 | Specific rules for Annex III high-risk systems (biometrics, critical infrastructure, education, employment, migration, justice) |
| 2 August 2028 | Rules for high-risk systems embedded in regulated products (Annex I: toys, lifts, medical devices, vehicles) |
By 17 May 2026, prohibited practices and the employee training duty have been in force for more than fifteen months. National authorities receive full sanctioning powers on 2 August 2026: for a French SME, the priority is to close out mapping and governance before summer.
Who is concerned? Provider, deployer, importer, distributor
The regulation distinguishes several roles, and a single SME can hold several hats depending on the tool. Identifying the role drives the nature and intensity of the obligations.
| Role | Short definition | Typical SME case |
|---|---|---|
| Provider | Develops or has developed an AI system placed on the market under its own name | Startup publishing an AI analytics SaaS |
| Deployer | Uses an AI system under its authority in a professional setting | SME using Copilot or ChatGPT Enterprise |
| Importer | Places a non-EU AI system on the EU market | French distributor of a US tool |
| Distributor | Makes an AI system available in the distribution chain | Reseller of AI software |
| Authorised representative | EU-based representative of a non-EU provider | French subsidiary of a US vendor |
In 90% of cases, a French SME is only a deployer. Obligations are then significantly lighter than for providers, but they exist: human oversight, logging, information of data subjects, adherence to the provider's instructions for use, and team training.
Risk classification: where does your use case sit?
The AI Act is built around a four-level pyramid. Each level triggers a distinct regime.
| Level | Examples | Regime |
|---|---|---|
| Unacceptable (Art. 5) | Public-authority social scoring, harmful subliminal manipulation, mass scraping of facial images, emotion recognition at work or school, real-time biometrics in public spaces (with limited exceptions) | Banned |
| High-risk (Annexes I and III) | AI in recruitment and employee evaluation, consumer credit scoring, biometrics, critical infrastructure, education, justice, safety of regulated products | Quality system, technical documentation, human oversight, CE marking, EU database |
| Transparency (Art. 50) | Generative AI (text, image, audio), chatbots, deepfakes, biometric categorisation | User information, marking of synthetic content |
| Minimal risk | Spam filters, product recommendation, video games, generic office productivity | Recommended practices, no additional duty |
For most SMEs, AI sits at minimal risk or specific transparency. Vigilance focuses on three use families that may shift to high-risk: HR recruitment and evaluation, credit scoring or insurance pricing, and any integration into a CE-marked product (health, safety, toys, machinery).
The overlooked duty: AI literacy (Article 4)
Since 2 February 2025, all providers and deployers must ensure a sufficient level of AI literacy among the people who operate the systems on their behalf, including employees, contractors and subcontractors. Article 4 sets no size threshold: a five-person SME is concerned as much as a large group.
AI literacy does not impose a specific training format. It requires users to understand the capabilities, limits, risks and responsibilities tied to the deployed tools. The European Commission expects a structured approach:
- inventory AI tools actually used by each team;
- identify the skills required per role (sales, accounting, HR, executive);
- organise tailored awareness sessions (45 minutes to 2 hours are enough for standard use);
- document training (date, content, attendees) in the internal register;
- update usage charters and the internal rules;
- revise the training plan annually.
The absence of a literacy plan is one of the easiest breaches for an authority to observe. It is also the first signal that a director is — or is not — managing the AI risk.
Interplay with GDPR: a cumulative regime
The AI Act does not replace GDPR; it adds to it. The CNIL, designated as one of the reference authorities for AI Act enforcement in France, finalised its AI recommendations in July 2025 and publishes practical sector sheets. For any AI processing personal data, GDPR obligations remain fully applicable: legal basis, information, DPIA when the processing presents a high risk, minimisation, retention, security.
GDPR is in fact a prerequisite for AI Act conformity for high-risk systems: the EU declaration of conformity will only be credible if training and inference data processing complies with Regulation (EU) 2016/679. In practice, an SME deploying HR AI will produce two files: a GDPR file (register, DPIA, candidate information) and an AI Act file (provider's instructions, human oversight, user training, logging).
Our chartered accountant analysis
Recently, a 30-person services SME based in Paris asked us to assess its AI Act exposure. After mapping, seven AI tools were in daily use: ChatGPT, Copilot, a HubSpot CRM sales assistant, Pennylane for pre-accounting, Dext for expense receipts, an ATS CV-screening module, and a legal proofreading assistant. None qualified as high-risk except the CV-screening module — which had to move to a purely assistive logic with documented final human decision.
Our conviction: for 90% of French SMEs in 2026, AI Act compliance fits four deliverables — a map of AI tools and their classification, an internal charter submitted to the works council for consultation where required, an annual training plan integrated into the skills development plan, and an incident register kept by a single owner (DPO, CISO or CFO depending on the organisation). There is no need to overinvest in heavy governance if usage stays on standard minimal-risk SaaS.
The mistake we see most often is pasting sensitive data (trial balance, customer list, contract, payslip) into a consumer tool whose terms allow reuse for training. It is less an AI Act problem than a direct GDPR breach and competitive risk. The fix is simple: approved-tool whitelist, professional accounts with training opt-out, and a "no identifiable client data outside approved tools" rule.
Special cases
- E-commerce SMEs: use of GPAI for product descriptions or translation. Transparency regime: generated content does not need to be labelled to the public if purely informative, but synthetic visuals and audio deepfakes must be labelled (Art. 50).
- Medical practices and health professions: any diagnostic-aid AI falls under Regulation (EU) 2017/745 on medical devices and shifts to high-risk under the AI Act. CE marking and technical documentation are mandatory.
- SaaS AI startup: provider status — ISO/IEC 42001 quality system recommended, technical documentation per Annex IV, EU declaration of conformity, CE marking for high-risk systems, and registration in the EU database.
- Industrial SME using AI in product safety: high-risk if the AI is a safety component of a product covered by Annex I (machinery, toys, lifts). Coordination with the product's notified body is mandatory.
- Regulated professions (lawyer, chartered accountant): specific deontological rules on top of the AI Act. Professional secrecy often requires a private deployment (EU hosting, no prompt reuse).
Sanctions: three caps to remember
Article 99 organises three tiers of administrative fines. For SMEs, the regulation provides that the lower of the two amounts applies (instead of the higher for large groups).
| Breach | Standard cap | SME calculation |
|---|---|---|
| Prohibited practices (Art. 5) | EUR 35 M or 7% global turnover | The lower of the two |
| Non-compliance high-risk, GPAI, transparency | EUR 15 M or 3% global turnover | The lower of the two |
| Incorrect information to authorities | EUR 7.5 M or 1% global turnover | The lower of the two |
For breaches of Article 4 (literacy) and most procedural duties, the cap sits in the second or third tier. Other EU enforcement records (GDPR, DSA) show that authorities heavily modulate based on cooperation, duration and harm.
Watch points and common mistakes
- Confusing the AI Act and GDPR: the two frameworks stack; a DPIA does not exhaust AI Act documentation.
- Believing that SMEs under 50 employees are exempt: only some obligations are eased, none is fully waived.
- Forgetting Article 4: employee training has been enforceable since February 2025, regardless of size.
- Treating ChatGPT or Copilot as "neutral": the risk depends on the data entered, not the logo.
- Overlooking the subcontractor chain: a vendor that uses AI on your behalf exposes your data to its GPAI provider; contractual clauses are required.
- Underestimating internal credit scoring: an in-house customer score used for credit decisions may flip to high-risk.
- Stacking tools without ROI measurement: AI maturity is also measured by consolidation and decommissioning.
Hayot Expertise method: a 90-day roadmap
Our support combines digital transformation of the SME finance function, Paris 8 chartered accounting services and outsourced CFO missions for startups and SMEs. We build on the principles described in our articles "Accounting AI: automate without giving up expertise" and "Artificial intelligence and accounting". AI compliance is also closely linked to "The NIS2 directive and SME cybersecurity in 2026" and to the question "Is a DPO mandatory?".
- Weeks 1-2: executive interview + tool mapping via questionnaire to each manager.
- Weeks 3-4: use-case classification, identification of HR and finance risks, SaaS contract audit.
- Weeks 5-6: drafting of the internal AI charter and approved-tool list.
- Weeks 7-8: AI literacy sessions (one hour per business team).
- Weeks 9-10: incident register and new-tool approval workflow.
- Weeks 11-12: executive review, remediation plan, annual follow-up scheduled.
Finance teams looking to industrialise their flows can connect this work to "AI-driven pre-accounting in Pennylane" and "Invoice extraction with Dext", while keeping systematic human validation on entries and filings. Startups can map AI, compliance and growth via our tech startups sector page.
What really changes on 2 August 2026
2 August 2026 triggers the sanctioning powers of national authorities. In France, the CNIL, ARCOM or DGCCRF (depending on the field) will control and sanction. Our conviction: the first controls will focus on Annex I and III actors (health, large-scale HR, credit scoring). Minimal-risk SMEs will not be the immediate target, but a total lack of documentation will become an aggravating factor in any employee, client or candidate complaint.
Hayot Expertise advice. Do not outsource the AI Act to the CIO alone or the lawyer alone. Build a trio of executive + CFO/CISO + DPO to map in 30 days, formalise a short charter in 30 days and roll out literacy in 30 days. You will be ready before the summer of 2026 without overinvesting.
Key takeaways
- The AI Act (Regulation EU 2024/1689) becomes fully applicable on 2 August 2026.
- The AI literacy duty (Article 4) has applied since 2 February 2025, with no size threshold.
- An SME is almost always a deployer; heavy obligations fall on providers and high-risk use cases.
- GDPR stacks with the AI Act: dual documentation for high-risk AI processing personal data.
- Sanctions reach EUR 35 million or 7% of worldwide turnover for prohibited practices, with a more favourable regime for SMEs.
- A 90-day roadmap (mapping, charter, training, register) is enough for most French SMEs.
Related pillar guide
To move from isolated AI tests to a controlled finance workflow, read "AI in accounting 2026: use cases, ROI, risks and the EU AI Act". It helps management decide on tools, sensitive data, human review and ROI.
Frequently asked questions
When does the AI Act become fully applicable?
General applicability is set for 2 August 2026. Prohibited practices and the AI literacy duty have applied since 2 February 2025, and GPAI obligations since 2 August 2025. The rules on regulated products apply from 2 August 2028.
Is an SME that uses ChatGPT an AI provider?
No. An SME that uses an AI SaaS tool is in principle a deployer. It must govern usage, the data entered, human validation and team training, but it does not bear the provider's heavy obligations.
What is the AI literacy duty imposed by Article 4?
It is the obligation for providers and deployers to ensure a sufficient level of AI literacy among their staff, contractors and subcontractors. No size threshold is provided; the obligation has been in force since 2 February 2025.
What sanctions apply to an SME in the event of a breach?
Article 99 provides three caps: up to EUR 35 million or 7% of worldwide turnover for prohibited practices, EUR 15 million or 3% for high-risk or GPAI non-compliance, and EUR 7.5 million or 1% for incorrect information supplied to authorities. SMEs benefit from the lower of the two amounts.
Does the AI Act replace GDPR?
No. The AI Act stacks with GDPR. For any AI processing personal data, the legal basis, information of data subjects, a DPIA where required, minimisation and security remain mandatory. GDPR compliance is even a prerequisite for the EU declaration of conformity of a high-risk system.
How do I know whether a use case is high-risk?
A use case is high-risk if it appears in Annex I or III of the regulation: recruitment and employee evaluation, credit scoring, biometrics, critical infrastructure, education, justice, safety of regulated products. Outside these lists, the use is generally minimal-risk or subject only to specific transparency duties.
Is a DPO required to manage AI Act compliance?
A DPO is not specifically required by the AI Act, but one becomes useful because almost all AI systems process personal data. GDPR remains the basis of the analysis. The DPO, CISO and CFO often form the trio that drives AI governance.
What is the first deliverable to produce internally?
A map of the AI tools already in use: tool, team, data processed, purpose, vendor, risk level, human oversight and internal owner. This document then conditions the charter, the training plan and the incident register.

Article written by Samuel HAYOT
Chartered Accountant, registered with the Institute of Chartered Accountants.
Regulated French accounting and audit firm based in Paris 8, built to support companies across France with a digital and decision-oriented approach.