Three weeks out from 2 August 2026, a lot of small businesses believe they dodged a bullet. Brussels spent the spring rewriting its own rulebook: the Digital Omnibus was agreed politically on 7 May, endorsed by Parliament on 16 June, and given final Council sign-off on 29 June. Headlines duly announced a delay. But the EU AI Act deadline has not disappeared — it has been split in two, and the half that still bites in August is the half most small companies are least prepared for.
What the EU AI Act deadline actually changed
Under the original timetable, 2 August 2026 was the binding enforcement date for high-risk AI obligations: Articles 9–17 for providers and Article 26 for deployers. The simplification package pushes much of that back. Annex III high-risk systems — the ones used in employment, credit, education and essential services — get roughly a 16-month postponement for new or substantially modified systems. AI embedded in regulated products (medical devices, machinery, toys, radio equipment) gets around 12 months.
What did not move is Article 50: the transparency obligations. If your business deploys a chatbot, generates synthetic media, or produces AI-written content that a customer could mistake for human output, you are expected to disclose it — from August, not from 2027.
The SME carve-out got bigger
One genuinely good piece of news: the simplified compliance regime for smaller companies has been widened to firms with up to 750 employees and €150 million in annual revenue. That brings simplified documentation templates, reduced fines, regulatory sandbox access and lighter guidance to a far larger slice of the market than the original SME definition allowed.
Why “delayed” is the wrong word to act on
Two forces make waiting expensive. The first is procurement. Your enterprise clients are not waiting for 2027 — they are pushing AI questionnaires down the supply chain now, and a consultant or agency who cannot describe how their AI tooling works will lose bids to one who can.
The second is scale. Agent deployment is accelerating far faster than oversight: research this year suggests around 72% of enterprises are already running agentic AI in production while roughly 60% have no formal governance, and Gartner expects a meaningful share of autonomous agents to be demoted or decommissioned after governance failures surface in production. We wrote about that acceleration in the shift from AI pilots to production agents. Every month of drift adds systems you will later have to document retrospectively — the most expensive kind of compliance there is.
The five-item checklist for August
- Build an AI inventory. List every tool, model, agent and automation touching your business — including the ones a team member signed up for on a personal card. You cannot govern what you have not counted.
- Classify each entry. Is it prohibited, high-risk, limited-risk (transparency), or minimal? Most small-business use — drafting, summarising, scheduling, marketing — lands in limited or minimal. Hiring and credit tools do not.
- Fix disclosure now. Label AI chat agents on your site. Mark AI-generated imagery and content where a reasonable customer could be misled. This is the August obligation.
- Name an owner. One person accountable for AI behaviour, in writing. Survey data suggests fewer than 10% of organisations have this, which is precisely why incidents escalate.
- Write down what your automations do. A one-page description per workflow — inputs, model, human checkpoint, failure path — satisfies most client due-diligence and is the raw material for any later filing. It is also just good operating practice, as we argued in our guide to back-office AI automation.
Governance is a sales asset, not a tax
Treating this as paperwork misses the commercial point. In a market where most vendors cannot answer basic questions about their models, data handling and human oversight, being the one who can is a differentiator you can put in a proposal. The same logic applies to how your content and data are exposed to third parties — see the AI crawler rules small businesses can’t ignore.
The Act’s simplification bought European businesses time, not absolution. Firms that use the next 16 months to build a modest, real governance layer — an inventory, a classification, a named owner, disclosure where it is due — will meet the 2027 dates as a formality. Firms that read “delay” as “ignore” will meet them as a crisis, and they will pay consultants a premium to fix in six weeks what could have been built in six months.