    EU AI Act 2026: The Complete Compliance Checklist for DACH SMEs

    The EU AI Act applies directly to every SME. What has been mandatory since February 2025, what changes on 2 August 2026, what the Digital Omnibus amended, plus a 9-point checklist for DACH mid-market companies.

    By timelit Editorial Team. Reading time: 15 minutes.

    The EU AI Act is no longer a future prospect: it is already applicable law for every company using AI. The first obligations have applied since 2 February 2025; the next major deadline is 2 August 2026. Companies that have not built an AI inventory, classified risk levels, and demonstrated AI literacy by then will be caught in the first wave of market surveillance.

    This guide clears up the most common misconceptions, puts the deadlines shifted by the Digital Omnibus into context, and provides a practical checklist that DACH SMEs can work through directly. It does not replace legal advice, but it gives you a reliable starting point.

    In brief

    The EU AI Act (Regulation (EU) 2024/1689) applies directly in all member states without a national implementing act. Since February 2025, prohibited AI practices are banned and the AI literacy obligation (Art. 4) is active. From 2 August 2026, transparency requirements, the penalty regime, and market surveillance come into force (in Austria: the AI Service Centre of the RTR). The Digital Omnibus of June 2026 postponed the strict high-risk obligations but left the core architecture intact. Violations can result in fines of up to 35 million euros or 7% of global annual turnover. For SMEs, the lower of the two amounts applies. The 9-point checklist in this article shows what needs to be done now.

    What is the EU AI Act, and why now?

    The EU AI Act, officially Regulation (EU) 2024/1689 of 13 June 2024, is the world's first comprehensive regulatory framework for artificial intelligence. It entered into force on 1 August 2024 and becomes applicable in staggered stages. Unlike a directive, an EU regulation requires no national implementing act: it applies directly and immediately in Austria, Germany, and all other 26 member states.

    The decisive difference from everything most SMEs have known from regulation so far: the AI Act is product-oriented, not data-oriented. It treats AI systems as products with defined risks, rather than focusing primarily on the protection of personal data. This creates an additional layer of obligations on top of the GDPR, with its own documentation, transparency, and competency requirements.

    Also important is the risk-based approach: what is regulated is not the technology itself, but the specific purpose of deployment. One and the same language model can count as "minimal risk" in one application and qualify as a high-risk system in another. An AI chatbot answering questions about opening hours is an entirely different matter from the same provider's algorithm pre-sorting job applicants.

    "Why now?" can be answered in one sentence: because the first obligations already apply and the next stage, the most tangible for SMEs, goes live in early August 2026. Those who wait until "everything is clear" will miss exactly the window in which preparation is still calm and cost-effective.

    The Digital Omnibus: What changed in 2026

    This is the most important update compared to older guides, and also the most common mistake in circulating checklists. By the end of 2025, AI Act implementation was visibly behind schedule: harmonised standards and guidelines were missing, and supervisory structures were still being built. The European Commission therefore presented the "Digital Omnibus on AI" on 19 November 2025, a package of targeted amendments.

    After difficult negotiations, the EU institutions reached a political agreement on 7 May 2026, and the European Parliament voted on 16 June 2026. The Council's formal adoption is expected before 2 August 2026. Important: until formal publication in the Official Journal, the new deadlines are not yet legally binding. Plan with a buffer rather than on the wire.

    The package primarily postpones the strict high-risk obligations, but deliberately leaves the core architecture of the AI Act (the risk-based approach, the governance structure, the core obligations) intact. The key changes:

    • High-risk systems under Annex III (e.g. recruitment, credit scoring, education): postponed from 2 August 2026 to 2 December 2027.
    • High-risk AI in regulated products under Annex I (medical devices, machinery, vehicles): postponed to 2 August 2028.
    • Watermarking obligation for providers of generative AI (machine-readable marking): postponed for existing systems to 2 December 2026.
    • New prohibition in Article 5: AI that generates non-consensual intimate image depictions ("nudifiers") or depictions of child sexual abuse.
    • AI literacy (Art. 4) is softened: the focus shifts to support measures by the Commission and member states rather than an unspecific obligation on businesses. However, the obligation for deployers of high-risk AI to train their staff for human oversight (Art. 26) remains.

    The central message from supervisory authorities is nonetheless clear: the postponement is time to prepare, not time to stop. Standards and guidelines are expected to be finalised only shortly before the new deadlines. Those who start only then will have no room for manoeuvre.

    Who is affected? Providers, deployers, importers, distributors

    The AI Act distinguishes four roles, each with its own obligations:

    1. Provider: Anyone who develops an AI system or places it on the market under their own name or brand. Note: anyone who substantially modifies a purchased system or operates it under their own brand can also become a provider.
    2. Deployer: Anyone who uses an AI system under their own responsibility. This is the role of the vast majority of SMEs. You use ChatGPT, Microsoft Copilot, a CRM with AI functions, or a recruitment tool from a third-party provider.
    3. Importer: Anyone who brings an AI system from a third country (e.g. the USA) onto the EU market.
    4. Distributor: Anyone who makes an AI system available in the supply chain without being a provider or importer.

    Two points are regularly underestimated:

    Extraterritoriality. The AI Act also applies to companies outside the EU if the AI output is used in the EU. Swiss companies with EU customers therefore fall indirectly under it, as does every DACH mid-market company whose US-hosted model delivers results for the EU market.

    Indirect AI use counts. You also fall under deployer obligations if AI is merely "built in", for example via a CRM with predictive functions, an ERP with AI forecasting, or an office suite with an integrated assistant. There is no general SME exemption from the core obligations.

    The four risk categories explained

    The AI Act divides AI systems into four categories based on their purpose of use. Each has its own obligations:

    | Risk category | Examples | Obligations | Applies from |
    |---|---|---|---|
    | Unacceptable risk (prohibited) | Social scoring, subliminal manipulation, exploitation of vulnerability, untargeted scraping of facial images, emotion recognition in the workplace or education, real-time remote identification in public spaces (narrow exceptions) | Complete prohibition | 2 February 2025 |
    | High risk (strictly regulated) | AI in recruitment (CV screening!), credit scoring, insurance underwriting, critical infrastructure, medical devices, education, law enforcement, migration, justice (Annex III) | Risk management, data governance, technical documentation, logging, human oversight, conformity assessment | 2 December 2027 (Annex III) / 2 August 2028 (Annex I) |
    | Limited risk (transparency) | Chatbots, voice agents, deepfakes, AI-generated text/images/audio/video | Labelling and disclosure requirements (Art. 50) | 2 August 2026 |
    | Minimal risk (free) | Spam filters, AI in video games, simple recommendation systems | No obligations (voluntary codes of conduct recommended) | n/a |

    For most SMEs, categories 2 and 3 are most relevant. The classic case: AI-assisted applicant pre-selection. Any company using automated CV screening (whether in Personio, an HR module, or its own tool) operates a high-risk system. Trusting the provider is not enough: the deployer must be able to reliably demonstrate conformity.

    A misconception that becomes costly: "The tool comes from a major provider, so it should be fine." Responsibility as a deployer cannot be fully transferred to the manufacturer.

    All key dates at a glance

    The roadmap as it currently stands (including the Digital Omnibus, subject to final adoption by the Council):

    | Date | What applies | Status |
    |---|---|---|
    | 1 August 2024 | AI Act enters into force, deadline countdown begins | Done |
    | 2 February 2025 | Prohibited AI practices (Art. 5) + AI literacy obligation (Art. 4) | In force |
    | 2 August 2025 | Obligations for GPAI models (e.g. GPT, Claude, Gemini), governance structures, penalty regime established | In force |
    | 2 August 2026 | Transparency requirements (Art. 50), enforcement powers, market surveillance (in AT: RTR) | Next deadline |
    | 2 December 2026 | Watermarking for existing generative systems + compliance with new Art. 5 prohibition | Upcoming |
    | 2 December 2027 | High-risk obligations for standalone Annex III systems (postponed) | Upcoming |
    | 2 August 2028 | High-risk obligations for Annex I systems in regulated products (postponed) | Upcoming |

    Note: Even though the strict high-risk obligations only apply from late 2027, most transparency requirements under Art. 50 still come into force on 2 August 2026. Only the technical watermarking obligation for providers has been postponed. The labelling obligations that affect most SMEs are therefore coming in August.

    AI literacy under Article 4: the underestimated obligation

    Article 4 is the broadest single obligation in the entire AI Act and at the same time the most frequently overlooked. It requires providers and deployers to "take measures to ensure, to their best extent, a sufficient level of AI literacy" for their staff and all persons who work with AI systems on their behalf. This applies regardless of risk category, so even if your team "only" uses ChatGPT or Copilot.

    What does this mean in practice?

    • "Sufficient" is context-dependent. A receptionist who occasionally uses a chatbot needs a different level than a data analyst managing a scoring model. Training must be proportionate to the role, the risk, and the deployment context.
    • No certification requirement. No specific examination or accredited programme is prescribed. You choose the format and depth yourself. A practical foundation module of typically four to six hours plus role-specific deepening is considered a common minimum.
    • Documentation is key. There is no obligation to measure the competency level, but you should be able to demonstrate which training sessions were conducted: attendance confirmations, LMS tracking, training concept documentation.
    • No standalone fine, but a multiplier. Art. 4 has no independent penalty amount. However, missing AI literacy acts as an aggravating factor for other violations and, since August 2025, can give rise to civil liability if untrained staff cause harm with AI.
    • Enforcement from August 2026. Supervision and enforcement of the literacy obligation formally begins on 2 August 2026. Anyone with nothing to show by then is already exposed.

    In practice, this means: a documented training concept is the cheapest first step towards AI Act readiness, and the documentation feeds directly into deeper obligations (human oversight under Art. 14, deployer obligations under Art. 26, transparency under Art. 50). In Austria, the WKO and WIFI (including the "KI-Führerschein") offer ready-made training modules.

    Transparency requirements from August 2026

    From 2 August 2026, Article 50 comes into effect. For SMEs, three rules are in focus:

    1. Chatbot disclosure. Anyone operating a chatbot or voice agent that interacts with natural persons must clearly inform those persons that they are communicating with an AI system. A hidden footnote is not sufficient. The standard is a clearly visible notice before the first message exchange.
    2. Labelling of AI-generated content. Texts, images, audio, or video that were generated or manipulated with AI must be labelled when published or made accessible to a broad audience.
    3. Deepfake and information labelling. Deepfakes and AI-generated texts serving to inform the public on matters of public interest must be explicitly labelled.

    The purely technical, machine-readable marking ("watermarking") by providers of generative systems has been postponed for existing systems to 2 December 2026. The visible labelling obligations for deployers, however, remain at August 2026.

    Penalties: What a violation costs

    The penalty regime (Art. 99) is, as with the GDPR, deliberately structured to deter:

    | Violation | Maximum penalty |
    |---|---|
    | Prohibited practices (Art. 5) | up to 35 million euros or 7% of global annual turnover |
    | Violations of other obligations (incl. high-risk, deployer and literacy obligations) | up to 15 million euros or 3% |
    | False or misleading information to authorities | up to 7.5 million euros or 1% |

    For SMEs there is an important relief: the lower of the two amounts applies (Art. 99 para. 6). Nevertheless, even the lower amount can be existentially threatening. Beyond fines, authorities can order remediation or prohibit the operation of an AI system if there is an acute risk. Reputational damage adds to this if a violation becomes public.

    Supervision in the DACH region

    Who is in charge? Responsibilities differ by country:

    Austria. The central point of contact is the AI Service Centre at the RTR (Rundfunk und Telekom Regulierungs-GmbH). It has been established as the national contact and advisory body since 2024/2025 and takes over the role of market surveillance and supervisory authority from 2 August 2026. Sector-specific authorities remain in place: the Data Protection Authority (DSB) for GDPR aspects, the FMA for AI in finance and insurance, the BASG for medical AI, and the Labour Inspectorate in the employment context. The Federal Chancellery coordinates national implementation. SMEs should contact the AI Service Centre early and, for high-risk cases involving personal data, the DSB.

    Germany. The Federal Network Agency (Bundesnetzagentur, BNetzA) is designated as the central market surveillance authority, supplemented by data protection authorities and the BSI for cybersecurity aspects.

    Switzerland. As a third country, the AI Act does not apply directly, but it takes effect indirectly when accessing the EU market or if AI output is used in the EU.

    Practical tip for cross-DACH teams: a compliance programme adopted from Germany cannot be copied 1:1 to Austria. The escalation chains and leading authorities differ.

    AI Act vs. GDPR: Where the difference lies

    The most common misconception: "We are GDPR-compliant, so we should be fine." That is not correct. The AI Act and the GDPR complement each other but do not replace each other:

    • The GDPR protects personal data. The AI Act regulates AI systems as products, including systems that do not process any personal data at all.
    • AI inventory, risk classification, and AI literacy training are AI Act obligations in addition to GDPR documentation.
    • The good news: those who have implemented GDPR properly have a solid starting point. Records of processing activities, data processing agreements (DPAs), and data protection impact assessments (DPIAs) overlap with AI Act requirements. However, a DPIA under Art. 35 GDPR does not automatically cover the Fundamental Rights Impact Assessment (FRIA) under Art. 27 of the AI Act.

    In short: GDPR is the groundwork, not the substitute.

    The 9-point checklist for SMEs

    This sequence has proven effective in practice. Work through it from top to bottom.

    1. Create an AI inventory. List all AI systems in the company, including "shadow AI" in marketing, sales, HR, and IT. This includes ChatGPT, Claude, Copilot, Midjourney, CRM AI functions, chatbots on the website, lead research tools, and meeting transcription. For each system, document: provider, purpose, affected data categories, and the responsible person.

    2. Determine your role. Are you the deployer, provider, importer, or distributor for each system? For most SMEs, the answer is "deployer", but as soon as you operate a system under your own brand or substantially modify it, this can change.

    3. Classify the risk category for each system. Which tool falls into which category? Recruitment and scoring tools are often high-risk; marketing and office tools are usually limited or minimal risk. The classification has liability implications. If uncertain, seek external advice or contact the AI Service Centre.

    4. Build AI literacy (Art. 4). Create a documented training concept: a foundation module for all employees with AI contact, role-specific deepening for power users and those responsible. Plan for regular refresher training. Demonstrate completion via attendance confirmations or LMS tracking.

    5. Introduce transparency notices. Label chatbots, AI texts, and AI images: on the website, in emails, in customer communications. Prepare this now so it is ready for 2 August 2026.

    6. Synchronise data protection (GDPR + AI Act). Update DPAs with AI providers, update the records of processing activities, conduct DPIAs and FRIAs where necessary. A DPA update with OpenAI, Anthropic, Microsoft, and Google is mandatory as soon as personal data is involved.

    7. Clarify governance and responsibilities. Who is responsible for AI internally? How do approval processes work? What escalation paths apply in cases of hallucinations or bias? The AI Act does not require a formal "AI Officer", but clear ownership structures are the foundation of any robust compliance.

    8. Conduct a vendor review. Check your AI providers: EU hosting? Is your data used for model training? Is an EU declaration of conformity or AI Act statement available? Contact providers proactively and document the responses. Providers such as Anthropic have published their own AI Act statements, a good reference point for your own inquiry.

    9. Maintain on an ongoing basis. AI compliance is not a one-off project. Inventory, training, and policies change monthly. Best practice: a quarterly review with a clear owner.

    Checklist to tick off

    • ☐ AI inventory complete (incl. shadow AI)
    • ☐ Role determined for each system (deployer/provider)
    • ☐ Risk category documented for each system
    • ☐ AI literacy training concept active and documented
    • ☐ Transparency notices for chatbots and AI content prepared
    • ☐ DPAs with AI providers updated, records of processing activities supplemented
    • ☐ Internal AI policy and responsibilities defined
    • ☐ Vendor review completed (EU hosting, training policy)
    • ☐ Quarterly review scheduled

    Common mistakes in practice

    • Mistake 1: Treating the AI Act as a pure IT topic. The leverage is in HR, marketing, and sales, exactly where AI is used daily. IT often sees only a fraction of the shadow AI.
    • Mistake 2: Ignoring shadow AI. Employees use private ChatGPT accounts with customer data, a direct GDPR violation and AI Act risk. An honest employee survey typically uncovers two to three times as many AI tools as IT has on its radar.
    • Mistake 3: Creating an inventory once and forgetting it. Reality: it changes monthly. Without a quarterly review, it becomes outdated immediately.
    • Mistake 4: Transparency notices that are purely formal. Authorities check whether labelling is practically effective, not just whether a notice appears somewhere.
    • Mistake 5: Not recognising recruitment tools as high-risk. Applicant data is particularly sensitive; the consequences of audits are correspondingly severe.
    • Mistake 6: Forgetting the vendor review. Anyone who does not check DPAs and provider conformity has an open flank, including the question of who is liable for hallucinations.
    • Mistake 7: Relying on outdated deadlines. Many circulating checklists still cite the pre-Omnibus dates or even claim that the prohibitions and the literacy obligation only start in 2026. Both have applied since February 2025.

    How long does implementation take, and what SME relief exists?

    A realistic implementation timeline for a complete AI Act baseline setup in a mid-market company is 8 to 12 weeks, from inventory through risk classification to documented governance. Sole traders and small teams can do it faster; larger mid-market companies with complex IT landscapes are more likely to need 16 to 20 weeks.

    The AI Act explicitly keeps SMEs in view: they are mentioned dozens of times in the legislative text. The most important reliefs:

    • Free, priority access to regulatory sandboxes, where high-risk systems can be developed under supervision.
    • Simplified documentation templates provided by the European Commission.
    • Capped fines (the lower of the fixed or percentage amount applies).
    • Reduced fees for conformity assessments.
    • Dedicated information and training offerings, in Austria via the WKO, WIFI, and the RTR AI Service Centre.

    Case study: 35-person service company in the DACH region

    A typical case: a service company with 35 employees, headquartered in Austria, with EU-wide client business. AI tools in use: Microsoft Copilot for Office, ChatGPT Teams in marketing, a CRM with AI scoring in sales, a tool for applicant pre-selection in recruitment, and a lead research service. The initial stocktake uncovered three additional shadow tools in marketing that had never been formally approved.

    Approach: a one-day quick-scan with management, IT, the marketing lead, and the HR lead. The result was a table with eleven AI systems, of which one was high-risk (applicant pre-selection), three had transparency obligations (website chatbot, AI images, automated emails), and seven fell into minimal risk. The prioritised roadmap focused first on the high-risk tool: contact the provider, request a conformity proof, document the internal review process, define human oversight. In parallel, AI literacy training launched as a mandatory module for all employees with AI contact.

    The key lesson: the greatest risks were not in the official IT landscape, but in shadow AI and in the false assumption that a purchased recruitment tool was "the provider's responsibility".

    FAQ: Frequently asked questions about the EU AI Act

    When exactly does the EU AI Act apply? In stages: prohibited practices and AI literacy since 2 February 2025, GPAI obligations since 2 August 2025, transparency requirements and enforcement from 2 August 2026. The strict high-risk obligations were postponed by the Digital Omnibus to 2 December 2027 (Annex III) and 2 August 2028 (Annex I).

    Does my sole-trader business or small SME have to comply with the AI Act? Yes. As soon as you use AI in a professional context, even just ChatGPT for customer communication, transparency and AI literacy obligations apply. There is no general SME exemption, but capped penalties and reliefs are available.

    What does a violation cost? Up to 35 million euros or 7% of global annual turnover for prohibited practices, up to 15 million or 3% for other obligation violations, up to 7.5 million or 1% for false statements. For SMEs, the lower amount applies in each case.

    Who is in charge of supervision in Austria? The AI Service Centre at the RTR takes over market surveillance from 2 August 2026. In addition, the DSB (data protection), FMA (finance), BASG (medical), and the Labour Inspectorate are responsible in their respective sectors; the Federal Chancellery coordinates. In Germany, the Federal Network Agency (Bundesnetzagentur) takes the lead.

    Is my existing GDPR documentation sufficient? No. The AI Act and the GDPR complement each other but do not replace each other. AI inventory, risk classification, and AI literacy training are separate obligations. Those who have implemented GDPR properly, however, have done good groundwork.

    Did the Digital Omnibus "defuse" the AI Act? No. It postponed deadlines and clarified individual obligations, but left the core architecture intact. The postponement is preparation time, not a free pass. Until formal adoption by the Council and publication in the Official Journal, the new dates are not yet legally binding.

    What does AI literacy have to do with tool selection? Quite a lot: the more transparent and EU-oriented your tools are, the easier the vendor review becomes. Tools with EU hosting, a clear "no training on customer data" policy, and visible AI labelling noticeably reduce the documentation burden.

    This post is for informational purposes and does not constitute legal advice. For high-risk applications (Annex III), we strongly recommend validation by specialist lawyers in IT and data protection law. As of: June 2026.

    Want to use AI in your business without leaving the compliance flank open? timelit.ai is an AI productivity copilot built natively on Microsoft 365, hosted securely in Europe, and does not use your data for model training, exactly the points you need to tick off in your vendor review anyway. Book a demo.
