On August 2, 2026, the EU AI Act imposes concrete obligations on companies that use AI systems in sensitive processes. If you use an AI tool to recruit, score customers, or evaluate teams, you have 69 days to comply — without necessarily spending a single euro.
According to the Bpifrance IA 2026 report, 68% of French SMBs with fewer than 250 employees haven't yet inventoried their AI usage. Most have no action plan for the August 2026 deadline.
This guide is for SMBs acting as deployers — those using third-party AI tools in their processes — with a 5-step action plan illustrated by a fictional case.
À retenir — Key Takeaways
- Deadline: 2 August 2026 for high-risk AI systems — 68% of French SMBs unprepared (Bpifrance 2026)
- Your likely role: deployer (you use a third-party AI tool) → reduced but real obligations: human oversight, usage register, operator training
- High risk: AI-based recruiting (Workable, HireVue), credit scoring, automated employee performance scoring
- Limited risk: chatbots, summarisation tools → a visible "automated processing" notice is sufficient
- Compliance cost: €0 in software for a standard SMB deployer — 8 hours of internal work spread over 3 weeks
- Next deadline: 2 August 2027 for Annex I high-risk products (machinery, medical devices)
What the AI Act Actually Changes for European Businesses
EU Regulation 2024/1689 has been entering into force progressively since August 1, 2024. Three dates structure the timeline.
February 2025 — Prohibition of banned AI practices: social scoring, psychological manipulation, non-consensual biometric recognition. Already applicable for 6 months. If your SMB operates in these zones, the urgency is immediate, not August.
August 2, 2026 — Obligations for high-risk AI systems and general-purpose AI models (GPAI). This is the deadline that concerns the majority of SMBs using HR, scoring, or evaluation tools.
August 2, 2027 — Full application for certain high-risk products listed in Annex I (machinery, medical devices). Out of scope for most service SMBs.
Provider, Deployer, or End User: Where Does Your SMB Fit?
The AI Act distinguishes three roles with very different obligations.
Provider: you develop or commercialize an AI system. Maximum obligations — CE marking, complete technical documentation, registration in the EU database.
Deployer: you integrate a third-party AI system into your business processes. This describes the majority of SMBs. Lighter but real obligations: human oversight, usage log, operator training.
Simple end user: your employees use ChatGPT to draft emails or generate summaries. Minimal obligations — no specific formalities as long as the AI output doesn't enter a decision affecting third parties.
Identifying your role is the first decision to make — it conditions everything that follows.
The 4 Risk Levels: Are You in the High-Risk Zone?
| Category | Concrete Examples | SMB Deployer Obligation |
|---|---|---|
| Prohibited | Social scoring, psychological manipulation, non-consensual biometrics | Immediate stop — applicable since February 2025 |
| High risk | AI recruitment, credit scoring, employee evaluation, critical infrastructure access | Mandatory compliance before 08/02/2026 |
| Limited risk | Chatbots, text generators, summarization tools | Visible "automated processing" notice for end users |
| Minimal risk | Spam filters, content recommendations, spell checkers | No specific obligation |
How to Know if Your Tool Is Classified High-Risk
You're in the high-risk zone if your SMB uses an AI tool for any of the following:
The quick test: if your AI tool produces a score, grade, or ranking that directly influences a decision about a person — you're in high-risk territory.
If you use Workable, BambooHR, HireVue, or any automatic CV matching tool: ask your provider in writing whether their system is classified as high-risk under the AI Act. Their answer (or silence) tells you everything.
Fictional Case: Full Compliance in 3 Weeks — Cost: €0
Here's how a typical 45-employee e-commerce SMB could approach its AI Act compliance.
Initial situation:
Week 1 — Inventory and identification (2 hours of work)
The team listed all active AI tools in 2 hours on a Google Sheet: tool name, provider, exact business use, personal data processed, estimated monthly volume.
The credit scoring module was immediately identified as a high-risk system. A written email (to create a paper trail) was sent to the provider requesting the technical documentation and user notice — mandatory for any provider of a high-risk AI system targeting EU deployers.
Week 2 — Documentation and adjustments (1h + provider response)
Documentation arrived within 5 business days. Two parallel actions:
An "automated processing" notice was added to the T&Cs for the customer service chatbot (30 minutes of development). The CFO was designated as internal AI officer — no recruitment, no cost, just an internal formality documented by email.
Week 3 — Registry and procedure (1h)
Creation of the AI usage log (Google Sheets, 5 columns: tool name, business use, deployment date, deactivation date if applicable, internal officer). CFO training on the credit scoring module: 30 minutes, provided free of charge by the provider.
Internal procedure established: the CFO manually validates all decisions exceeding €5,000 generated by the scoring module. This human validation is precisely what the AI Act requires for high-risk systems.
Result: SMB compliant for the August 2, 2026 deadline. Total cost: €0 in software or external providers, 8 hours of internal work spread over 3 weeks.
Neuraweb offers a free AI Act compliance audit for SMBs — risk assessment and action plan in 48h. Request an audit →
The 5-Step Action Plan: Complete Before August 2, 2026
Step 1 — Inventory all your AI tools (2h)
List everything that integrates AI in your company on a Google Sheet: tool name, provider, exact business use, personal data processed (employees, customers, candidates), estimated monthly volume.
Don't forget AI modules embedded in your existing SaaS tools — AI features in HubSpot, Salesforce, Zendesk, or your ERP fall within scope if they process personal data in a decision-making process.
Step 2 — Classify the risk of each tool (1h)
For each tool on the list, ask one question: does this system produce scores, rankings, or decisions that directly affect natural persons?
If yes → classify as provisionally high-risk and move to Step 3.
If no → identify whether there's direct interaction with end users (limited risk, notice required) or none (minimal risk, no action).
Step 3 — Request documentation from the provider (1 email, 5 to 10 days)
Send a written email to each provider of a high-risk classified system. Explicitly request:
The written email creates a paper trail — essential in case of an audit. If the provider refuses or cannot provide this documentation: this is a serious red flag. A compliant provider is legally required to make it available. Switch tools if necessary.
Step 4 — Implement human oversight (2h)
The AI Act requires that a qualified human supervise and be able to challenge decisions made by high-risk systems. Three concrete actions:
Designate an internal AI officer (existing team member, no recruitment needed). Train them on how the tool works — your provider is required to offer this training. Document the procedure: who validates what, within what timeframe, with what traceability.
The oversight procedure is the centerpiece of your compliance file.
Step 5 — Create and maintain the usage log (1h setup, 15 min/month)
Deployers of high-risk systems must maintain a usage log. Five columns are sufficient:
This log is your proof of compliance. Update it with every new AI tool deployed or retired.
Responsibility Allocation: You vs. Your SaaS Provider
This is the most common grey area in SMBs: "our SaaS provider handles AI Act compliance for us, right?"
Partially. The SaaS provider is responsible for the compliance of their system — technical documentation, CE marking, EU registration. You, as a deployer, remain responsible for:
This allocation must be clarified by a contractual amendment with your provider before August 2026. If your current contract doesn't mention the AI Act: send an email explicitly requesting clarification of respective responsibilities. The response (or absence of one) is informative.
What SMBs Should Do Based on Their Situation
You use no AI tools in HR, credit, or evaluation processes — minimal risk. Still do the 2-hour inventory: you'll be clear for 12 months and prepared for any potential checks.
You use a recruitment or evaluation tool with automated scoring — immediate priority. Start with the email to your provider this week. Response and documentation delays can take 2 to 3 weeks.
You're developing an AI feature for your own customers — you're a provider, not just a deployer. Obligations are significantly heavier: complete technical documentation, compliance analysis, potentially CE marking. Consult a specialist AI lawyer.
You operate in healthcare, finance, or infrastructure — additional sector-specific obligations apply beyond the AI Act. A specialist legal review is recommended before August 2026.
---
Further Reading
Neuraweb conducts your AI Act audit for free — risk assessment, 48h action plan, and compliance guidance. Request the audit →
Let’s discuss your project
30-min discovery call: ask your questions, we sketch a concrete first plan with rough numbers.
30 min · no commitment
Book a meetingAI integration on your site
Chatbot, recommendations, semantic search: turn your site into a conversion machine.
Discover the service