← Blog
  • ai act
  • regulation
  • small business

What the EU AI Act really means for your small business

5 min read

The EU AI Act is now in force. A plain-English guide to what really applies to a small business, what got delayed this summer and what to do next.


The EU Artificial Intelligence Act — the "AI Act" — has been in the headlines for months, and the tone is almost always ominous: huge fines, endless paperwork, one more regulatory weight on the small business. Here's the reassuring part: if you use AI the way most small businesses do — answering messages, drafting emails, putting together quotes — what you actually have to comply with is far more manageable than the scare stories suggest. And this summer the timeline got lighter. Let's walk through it without the jargon: what the law is, what changed a few weeks ago, and what you should actually do.

The AI Act in two minutes

It's the world's first comprehensive law regulating artificial intelligence, and it's European. It entered into force on 1 August 2024 and applies in phases through 2027. The core idea is simple: it classifies uses of AI by risk, not the technology itself.

  • Unacceptable risk: banned uses, such as manipulating people or social scoring of citizens. Prohibited since February 2025.
  • High risk: AI that makes serious decisions (hiring, credit, access to essential services). Heavy obligations around documentation and oversight.
  • Limited risk: mainly a transparency duty. This is where a chatbot or an agent that handles your customers sits.
  • Minimal risk: everything else. No new obligations.

The takeaway for you: almost everything a small business does with AI falls under "limited" or "minimal" risk, not "high risk".

This summer's news: the timeline eased up

In November 2025, the European Commission proposed a simplification package (the Digital Omnibus on AI) to lighten and delay parts of the law. It crossed the finish line a few days ago: on 29 June 2026 the Council of the EU gave its final green light, after the European Parliament approved it on 16 June.

What changes in practice?

  • Obligations for stand-alone high-risk systems move from 2 August 2026 to 2 December 2027. Those embedded in regulated products (medical devices, lifts and the like) shift to August 2028.
  • A new ban was added on apps that generate fake nudes (so-called "nudifiers") and on child sexual abuse material.
  • But note: the transparency rules still start on 2 August 2026, exactly as planned. That part wasn't delayed.

You can read the official announcement in the Council of the EU press release.

What actually affects you as a small business

Tune out the noise and hold on to three concrete things.

1. Transparency: say it's an AI. If a customer talks to your agent on WhatsApp or your website chat, they have the right to know they're talking to a machine, not a person. Likewise, any AI-generated content you publish should be identifiable as such. This kicks in on 2 August 2026, and meeting it is as easy as one line at the start of the conversation: "Hi, I'm the virtual assistant for [your business]."

2. AI literacy. Since February 2025, the law expects anyone using AI in your business to have a basic grasp of what it does and where it falls short. This isn't an official course or a certificate — it's common sense. Don't let anyone on your team use a tool blind, without understanding what it decides and what it doesn't.

3. No prohibited uses. Manipulating, deceiving or scoring people is off the table. For a normal small business this is rarely an issue, but it's worth knowing the line exists.

When you do step into "high-risk" territory

Here's the important nuance — the "when NOT to relax" part. Most small-business uses aren't high risk, but some are. If you use AI to screen CVs and decide who to hire, to assess a customer's creditworthiness, or for similar calls that directly affect someone's life, you're in the high-risk category, with considerably heavier obligations (now applicable from December 2027).

By contrast, an agent that answers questions, books appointments or drafts a quote is not high risk. The dividing line is whether the AI decides something sensitive or merely prepares the work for you to decide.

And an honest caveat: this is a guide, not legal advice. If you have a use that might be high risk, talk to a specialist before diving in.

What you can do today, without the stress

You don't need a compliance department. These steps more than cover what a small business does:

  1. Flag that it's an AI on your automated channels. One sentence does it.
  2. Keep a human in the loop. Let the AI prepare, and have you (or your team) approve before anything important goes out.
  3. Pick reputable providers that comply with GDPR and explain clearly what they do with your data.
  4. Jot down on a single page which AI tools you use and what for. If anyone ever asks, you've got it to hand.
  5. Don't put AI in charge of delicate decisions (hiring, lending) without pausing to ask whether that's high risk.

In short

The AI Act wasn't designed to smother small businesses, and this summer made that even clearer by pushing back the heaviest part. For you, compliance almost always boils down to two ideas: be transparent, and keep a human in control. As it happens, that's also simply the best way to use AI.

At Yaqbot we build it that way by default: our AI receptionist introduces itself as what it is and escalates to you whatever needs your judgement. You approve, it executes — and complying with the law stops being a headache.