Bunny Honey ClubBunny Honey/blog
Work with us
← back to indexblog / ai / eu-ai-act-2026-small-business-guide
AI

EU AI Act for small business: what changed, what didn't

The EU AI Act's 2026 deadline got pushed to 2027 and 2028. What small businesses actually still have to do now — in plain English, not law-firm language.

AH
Arthur HofFounder, Bunny Honey Club AI
publishedJun 30, 2026
read7 min
EU AI Act for small business: what changed, what didn't

The EU AI Act's August 2026 deadline just moved. Some of it moved to December 2027. Some moved further, to August 2028. If you run a small business and you've been vaguely dreading an AI compliance deadline all year, the honest update is: s

The EU AI Act's August 2026 deadline just moved. Some of it moved to December 2027. Some moved further, to August 2028. If you run a small business and you've been vaguely dreading an AI compliance deadline all year, the honest update is: some of that dread was correctly aimed, and most of it wasn't.

The EU's Digital Omnibus on AI pushed back the compliance timeline for high-risk AI systems. That's real, and it's worth understanding precisely, because the coverage of it has mostly been written for compliance lawyers and enterprise risk teams, not for the plumber running a booking chatbot or the dental practice using an AI phone receptionist. The AI Act delay is real but narrow — it moves the deadline for high-risk-system technical documentation, not the prohibited-practices ban that's already enforceable, and most small businesses were never in the high-risk category to begin with, which means the delay changes almost nothing for the AI tools most small businesses are actually running. This is what actually shifted, what's already been law since February 2025, and the three things worth doing this quarter regardless of the extended runway.

What actually moved, precisely

The EU AI Act is not one deadline. It's a staged rollout across several categories of obligation, each with its own timeline. The Digital Omnibus reportedly delayed two of those categories specifically: certain high-risk AI system requirements now land December 2, 2027, and others August 2, 2028, instead of the original August 2, 2026 date.

High-risk AI systems, under the Act's own classification, are things like AI used in employment decisions (hiring, firing, performance evaluation), credit scoring, law enforcement risk assessment, critical infrastructure safety systems, and medical diagnostic tools. It is a specific, enumerated category — not a general label for "any AI a business uses." The compliance burden for this category is substantial: technical documentation under Article 11 covering design decisions, training data governance, and fundamental rights impact assessments. That's the part that got more runway.

Feb 2025prohibited practices already enforceable
Dec 2027some high-risk obligations, new deadline
Aug 2028other high-risk obligations, new deadline
0change to prohibited-practices enforcement

What didn't move, and is already law

This is the part every small-business owner should actually know, because it's the part that's currently enforceable and most coverage buries it under the delay headline.

Prohibited practices became enforceable in February 2025 and remain fully in force. These are outright bans, not "regulated with a compliance pathway" categories — social scoring systems, real-time remote biometric identification in public spaces (with narrow law-enforcement exceptions), AI systems that infer emotions in workplaces or educational settings, and AI designed to materially distort behavior in ways that cause harm, particularly targeting vulnerable groups.

None of the delay applies here. If your business is doing any of these things with AI, you've been in violation since February 2025, and the Digital Omnibus changed nothing about that. The full text of the prohibited-practices provisions is publicly searchable if you want to check a specific use case against the actual language rather than a summary.

The reassuring part: almost no small business is anywhere near this category. A booking chatbot, a content-generation tool, a marketing-automation workflow, an AI phone receptionist — none of these are social scoring, biometric surveillance, or emotion inference. The prohibited-practices list is narrow and specific, deliberately targeting the most invasive AI applications, not general commercial AI use.

The category most small businesses actually fall into

Here's the thing the delay headlines mostly skip: most small businesses using AI in 2026 aren't deploying high-risk systems at all. They're deploying, in the Act's terminology, either limited-risk systems (chatbots, most customer-facing AI, where the main obligation is a transparency disclosure — telling users they're interacting with AI) or they're deployers of general-purpose AI models built by someone else (ChatGPT, Claude, Gemini) rather than providers of a novel AI system.

The compliance burden for a deployer using an off-the-shelf general-purpose model is fundamentally different from the compliance burden for a provider building a novel high-risk system. As a deployer, you're largely relying on your AI vendor's own conformity work — Anthropic's, OpenAI's, Google's — rather than producing your own technical documentation from scratch. Your obligation is closer to "use the tool within its intended purpose and don't misrepresent what it does" than "produce an Article 11 technical file."

This is the distinction that determines whether the delayed deadline is relevant to you at all. If you're a dental practice using an AI phone receptionist built by a vendor, you're a deployer of (probably) a limited-risk system. The high-risk delay doesn't touch you, but it also never would have applied to you in the first place — you were never in that category.

Why "we have more time" is the wrong takeaway anyway

Even for businesses that genuinely are in a higher-risk category — say, a small HR-tech company building an AI screening tool, or a fintech doing AI-driven credit assessment — treating the delay as permission to slow down is a mistake for a reason that has nothing to do with the regulation itself.

The technical documentation the Act requires — training data governance records, design decision rationale, fundamental rights impact assessments — is the kind of evidence that's dramatically cheaper to produce incrementally, as you build, than to reconstruct retroactively under deadline pressure. A business that starts documenting design decisions now, in July 2026, with 18 months of runway, builds a credible, contemporaneous record. A business that waits until month 20 of a 30-month extension and then tries to reconstruct 2026's design decisions from memory and old Slack messages produces documentation that reads exactly like what it is: retrofitted.

Regulators, when they eventually review this documentation, can generally tell the difference. More importantly, the businesses we've watched go through analogous compliance exercises — GDPR data-processing records, SOC 2 evidence collection — consistently report that the incremental approach costs less total effort than the retroactive scramble, even though it feels like "extra work now" in the moment. The extended deadline is genuine relief on timing pressure. It's not relief on total effort, if you're actually in the affected category.

The three things worth doing this quarter, deadline or not

Regardless of where your business sits on the risk spectrum, three concrete actions are worth taking now rather than waiting for any deadline.

One: run the category check, in writing. Don't just intuit that you're probably fine — write down, in one paragraph, which AI systems your business uses or builds, and which risk category each falls into under the Act's own definitions (prohibited, high-risk, limited-risk, or minimal-risk/general-purpose-deployer). This takes an afternoon and resolves most of the anxiety, because most small businesses will land solidly in limited-risk or minimal-risk territory once they actually check.

Two: audit your AI vendor contracts for their own compliance posture. If you're a deployer relying on a vendor's conformity work, confirm that vendor is actually positioned to meet their obligations — ask directly, or check their published compliance statements. This matters because your compliance, as a deployer, is partly downstream of theirs.

Three: if you're building anything that touches a genuinely high-risk category, start the documentation habit now, extended deadline notwithstanding. Not because the deadline is imminent, but because the habit is cheaper to build early than to retrofit later, and because the discipline of documenting design decisions as you make them tends to produce better decisions, independent of any regulatory benefit.

For the DACH-region businesses we work with most closely — where regulatory caution tends to run higher than in, say, the US market by default — the practical read is the same one we've given on other AI-adjacent DACH strategy questions: the compliance anxiety is usually disproportionate to the actual exposure for a small operator, and the actionable next step is a category check, not a law firm retainer.

The delay bought real time for the businesses that genuinely needed it — the ones building high-risk systems from scratch. It bought nothing for the ninety percent of small businesses who were never in that category and just needed someone to tell them that clearly instead of scaring them with a deadline that was never theirs to worry about.

a compliance advisor we work with, on the Digital Omnibus delay

What we'd actually tell a client this week

If a client asked us this week what the AI Act means for their business, the answer is short. Check which category you're in — most small businesses land in limited-risk or minimal-risk, and the delay is irrelevant to them because the high-risk deadline was never theirs. If you use off-the-shelf AI tools (a chatbot vendor, an AI receptionist service, ChatGPT or Claude for internal work), your obligation is largely about using the tool honestly and disclosing AI interaction to your customers where required — not producing technical documentation. If you're building something novel that touches hiring, credit, health, or safety decisions, the delay is genuine relief on timing, but start documenting now anyway, because the habit pays for itself regardless of the deadline.

The AI Act's 2026 news cycle produced a lot of anxious coverage aimed at a narrow slice of businesses that genuinely need to worry, and it landed, indiscriminately, on every small business owner who read a headline. The delay is good news for almost everyone who read it as bad news. The category check is the thing that actually resolves the question, not the calendar.

— share
— keep reading

Three more from the log.