fairlane.systems


EU AI Act for SMEs: deadlines and mandatory check by 2 Aug 2026

High-risk duties from 2 August 2026. How a Swiss SME deployer works through the AIA timeline concretely – inventory, classification, training.

Researched & fact-checked by: · As of: 2026-05

Deadline calendar for SMEs

Regulation (EU) 2024/1689 – the EU AI Act, or AIA – phases its duties over three years. For a Swiss SME (fiduciary, lawyer, insurer, consultancy), what matters is not the full text but one question: which date hits us, and with which concrete steps? This page answers that. The general AIA explainer and provider perspective live on our sister page "EU AI Act 2026".

2 February 2025 – prohibitions in force (past). Art. 5 AIA absolutely prohibits eight practices. SME-relevant: no emotion recognition in the workplace, no biometric categorisation of sensitive attributes, no social scoring by authorities, no subliminal manipulation. Anyone using a bought-in HR tool or a customer-analytics system checks today whether it contains a prohibited practice. In practice this hits only edge cases, but the mandatory check is done.

2 August 2025 – GPAI duties in force (past). General-purpose AI providers (OpenAI, Anthropic, Google, Mistral, Meta) must publish technical documentation, copyright policy and a training-data summary. For a Swiss SME deployer this practically means: know which GPAI model you use, and record provider name, model version and Swiss data-protection addendum in your AI inventory (see workflow).

2 August 2026 – high-risk duties in force (critical). Annex III lists eight high-risk areas. Three can hit a typical SME: (4) employment – CV screening, employee evaluation, AI-driven shift scheduling; (5b) creditworthiness and access to essential private services – AI-supported credit-risk calculation in fiduciary mandates; (8) justice and democratic processes – AI output in court proceedings. Any deployer using an AI system in one of these fields has, from 2 Aug 2026, the deployer duties of Art. 26: use as intended, input-data control, human oversight, logging, informing employees (para. 7), and possibly a data-protection impact assessment (Art. 27).

2 August 2027 – full text applicable. High-risk systems as safety components under sectoral EU law (Annex I, Medical Devices, Machinery) get 36 months of transition. Usually not relevant for pure advisory SMEs.

Outside these dates, Art. 4 AIA has applied since the entry-into-force day (2 Aug 2024): providers and deployers must ensure that persons operating AI systems have sufficient AI literacy. This training requirement is NOT tied to the high-risk deadlines – it applies today.

Why this is urgent before the deadline

Three concrete reasons a Swiss SME acts now, not in July 2026.

First: contract duties kick in before the deadline. From summer 2026, EU clients require an AIA compliance assurance in engagement contracts as a default – also from Swiss sub-suppliers. Whoever in July 2026 has no AI inventory, no classification and no deployer documentation loses mandates or has to scramble. EU corporates (insurers, banks, pharma) are already retrofitting AIA clauses into running contracts.

Second: supervisory authorities must be designated by 2 Aug 2026. Each EU member state designates a national market surveillance authority (Art. 70). DE: BfDI / BNetzA, FR: CNIL, IT: AGCOM / Garante. From entry into force these bodies are competent to review high-risk applications – also cross-border. A request from an EU authority to a Swiss SME via market-surveillance cooperation (Art. 74) is a realistic scenario from 3 Aug 2026.

Third: training duty under Art. 4 is already due today. Whoever lets employees work with AI tools must train them in fundamentals – hallucination risk, source verification, data protection, confidential inputs. A written training confirmation per employee is the usual form. In an audit Art. 4 is the first question; the answer "we did not train this" is an immediate fine indicator.

The SME relief under Art. 99 para. 6 (fines capped to the lower of the two figures) helps but does not remove the duty. A maximum of EUR 7.5 m is not a "lenient fines rule" for an SME – it is an existential risk.

What to do in practice

For a typical Swiss SME as deployer (not provider), preparation breaks into four blocks.

Block 1 – AI inventory. A list of all AI tools used in the company. Per entry: tool name, provider, model (e.g. GPT-4o, the current top Claude model), application area, user group, data categories (client data, HR data, financial data), legal basis under revFADP. Example: "Microsoft Copilot in M365 / OpenAI GPT-4 / general office support / all employees / non-sensitive content / contract with Microsoft Switzerland". Even unsanctioned shadow IT (a privately used ChatGPT account of an employee) belongs in the first inventory pass and is then shut down or formalised.

Block 2 – risk classification. Per inventory entry a classification: prohibited / high-risk / limited (transparency) / minimal. Prohibited: Art. 5 collision. High-risk: Annex III hit. Limited: chatbots, AI-generated content (Art. 50 – "AI-generated" disclosure mandatory). Minimal: everything else, the lion's share of typical SME usage. Classification is a legal question – when in doubt, ask a lawyer. An intuitive self-classification is NOT sufficient near Annex III.

Block 3 – for high-risk hits: conformity procedure. When a tool in use is high-risk (e.g. applicant-screening software), the deployer duties from Art. 26 apply from 2 Aug 2026. That means: use as intended per manufacturer's instructions, logging of decisions (Art. 26 para. 6, combined with provider system logging from Art. 12), human oversight by trained personnel, information of affected employees and where applicable their representatives (para. 7), data-protection impact assessment under Art. 27 if personal data are processed. Whoever BUILDS high-risk software themselves or distributes it under their own name becomes a provider – that is a different duties list (see our provider page).

Block 4 – training under Art. 4. All employees using AI tools need basic training: what AI can and cannot do, when it hallucinates, how to verify sources, what may and may not be entered. Duration: typically 2-4 hours in-person or e-learning. Confirmation in writing, in the personnel file. Repetition: yearly or on significant tool change.

Disclaimer. This page is not legal advice. The risk classification of a specific tool may differ from the logic shown here – when Annex III is suspected, an EU-specialised law firm must be involved early. Notified bodies for conformity assessment are listed in the EU Commission's NANDO database.

SME checklist in 6 steps

  1. Build the AI inventory: list all AI tools in the company (including shadow IT). Per entry: provider, model, use area, data categories, user group.
  2. Risk classification: per inventory entry determine – prohibited (Art. 5), high-risk (Annex III), limited (Art. 50 transparency), minimal. Near Annex III, engage a lawyer.
  3. For high-risk hits: prepare deployer duties from Art. 26 – use as intended, logging configuration with provider, human oversight by trained staff, employee information.
  4. Document the data protection impact assessment (Art. 27 AIA, parallel to Art. 22 revFADP/DPIA) for high-risk with personal data – completed before 2 Aug 2026.
  5. Run employee training under Art. 4 AIA: train all AI users in fundamentals, hallucination risk, source verification, data protection. Written confirmation in the personnel file.
  6. File the compliance folder: AI inventory, classification reasoning, DPIA, training records, provider contracts (data-protection addendum). Annual review date in the calendar.

When this checklist applies

This SME checklist applies to Swiss companies with fewer than 250 employees that use AI tools professionally – as deployers, not providers. Typical audience: a fiduciary office with a bought-in AI payroll tool, a law firm with Claude Pro or Microsoft Copilot, an insurance broker with AI-supported claims handling, a consultancy with a RAG system over its own guidelines, an architecture firm with AI-generated renderings.

The checklist applies especially when (a) the SME has EU clients or signs contracts with EU clients, (b) the SME uses AI output in EU proceedings or for EU addressees (Art. 2 para. 1 lit. c – output-in-EU as a trigger), (c) the SME operates in a sector heavily embedded in EU value chains (pharma supplier, machinery, financial services).

For SMEs WITHOUT any EU touch, Art. 4 (training) remains best practice and is anyway required via revFADP due-diligence and professional rules (bar associations, EXPERTsuisse, FINMA-supervised entities). The other AIA duties are not directly applicable – but sectoral law (FINMA, FDPIC, industry self-regulation) increasingly adopts AIA standards (see SECO communications 2025-2026).

What this page does NOT replace

This page is an orientation roadmap, not a legal opinion. It specifically does not replace:

A concrete classification of your AI system under Annex III. Annex III texts are complex and contain elements requiring interpretation. An AI system "may be high-risk" is not sufficient – the answer must be "is high-risk" or "is not high-risk", with reasoning. That answer comes from a lawyer, not a website.

The conformity assessment itself. Whoever as provider falls under high-risk runs either internal control (Annex VI) or a notified body (Annex VII). Both are documented processes with technical files, risk assessment and CE marking. The checklist here helps you prepare – it does not perform the assessment itself.

Ongoing compliance maintenance. Post-market monitoring (Art. 72), reporting of serious incidents within 15 days (Art. 73), updates on substantial changes – these are operational tasks, not one-off projects.

Where this page also does NOT help: if the AI system falls under parallel regulation (revFADP, FINMA supervisory law, Medical Devices Regulation, Machinery Regulation, Cyber Resilience Act), sectoral law applies BEFORE or ALONGSIDE the AIA. These boundary questions are still under interpretation in 2026 – see EU Commission guidance from March 2026 and EDPB opinions 2025-2026.

Disclaimer (repeated, because central): Not legal advice. For Annex III suspicion, conflicts with sectoral law, or contract disputes with EU clients, engage a specialised law firm – before the next contract negotiation, not after.

Trade-offs

STRENGTHS

  • Clear deadlines – planning possible, no surprises
  • SME relief under Art. 99 para. 6 – fines are capped
  • Art. 4 training is required anyway via revFADP – no double effort
  • Structured preparation as trust signal toward EU clients

WEAKNESSES

  • Annex III classification requires legal judgment – risky without a lawyer
  • Double regulation with revFADP, sectoral law, EU data protection – many interfaces
  • Contract-clause amendments with providers take time (contract round, negotiation)
  • Training must be repeated annually – ongoing, not one-off effort

FAQ

We are an 8-person fiduciary with only Swiss clients. Does the AIA hit us?

Not directly. The AIA is EU law and not transposed into Swiss law. You are however indirectly affected via three paths: (1) sub-supplier clauses from your clients as soon as they work with EU corporates; (2) sectoral law – EXPERTsuisse standards, FINMA supervision and revFADP DPIA adopt AIA logic; (3) the training duty under Art. 4 is anyway required via revFADP due-diligence. Pragmatic advice: AI inventory and training now; serious Annex III classification only when EU touch is added.

We use a bought-in HR screening tool. Are we "provider" or "deployer"?

Usually deployer (Art. 3 No 4). You would only be provider if you distribute the system under your own name or brand (Art. 25). But: CV screening falls under Annex III No 4(a) – high-risk. As deployer of a high-risk system, deployer duties from Art. 26 apply from 2 Aug 2026: use as intended, logging, human oversight, information of affected candidates, DPIA under Art. 27. Clarify with the provider BEFORE the deadline: are the EU declaration of conformity, technical documentation and instructions for use available?

What does SME preparation realistically cost?

For a 10-person SME without high-risk system: 8-15 consultant hours for inventory + classification (CHF 1500-3000), 4-8 hours of training development (CHF 800-1600), 2 h/employee training delivery. Total CHF 3000-6000 one-off, annual maintenance CHF 1000-2000. With a high-risk hit, the lawyer share rises significantly (CHF 5000-15000 for legal clarification, conformity prep, possibly amending provider contracts). A notified body (providers only) costs CHF 30000-200000 – NOT needed for pure deployers.

Which tools do I need technically for compliance logging?

For Art. 26 para. 6 deployer logging, the provider's system logging is often enough (Microsoft Compliance Center, Anthropic Workbench, OpenAI Audit Logs) plus central storage. For self-built AI systems we recommend LiteLLM as gateway (central audit log), Grafana-Loki for log aggregation, a Postgres DB as audit-proof storage. Retention for high-risk: minimum 6 months per Art. 12 para. 1, in practice 24 months. For provider tools: check that log export is possible – cloud providers without audit-log export are unfit for high-risk use.
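One way to make the "audit-proof storage" mentioned above tamper-evident, as an added example (not part of the original page and not any vendor's API): each log record carries the hash of the previous one, so a later edit is detectable. The field names, the 183-day reading of "minimum 6 months" and the sample entries are assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64                    # anchor for the first entry
MIN_RETENTION = timedelta(days=183)   # assumption: "minimum 6 months" taken as 183 days

def digest(prev_hash, record):
    """SHA-256 over the previous entry's hash plus the canonical JSON of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(log, ts, user, model, prompt, outcome):
    """Append one AI-call record, chained to the entry before it."""
    record = {"ts": ts.isoformat(), "user": user, "model": model,
              # assumption: store a hash of the input so client data stays out of the log
              "prompt_sha256": hashlib.sha256(prompt.encode("utf-8")).hexdigest(),
              "outcome": outcome}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev, "hash": digest(prev, record)})

def verify(log, anchor=GENESIS):
    """Return the index of the first altered or re-linked entry, or None if intact."""
    prev = anchor
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != digest(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None

def purgeable(log, now):
    """Indexes of entries older than MIN_RETENTION (delete oldest-first only)."""
    return [i for i, e in enumerate(log)
            if now - datetime.fromisoformat(e["record"]["ts"]) > MIN_RETENTION]

def sample_log():
    """Constructed sample entries, not real data."""
    log, utc = [], timezone.utc
    append(log, datetime(2025, 1, 10, tzinfo=utc), "hr-01", "model-a", "CV 17", "shortlisted")
    append(log, datetime(2025, 9, 1, tzinfo=utc), "hr-02", "model-a", "CV 18", "rejected")
    append(log, datetime(2026, 2, 1, tzinfo=utc), "hr-01", "model-b", "CV 19", "shortlisted")
    return log

if __name__ == "__main__":
    log = sample_log()
    print("intact:", verify(log) is None)
    log[1]["record"]["outcome"] = "shortlisted"   # simulated after-the-fact edit
    print("first broken entry:", verify(log))
```

After purging the oldest entries, pass the hash of the last purged entry as `anchor` so the remaining chain still verifies. A chain like this does not detect removal of the newest entries unless the latest hash is also recorded somewhere else.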


Sources

  1. Regulation (EU) 2024/1689 – EUR-Lex full text (de), Art. 4, Art. 26, Art. 99 · 2024-07
  2. EU AI Act – interactive explorer with SME filter (Future of Life Institute) · 2026-04
  3. European Commission – AI Act implementation timeline and SME guide · 2026-05
  4. FDPIC (EDÖB) – position on the EU AI Act and Swiss applicability · 2026-03
  5. SECO – communication on implementing the AIA for Swiss SMEs · 2026-04
