fairlane.systems

Law & Compliance

EU AI Act for Swiss SMEs 2026: Obligations, Risk Classes, Roadmap Checklist

When EU AI Regulation 2024/1689 reaches Swiss firms, which risk classes apply, and which 2026 deadlines are due.

Researched & fact-checked by: · As of: 2026-06

What is the EU AI Act?

The EU AI Act is Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence. It entered into force on 1 August 2024 and becomes applicable in several phases. It is the world's first comprehensive horizontal AI law and follows a risk-based approach: the higher an AI system's risk to fundamental rights, health and safety, the stricter the obligations.

The regulation distinguishes four tiers: prohibited practices (Art. 5), high-risk systems (Art. 6 in conjunction with Annex III), systems subject to transparency obligations (Art. 50, e.g. chatbots, AI-generated content) and systems of minimal risk (no specific obligations). Separate rules apply to general-purpose AI models (GPAI, Chapter V, in particular Arts. 53 et seq.). Note that Art. 51 only governs the classification of GPAI models as models with systemic risk (the 10^25 FLOP threshold); the actual provider obligations (technical documentation, transparency, copyright policy) are set out in Arts. 53 et seq.

The key point for Swiss SMEs: the AI Act is EU law but, through its extraterritorial reach (Art. 2), can also bind firms with no EU establishment. Switzerland itself has no comprehensive AI law of its own as of 2026; the applicable framework remains existing law (notably the revised FADP) plus the AI Act where there is an EU nexus.

*This is not legal advice. Classifying a specific AI system requires expert assessment.*

Why it matters for Swiss SMEs

Many Swiss firms assume EU law does not concern them. With the AI Act that is a dangerous misconception. Under Art. 2(1)(a) the regulation applies to providers that place an AI system on the EU market or put it into service, regardless of establishment. Under Art. 2(1)(c) it even applies where the output produced by the AI system is used in the EU, even if the provider or deployer sits outside the EU. The statutory wording contains no express limitation to "intended" use; on the prevailing interpretation (based on recital 23), however, merely coincidental use in the EU is not enough – what matters is whether the provider intends EU use or can reasonably foresee it.

In concrete terms: a Swiss fiduciary or SME deploying an AI system for clients, subsidiaries or job applicants in the EU may fall within scope as a provider or deployer. For high-risk applications this triggers extensive obligations.

The penalties are substantial: under Art. 99 prohibited practices can attract fines of up to EUR 35 million or 7% of worldwide annual turnover (whichever is higher); other breaches up to EUR 15 million or 3%. For SMEs and start-ups, Art. 99(6) provides that each fine shall be the lower of the fixed amount or the turnover percentage – the reverse of the rule for large undertakings, where the higher governs. The reputational and contractual risk remains in any event.

Independently of the AI Act, Switzerland's revised Federal Act on Data Protection (revFADP) continues to apply: AI-assisted processing of personal data is subject, among others, to the principles of Art. 5 et seq. revFADP.

How the AI Act works: risk classes and deadlines

The four risk classes:

1. Prohibited practices (Art. 5): Applicable since 2 February 2025. Banned are, among others, subliminal techniques operating beyond a person's consciousness as well as purposefully manipulative or deceptive techniques that distort behaviour and cause significant harm (Art. 5(1)(a)); social scoring by public authorities or private entities (Art. 5(1)(c)); untargeted facial-image databases via scraping from the internet or CCTV footage (Art. 5(1)(e)); and – with exceptions – emotion recognition in the workplace and in educational institutions (Art. 5(1)(f)).

2. High-risk systems (Art. 6, Annex III): Cover sensitive fields including employment (recruitment, applicant selection, performance evaluation, termination decisions) and creditworthiness/credit scoring of natural persons (with the exception of AI systems used to detect financial fraud, Annex III point 5(b)). Obligations include risk management, data governance, technical documentation, logging, human oversight and conformity assessment.

3. Transparency-subject systems (Art. 50): Users must be able to tell they are interacting with AI (chatbots); AI-generated or manipulated content (deepfakes) must be labelled. These obligations only become applicable on 2 August 2026.

4. Minimal risk: No specific obligations (e.g. spam filters).

The deadlines (Art. 113): - 1 Aug 2024: Entry into force. - 2 Feb 2025: Prohibitions (Art. 5) + AI literacy obligation (Art. 4) applicable. - 2 Aug 2025: GPAI rules (Chapter V), governance and establishment of national authorities (Chapter VII) and most penalty provisions (Chapter XII) applicable – exception: Art. 101 (fines for GPAI providers) only applies from 02.08.2026. - 2 Aug 2026: Most remaining obligations, in particular for high-risk systems under Annex III, plus the transparency obligations (Art. 50). - 2 Aug 2027: Art. 6(1) (high-risk via product safety law, Annex I) and related obligations.

Important: Art. 4 (AI literacy) and the high-risk obligations (02.08.2026) are separate matters and must not be conflated.

Roadmap checklist to 02.08.2026

  1. 01Build an inventory: capture all AI systems in use and planned (including purchased SaaS tools with AI features).
  2. 02Check the EU nexus: for each system determine whether placing on the market, operation or output use occurs in the EU (Art. 2).
  3. 03Determine your role: are you a provider, deployer, importer or distributor? Obligations differ.
  4. 04Assign the risk class: prohibited (Art. 5), high-risk (Annex III, e.g. employment/credit), transparency-subject (Art. 50) or minimal.
  5. 05Ensure AI literacy (Art. 4, since 02.02.2025): document training, an internal policy and evidence.
  6. 06Build high-risk obligations (by 02.08.2026): risk management, data governance, technical documentation, logging, human oversight, conformity assessment.
  7. 07Implement transparency (mandatory from 02.08.2026, Art. 50): label chatbots, mark AI-generated content as such.
  8. 08Couple with data protection: ensure revFADP compliance (Art. 5 et seq. revFADP), and a data protection impact assessment where needed.
  9. 09Adapt contracts: contractually allocate responsibilities with AI suppliers and EU partners.
  10. 10Document governance, designate responsible persons, and repeat the review regularly.

When an assessment is needed

A structured AI Act assessment is warranted for a Swiss SME as soon as an EU nexus is plausible. Typical triggers:

- You distribute software or services with an AI component to customers in the EU. - You operate subsidiaries or branches in the EU that use AI. - You use AI whose output is used in the EU (e.g. applicant selection for an EU position, credit assessment of EU customers). - You deploy AI in Annex III fields: employment, creditworthiness, critical infrastructure, education.

Independently of high-risk status, the AI literacy obligation (Art. 4) applies to every provider and deployer within scope: staff operating AI systems must have sufficient competence. This obligation has applied since 02.02.2025 and should be documented (training records, internal policies).

Also applicable from 02.08.2026: the transparency obligations (Art. 50) as soon as you use chatbots or publish AI-generated content perceived in the EU. As of 2026-06 these obligations are not yet in force, but should be prepared in good time.

When the AI Act (likely) does not apply

Not every AI use by a Swiss SME triggers AI Act obligations. Scope typically falls away where there is no EU nexus:

- The AI system is developed, operated and used exclusively in Switzerland, and the output is not intended for use in the EU. - A position located in Switzerland is filled using AI – even if an applicant resides in the EU, the AI Act does not, on current interpretation, apply for that reason alone. - Purely internal testing/research before placing on the market may, depending on the setup, be exempt (cf. the research and development exemption).

Caution is still warranted: the boundary is delicate in individual cases, and coincidental EU use can become foreseeable use, e.g. where outputs are foreseeably used across borders (cf. recital 23). Moreover, Swiss law continues to apply – the AI Act not applying does not mean no obligations: the revFADP, due-diligence and accounting duties (e.g. Art. 957a CO for AI-assisted bookkeeping) remain in force.

*This classification does not replace a legal review of the specific facts.*

FAQ

Does the EU AI Act apply at all to a Swiss GmbH without an EU establishment?

Yes, it is possible. Under Art. 2(1)(a) and (c) the regulation can apply if you place an AI system on the EU market or if the system's output is used in the EU – even without an EU establishment. On the prevailing interpretation (recital 23), purely coincidental EU use is not enough; what matters is intended or reasonably foreseeable EU use. Classification depends on the individual case; this is not legal advice.

What specifically must I have in place by 2 August 2026?

From 2 August 2026 most remaining obligations become applicable, in particular for high-risk systems under Annex III (e.g. employment, creditworthiness): risk management, data governance, technical documentation, logging, human oversight and conformity assessment. The transparency obligations under Art. 50 also apply from that date. The establishment of national supervisory authorities (Chapter VII), by contrast, applies already from 02.08.2025. The AI literacy obligation (Art. 4) has applied since 02.02.2025.

Is the AI literacy obligation (Art. 4) the same as the high-risk obligation?

No. Art. 4 requires every provider and deployer within scope to ensure staff have sufficient AI literacy – independent of risk class, and applicable since 02.02.2025. The high-risk obligations under Annex III are far broader and only become applicable from 02.08.2026. The two must be treated separately.

How high are the fines for breaches?

Under Art. 99, prohibited practices (Art. 5) can attract up to EUR 35 million or 7% of worldwide annual turnover (whichever is higher). Other breaches face up to EUR 15 million or 3%. For SMEs and start-ups, Art. 99(6) provides that each fine shall be the lower of the fixed amount or the turnover percentage – the reverse of the rule for large undertakings, where the higher amount governs.

Related topics

EU AI ACT · COMPLIANCEEU AI Act 2026: high-risk duties from 2 August 2026 – what Swiss providers must do nowrevDSG · COMPLIANCErevDSG / revFADP and AI: what the revised Swiss Data Protection Act means for LLM useISO 42001 · COMPLIANCEISO/IEC 42001: the international standard for AI management systemsPeople & OrganisationShadow AI in the fiduciary firm: policy, tool approval list & staff training

Sources

  1. Verordnung (EU) 2024/1689 (AI Act), Volltext – EUR-Lex · 2024-07-12
  2. Art. 113 AI Act – Inkrafttreten und Geltungsbeginn (artificialintelligenceact.eu) · 2024
  3. Art. 2 AI Act – Anwendungsbereich (artificialintelligenceact.eu) · 2024
  4. Art. 5 AI Act – Verbotene Praktiken (artificialintelligenceact.eu) · 2024
  5. Art. 99 AI Act – Sanktionen (artificialintelligenceact.eu) · 2024
  6. Anhang III AI Act – Hochrisiko-KI-Systeme (artificialintelligenceact.eu) · 2024
  7. AI Act – Shaping Europe's digital future, Europäische Kommission · 2026
  8. Application of the AI Act to Swiss companies – CDBF · 2025

FITS YOUR STACK?

What this looks like in your business – a 30-minute intro call.

Book a call