The 2nd of August 2026 is the date most companies have circled in red when discussing the AI Act (EU Regulation 2024/1689). And rightly so: that day marks the entry into application of the transparency obligations towards users (Article 50), market supervision by AESIA —the Spanish Agency for the Supervision of Artificial Intelligence— and the full regime for general-purpose AI (GPAI) models. However, there is one development that many guides have yet to incorporate: the provisional agreement under the Digital Omnibus of May 2026 postponed the most demanding obligations for high-risk systems listed in Annex III from 2 August 2026 to 2 December 2027. This does not mean you can breathe easy and do nothing. It means you need to distinguish what affects you now from what you have until December 2027 to resolve.
At Summum we have been helping SMEs navigate complex regulatory frameworks since 2007. This article reflects the exact regulatory status as of June 2026 and offers a technical checklist ordered by urgency so you can act, not just read.
The AI Act timeline: what is already in force and what is pending
The AI Act entered into force on 1 August 2024, but its application is staggered. Before drawing up any checklist, it is essential to know which obligation falls at which moment:
| Date | What enters into application | Who is mainly affected |
|---|---|---|
| 2 Feb. 2025 | Prohibition of unacceptable AI practices (Art. 5) + AI literacy obligation (Art. 4) | All companies that use AI |
| 2 Aug. 2025 | Rules for GPAI models: technical documentation, copyright policy, training data summary | Providers of foundation models (OpenAI, Mistral, etc.) |
| 2 Aug. 2026 | Transparency towards users (Art. 50), AESIA market supervision, GPAI deployer obligations | Any company deploying chatbots, content generators, deepfakes or systems that interact directly with people |
| 2 Dec. 2027 (previously Aug. 2026, postponed by Digital Omnibus) | Annex III high-risk systems: full technical documentation, risk management, human oversight, conformity assessment | Companies using AI in HR, credit, insurance, education, critical infrastructure, public services |
| 2 Aug. 2027 | GPAI models in service before August 2025: must comply with the regulation | Providers of legacy foundation models |
Practical conclusion: if your company uses AI without developing it, and does not fall within the Annex III high-risk sectors, your critical obligation for August 2026 is concentrated on transparency, AI literacy and GPAI provider management. That said, most SMEs have at least one or two points to resolve before that date.
What the AI Act prohibits from February 2025 (already in force)
Before looking at August 2026, remember that the following practices have been prohibited since 2 February 2025 and AESIA can act on them immediately:
- Subliminal manipulation or subliminal techniques to influence people's decisions without their awareness.
- Exploitation of vulnerabilities of specific groups (minors, people with disabilities, those in financial hardship) to distort their behaviour.
- Generalised social scoring systems by public or private actors that evaluate the «trustworthiness» of individuals across multiple unrelated contexts.
- Biometric categorisation to infer race, political opinion, religious or philosophical beliefs, sexual orientation or trade union membership.
- Real-time remote biometric identification in public spaces by law enforcement, except in very strictly defined cases.
- Mass scraping of facial images from the internet or cameras to build facial recognition databases.
- Emotion inference in workplace or educational settings.
If any of your technology providers uses any of these techniques, you —as a deployer— bear part of the responsibility. Review your contracts.
The technical checklist for August 2026
What follows is a checklist ordered from highest to lowest urgency for a typical Spanish SME that uses third-party AI tools (copilots, chatbots, text/image generators, HR assistants). If you develop your own model, the requirements are more demanding: contact our AI Act technical compliance team for a tailored roadmap.
1. AI systems inventory (you should already have this)
Without an inventory you cannot classify, and without classifying you cannot comply. For each AI tool your company uses, document:
- System name and provider (including the underlying GPAI model if known).
- Function performed: does it interact directly with customers or employees? Does it make or support decisions that affect people?
- Provisional risk category: unacceptable / high-risk / limited risk / minimal risk.
- Data processed: personal? Of a special category (health, ethnicity, ideology)?
2. AI literacy programme (Art. 4 — mandatory since Feb. 2025)
Article 4 requires providers and deployers of AI to ensure a sufficient level of AI literacy for all staff who design, operate or supervise AI systems. This is not a trendy training course — it is a legal obligation. The programme must be proportionate to each person's level of exposure and must be documented. In practice, for an SME of 20–50 people, this usually translates to:
- Basic 2–4 hour training for the entire workforce on what AI is, what risks it poses and what is prohibited.
- Specific 8–16 hour training for roles that use AI in critical processes (recruitment, customer service, credit analysis, etc.).
- Signed attendance and completion records, with date.
3. Transparency towards end users (Art. 50 — 2 August 2026)
This is the point most companies still have pending. From 2 August 2026, if your company uses an AI system that interacts directly with people, you are required to inform them. The most common situations for SMEs are:
- Customer service chatbot: the user must be told they are speaking to an AI, at the first point of contact, in a clear manner. A mention in the terms and conditions is not sufficient.
- Automated voice assistant: same as the chatbot, adapted to the voice channel.
- AI-generated images, videos or synthetic audio: the content must be labelled as AI-generated. If you publish generated videos, you need an explicit technical or visual marking system.
- Deepfakes for legitimate purposes (art, satire): must be labelled equally, unless it is obvious from the context.
The penalty for non-compliance with Article 50 can reach 7.5 million euros or 1% of global annual turnover, whichever is higher (Article 99(4) of the Regulation).
4. Review of contracts with GPAI model providers
If you use tools based on general-purpose models —ChatGPT, Claude, Gemini, Copilot, Mistral, LLaMA and any derivative— you are a GPAI deployer. The AI Act establishes that providers of these models must supply you with:
- Sufficient technical documentation for you to fulfil your obligations as a deployer.
- Information on the capabilities, limitations and intended uses of the model.
- A summary of the training data (at an aggregated level, not raw data).
Check that your current contracts with these providers include these guarantees, or that the providers have published them publicly on their compliance pages. If there are gaps, document the attempt to obtain the information: it demonstrates due diligence.
5. Internal AI usage policy
Many SMEs use AI without any internal document governing how, by whom and for what purpose. This is a legal and operational risk. An AI usage policy does not need to be a 50-page document: 3–5 pages covering the following points are sufficient for an SME:
- Which AI tools are authorised and for which functions.
- What types of data must not be entered into external AI systems (sensitive personal data, trade secrets, confidential contracts).
- Who is internally responsible for overseeing AI usage and escalating incidents.
- Transparent communication procedure for customers when AI is involved in their relationship with the company.
- Rules on human review of decisions with significant impact on people.
6. Risk assessment for 2 December 2027
Although the deadline has been extended, it is advisable to start now. The Digital Omnibus postponed the obligations for Annex III high-risk systems, but did not eliminate them. If your company uses AI in any of the following areas, you will need to meet far more demanding requirements before December 2027:
- Recruitment, management or performance evaluation of workers.
- Approval or rejection of credit, insurance or financial products.
- Admission, assessment or classification of students in educational institutions.
- Prioritisation of emergency services or critical infrastructure management.
- Decision-making in immigration or asylum proceedings.
- Assessments in the field of justice or judicial administration.
For these cases, the technical roadmap is significantly more complex and includes a formal risk management system, data governance, event logs, structured human oversight and, in some cases, conformity assessment by a notified third party. Our AI Act technical compliance for SMEs team can help you determine exactly which category each system falls into and what documentation you need.
Summary table: August 2026 obligations by company profile
| Company profile | Key obligation before Aug. 2026 | Estimated effort |
|---|---|---|
| SME using a customer service chatbot | Notice of AI interaction at first contact (Art. 50) | Low (1–2 days of implementation) |
| Company publishing AI-generated content | Visible labelling of synthetic content (Art. 50) | Low-medium (requires review of publication processes) |
| Any company with employees using AI | Documented AI literacy programme (Art. 4) | Medium (training + records) |
| Company using GPAI tools (Copilot, ChatGPT, etc.) | Contractual review with providers + inventory | Medium (2–5 days of auditing) |
| Company with AI in recruitment, credit or education | High-risk assessment + roadmap to Dec. 2027 | High (3–9 month project) |
The role of AESIA and the sanctions framework in Spain
The Spanish Agency for the Supervision of Artificial Intelligence (AESIA), headquartered in A Coruña and established by Royal Decree 729/2023, is Spain's national supervisory authority for the AI Act. From 2 August 2026, it assumes full market supervision powers and can open sanction proceedings. AI Act fines operate at three levels:
- Minor infringements (non-compliance with transparency or documentation obligations): up to 7.5 million euros or 1% of global annual turnover.
- Serious infringements (non-conforming high-risk systems): up to 15 million euros or 3% of global annual turnover.
- Very serious infringements (prohibited practices under Article 5): up to 35 million euros or 7% of global annual turnover.
For microenterprises and SMEs, the AI Act provides for reduced fines and priority access to regulatory sandboxes, but not full exemption. Documented diligence —even where full compliance has not been achieved— is an explicitly recognised mitigating factor under the regulation.
What does ISO 42001 have to do with the AI Act
Many companies ask whether obtaining ISO 42001 certification (the AI management system standard published in 2023) helps them comply with the AI Act. The short answer is: it is not equivalent, but it helps. ISO 42001 is a voluntary framework that structures AI governance within the organisation; the AI Act is binding law. However, implementing ISO 42001 generates much of the documentation the AI Act requires (AI policy, impact assessment, incident records, management review), which accelerates the regulatory compliance process. If your company has or plans to obtain ISO 42001, the Summum Calidad team can help you map which controls cover AI Act requirements and where gaps remain.
Frequently asked questions
Does the AI Act apply to me even if I only use third-party AI (without developing it myself)?
Yes. The AI Act distinguishes between providers (those who develop or place the system on the market) and deployers (those who use the system in a professional context). If you use a chatbot, a copilot or any AI tool in your business activity, you are a deployer with your own obligations: ensuring your team's AI literacy, informing users when they interact with AI, and not using the tool for prohibited purposes. Responsibility does not rest solely with the technology provider.
The Digital Omnibus postponed the high-risk deadline: can I wait until 2027 to do anything?
No. The Digital Omnibus postponement applies exclusively to Annex III high-risk systems. The obligations regarding prohibited practices (already in force since February 2025), AI literacy (February 2025), GPAI models (August 2025) and transparency (August 2026) have not changed. Waiting until 2027 without acting on these fronts is a decision that carries significant regulatory risk.
How long does it take to prepare for August 2026?
For an SME that is not high-risk, the basic compliance process for August 2026 typically takes between 4 and 10 weeks: inventory of systems (1–2 weeks), contractual review (1–2 weeks), design and delivery of the AI literacy programme (2–4 weeks), and adjustment of transparency notices across digital channels (1–2 weeks). Many of these steps can run in parallel. At Summum we have guided this process for companies across different sectors and have proven methodology to shorten timelines without leaving gaps.
What happens if my AI provider does not supply the technical documentation the AI Act requires?
Document the attempt. Send a formal written request to the provider asking for the information required by Article 13 (high-risk systems) or the relevant GPAI articles. If the provider does not respond or does not supply the documentation, you have two options: find an alternative provider that complies, or assess whether the risk of continuing with that provider is acceptable. AESIA may request this documentation during an inspection; not having it because of the provider can be a mitigating factor, but documenting your due diligence is essential.