← Blog

KI-Recht & Compliance

AI Act: What SMEs must do now

The EU AI Act is in effect — and the first obligations are already active. What awaits medium-sized companies, which deadlines count, and a pragmatic 8-step roadmap.

Felix Stürmer· 08 April 2026· 3 min read
AI Act: What SMEs must do now

The Regulation (EU) 2024/1689 — briefly the AI Act or EU AI Act — has been in force since August 1, 2024, and is being implemented in stages. It is the world's first comprehensive legal framework for Artificial Intelligence. The EU Commission formulates the goal as follows:

"The AI Act ensures that Europeans can trust what AI has to offer."

For SMEs, this is not a distant corporate regulation: The Bitkom implementation guide reports that 69% of companies need support with implementation. The good news first — most medium-sized companies are deployers, not providers of AI, and therefore bear significantly leaner obligations.

The deadlines that count now

The regulation does not apply all at once, but in stages. Two of them are already active:

AI Act Deadlines
02.02.2025Prohibitions + AI Competence02.08.2025GPAI Obligations02.08.2026Transparency (Art. 50)02.08.2027High-Risk (Art. 6)
The first obligations already apply – competence and prohibitions since February 2025.

Since February 2, 2025, the prohibitions (Art. 5) and the obligation for AI competence (Art. 4) have applied: Anyone using AI must ensure that the people involved have sufficient knowledge. Since August 2, 2025, obligations for general-purpose AI models (GPAI) have taken effect. On August 2, 2026, transparency obligations (Art. 50) follow, and on August 2, 2027, the rules for high-risk AI (Art. 6).

What is threatened in case of violations

The fines are serious — the framework according to Art. 99 is tiered:

Fines according to Art. 99 AI Act
Prohibited practices (up to 7% of turnover)35 Mio. €
Other violations (up to 3% of turnover)15 Mio. €
Incorrect information (up to 1% of turnover)8 Mio. €

Important for smaller companies: For SMEs and start-ups, the lower of the two values (fixed amount or turnover percentage) applies in each case, and economic viability must be taken into account. Therefore, panic is not appropriate — but ignoring it is not an option either.

The 8-Step Roadmap

The Bitkom implementation guide and the IHK Munich recommend a pragmatic approach:

  1. Inventory AI— also include embedded systems (Copilot, chatbots, HR tools).

  2. Clarify role— Provider or operator? Operators are subject to leaner obligations.

  3. Determine risk class— immediately cease prohibited practices.

  4. Building AI competence— Document training sessions (mandatory since Feb 2, 2025).

  5. Prepare transparency— Label AI content and deepfakes, disclose chatbots.

  6. Align with GDPR— The AI Act and data protection are intertwined.

  7. Embed governance— Appoint responsible parties, write AI policy.

  8. Using tools— utilize Bitkom tools, IHK offers, and the AI Act Explorer.

ℹ️

A practical lever for steps 4 and 5: A central AI platform makes AI competence and transparency manageable in the first place — instead of scattered shadow AI across dozens of private accounts.

Conclusion

The AI Act is no reason to stop AI projects — it is a reason to set them up in an organized manner. Those who inventory their systems, clarify roles, and build competence today will be on the safe side when the next stages take effect in 2026 and 2027. Our [guide/overview] provides a complete overview of the regulation.Guide to the EU AI Act for Companies; how data protection and AI interact is shown by theGuide to GDPR-compliant AI.

Sources

GDPR-compliant AI from a real German data center

Kasimir runs on its own infrastructure in Germany — no detour via US providers, no CLOUD Act reach.