EU AI Act 2026: what Croatian SMBs must do now

The EU AI Act reaches ordinary businesses in 2026. Which risk tier you are in, the transparency duties from August 2026, and what the reform just deferred.

Artificial intelligence rules now apply to ordinary businesses, not just AI labs. The EU AI Act is phasing in between 2024 and 2027, and 2026 brings the obligations most Croatian SMBs will actually feel. The good news: a 2026 reform pushed the heaviest deadline back. Here is what applies now and what just moved.

Which risk tier are you in?

The Act sorts every AI use into four tiers, and your duties follow the tier - not the tool:

  • Prohibited - social scoring, manipulative or exploitative AI. Banned outright since 2 February 2025.
  • High-risk - AI for hiring, credit scoring, education, or critical infrastructure (Annex III). The heaviest documentation and conformity duties.
  • Limited-risk - chatbots, generative content, deepfakes. One core duty: transparency.
  • Minimal-risk - spam filters, recommendations. No new obligations.

Most SMB use - a support chatbot, AI-written copy, an AI agent - lands in limited or minimal risk.

What actually applies in 2026

For everyday business AI, the key 2026 duty is transparency. From 2 August 2026 you must tell people when they are talking to an AI, and label AI-generated content such as synthetic images or text. The synthetic-content marking rule was deferred to 2 December 2026, giving a little breathing room.

The big change: under the 2026 Digital Omnibus reform, high-risk (Annex III) obligations were deferred from 2 August 2026 to 2 December 2027 (provisional, pending formal adoption). General-purpose AI model rules have applied since 2 August 2025 - relevant mainly if you build on top of foundation models.

A practical checklist for SMBs

You do not need a compliance department - you need to know where your AI sits:

  • Inventory every AI tool and feature you use or ship.
  • Classify each by risk tier; flag anything touching hiring, credit, or safety as possible high-risk.
  • Disclose - add clear “you are chatting with an AI” notices and label AI-generated media.
  • Document what each system does and what data it uses - this also feeds your GDPR and AI-readiness work.

Penalties are tiered: up to €35M or 7% of turnover for prohibited use, and up to €15M or 3% for high-risk. For SMEs the fine is capped at the lower of the two amounts.

This article is general information, not legal advice. The AI Act is still being amended; confirm your exact obligations with qualified counsel.

Frequently Asked Questions

Does the AI Act apply to small companies?
Yes. It applies by how AI is used, not by company size. Most SMB uses are limited or minimal risk, where the main duty is transparency.

What is the most important 2026 deadline?
2 August 2026, for transparency duties on chatbots and AI-generated content. High-risk obligations were pushed to December 2027.

Do I have to label AI chatbots?
Yes. From 2 August 2026, users must be told when they interact with an AI system, and AI-generated content must be marked.

Is using ChatGPT or an AI agent high-risk?
Usually no. Everyday content and support uses are limited-risk. High-risk covers narrow areas like hiring, credit scoring, and critical infrastructure.

Not sure where your AI sits?

We map your AI use to the right risk tier, add the transparency and documentation you need, and build compliant AI features - without slowing your roadmap.
