SiteProof AI Blog

EU AI Act for Small Businesses: What You Actually Need to Do in 2026


Most small business websites are classified as “limited risk” under the EU AI Act — meaning your main obligations are transparency and disclosure, not the heavy documentation burden of high-risk systems. The key requirement: if your website has a chatbot or AI-generated content accessible to EU users, you must disclose this clearly. Deadline: August 2, 2026.

Does the EU AI Act Apply to Your Small Business?

Yes, if any of these apply:

- Your website is accessible to users in EU countries
- You use a chatbot, virtual assistant, or AI-powered live chat
- You publish AI-generated content (blog posts, product descriptions, reviews)
- You use AI tools that interact directly with your customers

What Risk Category Is Your Website?

| Risk Tier | Examples | Your Obligation |
|---|---|---|
| Unacceptable risk | Social scoring, manipulation systems | Prohibited entirely |
| High risk | Hiring AI, credit scoring, medical AI | Full documentation + human oversight |
| Limited risk | Customer chatbots, AI content | Transparency and disclosure |
| Minimal risk | Spam filters, internal tools | No specific obligations |

The Small Business EU AI Act Compliance Checklist

1. Add chatbot disclosure

Before or at the start of every conversation, users must be told they are interacting with an AI system. A human-sounding name like 'Aria' or 'Max' without explicit disclosure does not qualify.

2. Label AI-generated content where required

If your website publishes AI-generated text, images, or audio that could mislead users into thinking it is human-created, you must label it.

3. Update your privacy policy

Your privacy policy must explain how AI systems on your website process user data — what data is collected during chatbot interactions, how it is stored, and whether it is used to train AI models.

4. Create or update your AI policy page

Document what AI systems your website uses, their purpose, and what user data they process.

5. Train relevant staff

Article 4 requires that providers and deployers ensure staff working with AI systems have sufficient AI literacy.

6. Run a compliance scan

Identify specific gaps across your website before August 2, 2026.

Item 4 (AI policy page) is made easy with our free AI policy generator — generate a compliant AI usage policy in seconds.

Item 6 (compliance scan) is also free: no signup required, results in 60 seconds.

What Happens If You Don't Comply?

Maximum fine under Article 50

€15 million or 3% of global annual turnover — whichever is higher.

Existing enforcement precedent under GDPR and FTC rules shows regulators are already active:

- Snap Inc. received an enforcement notice from the UK ICO in 2023 for inadequate AI transparency
- DoNotPay was fined $193,000 by the FTC in 2025 for deceptive AI chatbot claims
- A Berlin bank was fined €300,000 under GDPR for undisclosed automated decision-making

Chatbots are consistently the highest enforcement priority. See our detailed breakdown of chatbot disclosure requirements to understand exactly what regulators expect.

The August 2, 2026 Deadline — What Changes

Before August 2, 2026

Obligations exist but are not yet actively enforced under the EU AI Act.

After August 2, 2026

National supervisory authorities begin enforcement. Fines can be issued for Article 50 violations.

Also see: website AI compliance audit guide.

Frequently Asked Questions

My website just uses a third-party chatbot widget. Am I responsible?

Yes — you are a 'deployer' under the EU AI Act even when using third-party AI tools. The responsibility for ensuring disclosures are shown to users falls on the organization deploying the tool, not just the tool provider. Your vendor may also have obligations, but those don't eliminate yours.

What is 'limited risk' AI and how do I know if that's my category?

Limited-risk AI systems are those that interact with users but do not make high-stakes decisions (hiring, credit, healthcare, law enforcement). Chatbots, AI-generated content, and recommendation systems typically fall here. High-risk AI includes systems used in employment decisions, credit scoring, biometric identification, and critical infrastructure.

Do I need to hire a lawyer to comply with the EU AI Act?

For most small businesses with limited-risk AI, the core obligations — disclosure text, privacy policy update, basic documentation — can be completed without external legal counsel. More complex situations (high-risk AI, AI that processes special category data) benefit from legal review.

What is an 'AI policy' and do I really need one?

An AI policy (or AI usage statement) is a published document explaining how your organization uses AI systems, what data they process, and what users can do if they have questions. It's not strictly required for limited-risk AI but is considered best practice and protects you if regulators investigate.

My website was built before the EU AI Act. Do existing sites need to comply?

Yes. The EU AI Act does not grandfather existing deployments. If you're operating an AI system that falls under the regulation on August 2, 2026, you need to comply, regardless of when the system was built. This is why auditing your site now, before the deadline, is important.
