The EU AI Act for Small Consultancies: A Plain-Language Guide to the August Deadline
The next major EU AI Act deadline lands on 2 August 2026. Most coverage is written for enterprise compliance teams. The rules also apply to solo consultants, coaches, and small values-led businesses, even when nobody seems to be writing for that audience. Here's what's actually in scope, what isn't, and what to do about it before summer.
14 May 2026 · 12 min read · By Sophie Kazandjian
What a one-person practice or small consultancy actually needs to do before the August deadline.
If you have been quietly assuming the EU AI Act is something for Big Tech to worry about, the next twelve weeks are a good time to reconsider. The next major enforcement milestone is 2 August 2026, when the rules for general-purpose AI providers come into full effect and the governance and penalty framework activates. Most coverage of all of this is written for enterprise compliance teams. Almost nothing exists for solo consultants, coaches, or small practices, who are also covered by the law, even when they assume they are not.
The short version (if you only have two minutes)
The table below summarises the obligations a small UK or European consultancy needs to know about, when each one kicks in, whether it is likely to apply to you, and the practical action to take. The rest of the article walks through each obligation in more depth.
| Obligation | Status | Applies to most small practices? | What to do |
|---|---|---|---|
| AI literacy (Article 4) | Already in force since 2 February 2025 | Yes, to almost everyone using AI in their work | Write a one-page internal AI policy. Get every staff member, contractor, or associate using AI on your behalf to read and acknowledge it. |
| Prohibited practices (Article 5) | Already in force since 2 February 2025 | Unlikely, but worth confirming | Read the prohibitions and confirm none of your AI uses match. |
| Transparency (Article 50) | Full effect from 2 August 2026 | Yes, if you use client-facing AI or publish AI-generated content | Disclose chatbots clearly. Label AI-generated images and content. |
| High-risk classification (Annex III) | Full effect from 2 August 2026 | Only if you work in HR screening, credit, education, biometrics, or essential public services | Risk management, technical documentation, human oversight, and conformity assessment if in scope. |
| Penalty enforcement | Activates 2 August 2026 | All breaches enforceable from this date | SMEs benefit from reduced penalty caps and proportionality. Not the same as immunity. |
If your work falls outside the high-risk domains and you have not yet written an internal AI policy, the literacy obligation is where you are most exposed and the easiest thing to fix.
What the AI Act actually is
Regulation (EU) 2024/1689, the AI Act, is the world's first general AI law. It came into force on 1 August 2024 and applies in phases, with different obligations switching on at different dates. The framework is risk-based. Some AI uses are banned outright. Some are classed as high-risk and carry heavy compliance duties. Most ordinary uses sit in a limited-risk or minimal-risk bracket and only require transparency to users.
The law applies to providers (organisations that build AI systems and put them on the EU market) and to deployers (organisations that use AI systems in a professional capacity). If you are a UK or European consultant using AI for client work, you are almost certainly a deployer. The Act applies regardless of where your business is registered, as long as the outputs of the AI system reach people in the EU. A UK consultancy with French or German clients is in scope.
The reach is the same pattern as GDPR. If your work touches Europe, the rules touch you. For UK readers, the Information Commissioner's Office has been clear that even with the UK's lighter-touch domestic approach to AI regulation, UK businesses still need to comply with the EU AI Act when their AI outputs reach EU users.
The timeline at a glance
The phasing is worth knowing because it shapes what is already required of you, versus what is coming. Provisions on prohibited AI practices and AI literacy entered into force on 2 February 2025. Obligations on general-purpose AI model providers and the governance rules followed on 2 August 2025. The full framework, including penalty enforcement and the bulk of obligations for high-risk AI systems, applies from 2 August 2026. The extended transition for legacy high-risk systems embedded in regulated products runs until 2 August 2028.

The European Commission proposed a Digital Omnibus simplification package in late 2025 that could push some Annex III high-risk obligations back to December 2027. As of May 2026, this remains a proposal, not a confirmed extension. Prudent planning treats August 2026 as the binding date.
The most overlooked of these dates is the first one. The AI literacy requirement under Article 4 has been a legal obligation for over a year already. Most small businesses I speak to have never heard of it.
The Article 4 problem (and the easiest thing to fix first)
Article 4 says that providers and deployers of AI systems must "take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf." That includes employees, contractors, freelancers, and any associate working on your clients' behalf using AI.
Article 4 has been law since February 2025. The European Commission's AI literacy Q&A confirms that this applies to every organisation that uses AI in any professional capacity, regardless of size. There is no carve-out for solo practitioners. The Commission's AI Pact initiative offers a voluntary framework for organisations preparing for full enforcement.
The good news is that the obligation is proportionate. The Commission has been clear that no strict format is imposed. What is expected is that you can demonstrate you have taken reasonable steps appropriate to the risk level of your AI use, the role of the people using it, and the context of your business. For a one-person practice using AI to draft emails and structure documents, this is manageable. For an associate-led consultancy where five freelancers use AI on client work, the bar is a little higher.
Demonstrating AI literacy looks something like this. A written record of which AI tools your business uses and what for. An internal policy that covers what staff and associates can and cannot do with AI on client work. Awareness of the prohibited practices under Article 5. A short training note or briefing that everyone using AI on your behalf has read and acknowledged. None of this needs to be a fifty-page policy document. A clear one-pager, signed off and stored properly, is enough for a small practice.
This is also where my piece on why AI still needs a human earns its place. Literacy is about training judgement, not just operating a tool: when to overrule an AI suggestion, when to redact before pasting, when to escalate. The policy is the artefact. The judgement is the point.
This is the part you should do first. It is cheap, it has been required for a year, and it gives you a foundation for everything else.
Prohibited practices: what you cannot do with AI
Article 5 sets out the AI practices the EU has banned outright. These are unlikely to apply to most small businesses, but they are worth knowing about so you can be confident you are not breaching them, and so you can recognise them if a vendor tries to sell you one.
In plain terms, the prohibitions cover:
- Manipulative AI. Systems that use subliminal or deceptive techniques to distort people's decisions in ways that cause them harm.
- Exploitative AI. Systems that exploit vulnerabilities of specific groups (age, disability, socio-economic status) to materially distort their behaviour.
- Social scoring. Scoring of people by public authorities or private actors using personal or behavioural data, leading to unfavourable treatment.
- Predictive policing. Systems that predict criminal offending based purely on profiling or personality traits, rather than objective verifiable facts.
- Real-time biometric identification in public spaces. With narrow law-enforcement exceptions for serious crimes.
- Untargeted facial-image scraping. Scraping the web or CCTV footage to build facial recognition databases.
- Emotion recognition in workplaces and educational settings, except for medical or safety reasons.
If you are reading this and your work has nothing to do with any of these, that is the right reaction. The prohibitions exist for cases where AI causes serious individual or societal harm. They have been in force since February 2025, and national supervisory authorities (the CNIL in France, the Bundesnetzagentur in Germany, the ICO in the UK for UK-applicable matters) have been issuing guidance on each.
Are you operating a "high-risk" AI system?
The Act's high-risk classification covers AI used in specific domains:
- Employment, recruitment, and worker management
- Education and vocational training
- Access to essential private and public services and benefits
- Law enforcement
- Migration, asylum, and border control
- Administration of justice and democratic processes
- Critical infrastructure (energy, transport, water, digital)
- Biometric identification and categorisation
Annex III is the full list with the detail.

For most small consultancies, the answer is "no, this does not apply." Drafting client proposals with Claude, generating images for a newsletter, summarising meeting notes, building an Airtable workflow with AI assistance, designing a Squarespace site with AI help. None of these falls into a high-risk category.
Where it can apply, in ways small practices sometimes do not realise, is when AI is used to:
- Screen, rank, or assess job applicants for a client (recruitment consultancies, HR consultants)
- Filter or evaluate candidates for promotion, performance review, or termination
- Score people for access to credit, insurance, housing, or essential services
- Personalise content for vulnerable groups in ways that affect access to opportunities
- Build assessment tools used in education or vocational training
If any of that sounds like work you do, or work you do on behalf of a client, you need to look at the high-risk obligations carefully. They include risk management, data governance, technical documentation, human oversight, and conformity assessment. For a solo consultant, this is the point at which "I will figure this out myself" stops being realistic, and a conversation with someone who knows the specifics becomes the right next step.
Transparency: the obligation almost everyone has
Article 50 is the rule that applies the most widely. If your AI system interacts directly with people, those people need to be told they are interacting with an AI, unless it is obvious from context. If your business uses AI to generate text, image, audio, or video content that is published or shared, that content should be marked as artificially generated or manipulated, in a way that is detectable.
For a small consultancy, this lands in three practical places. First, any chatbot or automated assistant on your website or in your client tools needs a clear disclosure that the user is talking to an AI. Second, any AI-generated images or marketing content you put out should be flagged, even quietly (a caption, a credit line, metadata). Third, deepfakes (synthetic content depicting real people, places, or events) carry stricter labelling rules.
None of this is hard to do. It does mean that the "looks like Sophie, sounds like Sophie, but is actually an AI agent answering my client emails" use case is regulated. Disclose it, and you are fine. Hide it, and you are not.
What penalties actually look like
The headline numbers are large. Up to €35 million or 7% of global annual turnover for prohibited-practice violations. Up to €15 million or 3% for breaching obligations on high-risk systems. Up to €7.5 million or 1% for supplying incorrect information to regulators. These are designed for corporations the size of Meta, not for one-person practices in Nîmes or Manchester.
For SMEs and startups, the Act includes proportionality provisions. National regulators are required to take size, market share, and economic impact into account when setting penalties. SMEs benefit from reduced penalty caps, and member states are required to set up regulatory sandboxes so smaller businesses can test AI systems under supervision before going to market.
Proportionality is not the same as immunity, though. A small business found to be doing nothing about AI literacy, deploying a high-risk system without conformity assessment, or breaching the prohibited practices is still exposed. The realistic risk for a small practice is rarely a multi-million-euro fine. It is reputational damage with clients, contractual breach with partners who require AI Act compliance in their supplier terms, or civil liability if a poorly governed AI system causes harm to a third party.
Vendor due diligence: the part most people forget
When you use an AI tool for client work, you are a deployer of that tool, and the Act expects you to have done basic due diligence on the provider. That means knowing where your data is processed, whether the provider trains on user input, and what compliance documentation the provider offers.
This is one reason I have moved much of my own stack to EU-residency tools. The compliance conversation is shorter, the vendor documentation is clearer, and the answer to "where is my client's data?" stops being "somewhere in the United States, processed under their domestic surveillance laws." I have written separately about why I cancelled ChatGPT and about ditching Perplexity and Comet, which covers the practical EU alternatives in detail.
You do not have to leave US-based tools to be compliant. You do need to have thought it through and be able to defend the choice.
A small-business AI Act readiness checklist
If you want to spend a focused half-day on this before August, the priorities are:
- Inventory. Write down every AI tool currently used in your business and on client work. Include the chatbots inside SaaS tools you already use (CRMs, helpdesks, design tools), not just the obvious ones like Claude or Le Chat. Note what data goes into each. My 2026 AI stack piece shows the shape of this for my own practice.
- Role classification. Confirm whether you are a provider, a deployer, or both. Most small consultancies are deployers. If you are reselling or rebranding an AI tool as your own product, you may also be a provider.
- Risk classification. For each tool, classify the use as prohibited (don't do it), high-risk (heavy obligations), limited-risk (transparency rules), or minimal-risk (largely unregulated). Document this.
- Literacy. Write a short AI use policy covering what staff and associates can and cannot do with AI on client work. Have everyone read and acknowledge it. Keep a record. This satisfies Article 4 for most small practices.
- Transparency. Audit your client-facing AI uses. Add disclosure language where AI is interacting with people directly. Flag AI-generated content where it is published.
- Vendor due diligence. For each AI tool you use, check the provider's documentation. EU-based or EU data-residency providers reduce your compliance load. US-based providers can still be used, but pay attention to their stated compliance posture and data handling terms.
- Review rhythm. Schedule a quarterly internal review. AI tools change quickly, and the law is still settling. A standing thirty-minute check-in keeps you current without becoming a project.
For most consultancies, all of this is half a day of focused work, followed by a short standing rhythm. The work I do for clients on Cyber Essentials readiness, supported by the BYOD cyber security toolkit, already covers a lot of the same ground: device audits, access reviews, written policies, recurring check-ins. The AI Act sits naturally inside the same operational discipline. If you have done one, you are ready to do the other.
What to read next
The official source is the European Commission's AI Act page, which links to the consolidated regulation text, the Article 4 guidance, the prohibited practices guidelines, and the AI Pact webinars. The independent AI Act explainer at artificialintelligenceact.eu has a useful compliance checker tool for SMEs that walks you through your specific position in around twenty minutes.
For UK readers, the ICO's AI guidance hub covers UK obligations under the UK GDPR and the relationship with the EU AI Act. For French readers, the CNIL's AI hub is the equivalent. For broader European context, the European Data Protection Board has published guidance on the overlap between GDPR and the AI Act, which is the area where most small-business questions cluster.
If any of this has made you realise your current AI use is more exposed than you assumed, that is a useful reaction to have in May rather than in August. Most of what is needed is structural rather than technical: a policy, an inventory, a disclosure habit, a review rhythm. It is the kind of work I do with consultancy clients as part of digital operations readiness, alongside Cyber Essentials and GDPR practice.
For values-led practices, much of this aligns with how you would want to work anyway. The Act makes optional habits into required ones, and adds external accountability where there was only your own judgement.
FAQs
- Does the EU AI Act apply to my UK business?
If your AI outputs reach people in the EU (clients, end users, or audiences), yes. The Act has extraterritorial reach in the same way GDPR does. UK consultancies serving European clients are in scope. The ICO has further UK-specific guidance.
- I'm a one-person business. Do I really need an AI policy?
The Article 4 AI literacy obligation has applied to providers and deployers of any size since February 2025. For a solo practice, the policy can be short and proportionate. A one-page internal note covering which AI tools you use and how is enough for most consultancies. The obligation is to have something appropriate, not to have a fifty-page document.
- What happens on 2 August 2026 specifically?
The penalty framework activates fully, the bulk of the high-risk AI obligations under Annex III come into force, and national supervisory authorities gain full enforcement powers. The literacy and prohibited-practice rules have been in force since February 2025 already.
- If I use Claude or another US-based AI for client work, am I breaching the Act?
No. Using a US-based AI is not in itself a breach. The Act regulates the use of AI, not the nationality of the provider. What you do need to consider is data residency (separately, under GDPR) and the AI Act's transparency, literacy, and risk-classification obligations as they apply to your use case. My guide to ethical AI alternatives covers the practical EU-residency options if you want to reduce your US exposure.
- Are there proportionality protections for small businesses?
Yes. SMEs and startups benefit from reduced penalty caps, and member states are required to take size and economic impact into account in enforcement. Regulatory sandboxes for smaller businesses are also being set up across the EU. Proportionality does not mean the rules do not apply to you. It means the response to a breach is calibrated to your size.
- Will the Digital Omnibus push the deadline back?
The European Commission's proposed simplification package, announced in late 2025, suggests extending some Annex III high-risk obligations to December 2027. The proposal has not been finalised. The Commission has been explicit that organisations should continue to treat 2 August 2026 as the binding date in their planning.