Compliance · AI · Cybersecurity · July 2026 · ~20 min read

The Regulation (EU) 2024/1689 — better known as EU AI Act — entered into force on 1 August 2024 but applies in phases. The obligations that kick in on 2 August 2026 hit Spanish SMBs directly: governance of high-risk systems under Annex III and transparency of chatbots, deepfakes and other AI-generated content under Article 50. Non-compliance can trigger fines of up to €35 million or 7% of worldwide annual turnover under the sanctions regime, which — like the AI literacy duty of Article 4 — has already been in force since 2025. This guide summarises what to do before August 2026, what arrives in 2027, what role the AESIA plays and how to avoid the prohibited practices of Article 5.

Calendar of AI Act application

Regulation (EU) 2024/1689 was published in the OJEU on 12 July 2024 and entered into force twenty days later, on 1 August 2024. From there, application is staggered: prohibited practices (Art. 5) and AI literacy (Art. 4) on 2 February 2025; GPAI (Chapter V), sanctions (Chapter XII) and notifying authorities on 2 August 2025; the rest of the Regulation including Annex III high-risk systems on 2 August 2026; and high-risk systems enumerated in Annex I on 2 August 2027.

Article 5 · prohibited AI practices since February 2025

Article 5 lists AI practices prohibited under any circumstance in the EU. These are not high-risk systems placed under controls; they are deemed unacceptable outright. The categories are: subliminal manipulation or exploitation of vulnerabilities; social scoring by public authorities; predictive policing based on profiling alone; untargeted scraping of facial images; emotion inference at work and in education; biometric categorisation based on sensitive data; real-time remote biometric identification in publicly accessible spaces (subject to a narrowly defined set of statutory exceptions).

Article 4 · AI literacy of personnel

Article 4 requires providers and deployers to ensure, to the extent possible, a sufficient level of AI literacy of personnel and any person operating AI systems on their behalf. It applies from 2 February 2025. For an SMB deployer it translates into: inventory of AI systems used (including AI embedded in SaaS); classification of operating staff; proportional training by risk and role; documented evidence (attendees, dates, contents, evaluation).

Annex III · high-risk systems

Annex III lists eight areas where an AI system is considered high risk and subject to Chapter III obligations from August 2026: biometrics; critical infrastructure; education and training; employment and HR; essential services (credit scoring, life/health insurance); law enforcement; migration and borders; justice and democratic processes. SMB deployers using a high-risk system (e.g. ATS with CV filtering AI) must comply with Article 26: use the system per provider instructions, assign competent human supervision, control input data, keep logs, inform affected employees and notify serious incidents.

GPAI · general-purpose AI (Chapter V)

Chapter V regulates foundational or general-purpose models (GPAI) and applies from 2 August 2025. SMBs are rarely GPAI providers (OpenAI, Anthropic, Google, Meta and Mistral are), but they can be deployers integrating one, which triggers transparency and synthetic content marking obligations from August 2026: informing the user when they are interacting with an AI system, marking AI-generated content as synthetic (deepfakes, public-interest information), and enabling automatic identification via interoperable watermarking.

AESIA and the Spanish governance ecosystem

Spain has been a pioneer in creating the national supervisory body: the Spanish Agency for the Supervision of Artificial Intelligence (AESIA), headquartered in A Coruña, created by Royal Decree 729/2023. It acts as national notifying and market surveillance authority. It is the Spanish interlocutor for sandbox applications, serious incident notifications, sanctioning procedures and coordination with the European AI Board.

Sanctions regime

Article 99 scales sanctions in three tiers: up to €35M or 7% of worldwide turnover (whichever is higher) for Art. 5 violations; up to €15M or 3% for non-compliance with provider/deployer/importer/distributor obligations; up to €7.5M or 1% for supplying incorrect, incomplete or misleading information to the authority. For SMBs and startups, the Regulation lets Member States apply the lower amount between absolute and percentage figures.

Regulatory sandbox

Article 57 obliges each Member State to set up at least one regulatory sandbox before 2 August 2026. Spain launched its sandbox in 2023 — the first national AI sandbox in the EU — coordinated by the Secretariat of State for Digitalization and AI with AESIA support. For SMBs developing a high-risk system, participation reduces regulatory risk and provides evidence of good-faith compliance that can help mitigate sanctions if problems arise later.

Operational checklist for Spanish SMBs — 6 actions before August 2026

  1. AI inventory (including AI embedded in SaaS: HubSpot, Salesforce Einstein, ATS, automation tools, ChatGPT Enterprise/Team, Copilot, Gemini Workspace).
  2. Risk classification (prohibited, high risk, transparency, GPAI, low/minimal risk).
  3. AI literacy plan proportional to role with documented evidence.
  4. Internal AI policy defining allowed/prohibited uses, human supervision, prompt management with personal data, synthetic content marking.
  5. Contracts with providers revised to delimit responsibility, demand Art. 13 information access and audit clauses.
  6. Incident notification procedure: who detects, who evaluates, who notifies AESIA within Art. 73 deadlines.

Frequently asked questions

What AI Act obligations affect me as an SMB deployer?

If your SMB only uses AI systems developed by third parties (deployer), the main obligations are: verify that none of them falls under the Article 5 prohibited practices; ensure AI literacy of personnel (Art. 4) since February 2025; if you deploy Annex III systems, comply with Art. 26 (human supervision, input data control, log retention, information to affected persons, incident notification); comply with Art. 50 transparency obligations from August 2026.

What fine can I face for non-compliance with the AI Act?

Up to €35 million or 7% of worldwide annual turnover (whichever is higher) for breaching Article 5 (prohibited practices). For breaches of general obligations the cap is €15M or 3% of turnover. For supplying incorrect information to the authority: €7.5M or 1%. The Regulation lets Spain apply the lower figure between absolute and percentage amounts for SMBs and startups.

When does the AI Act actually apply to my company?

It applies in phases. Art. 4 (AI literacy) and Art. 5 (prohibited) on 2 February 2025. Chapter V (GPAI) and sanctions on 2 August 2025. On 2 August 2026 the bulk of the Regulation including Annex III high-risk systems, Art. 50 transparency and full governance. Annex I on 2 August 2027. If your company uses any AI system, the relevant date today is August 2026.

Do I need an AI Officer or does the DPO cover this?

The Regulation does not formally require an "AI Officer" analogous to the GDPR DPO. However, for SMBs deploying high-risk systems, obligations of human supervision, log retention, incident notification and literacy documentation require an identifiable responsible person. The sensible move is for the existing DPO to expand functions to AI governance, or to appoint a specific AI lead when volume justifies it.

Does Art. 4 AI literacy require official certification?

No. Art. 4 requires a "sufficient level" of literacy, proportional to each person's role, without requiring official qualification. What it does require is demonstrable training: contents, attendees, dates, evaluation. Guidelines published by the European Commission's AI Office in 2025 include role-based training plan examples.

Are ChatGPT, Claude or Copilot high-risk systems?

By themselves, not necessarily. They are general-purpose models (GPAI) subject to Chapter V. The "high risk" qualification depends on use: if your SMB integrates Claude or ChatGPT into a candidate scoring system or educational admissions evaluation, that system becomes high risk (Annex III) and you as deployer take on Art. 26 obligations.

How does the AI Act relate to GDPR?

They are complementary, not substitutive. GDPR regulates personal data processing. The AI Act regulates AI systems themselves. A company using AI for credit scoring (Annex III) simultaneously complies with GDPR (lawful basis, data subject information, Art. 22 rights, impact assessment) and the AI Act (human supervision, log retention, AESIA notification). The AEPD and AESIA have signed coordination protocols.