The EU AI Act: The 2025/2026 Timeline and What SMEs Really Need to Do Now
The EU AI Act applies in stages. We explain the timeline in plain language and show the lean setup SMEs can use to implement AI literacy and governance without bureaucracy.
In nearly every Microsoft 365 audit we currently run for SMEs in the Berchtesgaden and Traunstein region, we encounter the same picture: ChatGPT open in a browser tab, Copilot licensed, and a handful of staff who have quietly enabled two or three more AI tools of their own — and nobody can say what data actually ends up there. AI arrived in the working day long before most businesses set a single rule for it. This is exactly where the EU AI Act comes in, and exactly why it matters even for companies that do not build AI themselves but merely use it.
The good news first: for an SME, the AI Act is no cause for panic and no reason for a sprawling compliance programme. It is more of a welcome prompt to tidy up a few things that needed tidying anyway. In this article we translate the official timeline into plain language and show the lean setup that lets you meet the key obligations without slowing your teams down.
The Timeline: What Applies When?
The AI Act has been in force since 1 August 2024, but it does not apply all at once — it phases in. These are the dates you should know:
- Since 2 February 2025: Certain AI practices are banned (such as social scoring or manipulative systems). At the same time, the AI literacy obligation applies — companies must take measures so their staff understand and use AI appropriately.
- Since 2 August 2025: The governance structures take effect, and obligations apply to providers of general-purpose AI (GPAI) models — the large language models behind Copilot, ChatGPT and the rest.
- From 2 August 2026: The AI Act becomes applicable in almost all respects. From this point, national authorities take over supervision and enforcement.
- Until 2 August 2027: An extended transition period applies to certain high-risk applications in regulated products.
One distinction matters for getting your bearings: the AI Act differentiates roles. Anyone who develops AI systems and places them on the market is a provider and carries far more extensive obligations. Most SMEs, by contrast, are deployers — they use finished tools. For deployers the list of obligations is manageable, but it is not zero. The AI literacy obligation applies to you regardless of whether you have ever built a single AI tool yourself.
AI Literacy: What the Obligation Means in Practice
AI literacy sounds like an abstract term from Brussels, but it means something very down to earth: your staff should understand what the AI tools they use can do, where their limits lie, and what risks arise from working with them. This is not a computer science degree — it is confidence in everyday decisions.
One subtlety is decisive and often overlooked in practice: the obligation has applied since 2 February 2025, even though official supervision only begins in August 2026. So you must already have taken measures — the fact that no one is checking yet changes nothing about the obligation itself.
In practice, AI literacy may and should be risk-based. A clerk using Copilot to draft emails needs different content from a developer adopting AI-generated code. From our experience, these four points form the core of a workable training session:
- Role- and tool-specific: Which tools are permitted in which department, and what exactly do they do?
- Data rules front and centre: What must never go into a prompt — and why.
- Name the typical risks: Hallucinations, data leakage, AI-assisted phishing, copyright pitfalls.
- Documentation: Record content, audience, frequency and attendance — this is your proof if anyone asks.
A 30- to 60-minute, role-specific session per team is often the biggest lever here. It creates more safety than any 40-page policy PDF that no one reads.
AI Governance for SMEs: The Minimal Setup That Works
You do not need an AI governance board or a specially appointed AI officer. What you need is a lean framework that immediately lowers the key risks. In our IT consulting projects the following minimal setup has proven itself:
- Tool list: A short overview of which AI tools are permitted (e.g. Microsoft Copilot with privacy options enabled) and which are explicitly not. This ends the quiet spread of shadow IT.
- Data rules: A clear statement of what must never go into prompts — customer and HR data, passwords, keys, confidential contracts.
- Roles: Who decides on new tools, who approves, who documents? A named owner is often enough.
- Access: Least privilege, MFA and — where licensed — sensitivity labels and DLP. In Microsoft 365 in particular, the permission structure is the practical lever that determines what Copilot can access at all.
- Incident plan: What happens if confidential data does end up in an AI tool? Who is informed, who decides?
The point about access rights is the one most underestimated in practice. Copilot shows a user exactly what that user is already allowed to see — but if permissions have run wild over the years and half the company has read access to the management drive, then AI suddenly makes that legacy mess visible and searchable. A clean permission structure is therefore part of every AI rollout. If you are unsure here, sort out the network and infrastructure layer before the AI rollout.
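The permission review the paragraph above calls for can be started from a plain export of who holds which permission level on which site. The following is an added example, not code from the original article or from Microsoft: it runs over a constructed sample export (site names, group names and headcount are assumptions) and flags sensitive sites where a single broad principal already gives a large share of the company at least read access, which is exactly what Copilot will then surface. A real export would come from your SharePoint or Microsoft 365 admin tooling; the logic below does not depend on any particular tool.

```python
"""Added example: spot permission sprawl that an AI rollout would make
searchable. All data below is constructed for illustration."""
from collections import defaultdict

# Constructed sample export: (site, principal, permission level).
SAMPLE_EXPORT = [
    ("Management", "Everyone except external users", "Read"),
    ("Management", "Board", "Full Control"),
    ("HR", "HR-Team", "Edit"),
    ("HR", "All Staff", "Read"),
    ("Sales", "Sales-Team", "Edit"),
    ("Sales", "Everyone except external users", "Read"),
]

# Assumed group sizes and total headcount for the example tenant.
GROUP_MEMBERS = {
    "Everyone except external users": 120,
    "All Staff": 120,
    "Board": 3,
    "HR-Team": 4,
    "Sales-Team": 20,
}
HEADCOUNT = 120

# Sites whose content must not be broadly readable (assumption for the example).
SENSITIVE_SITES = {"Management", "HR"}

# Any of these levels lets a user (and therefore Copilot on their behalf) read content.
READ_OR_HIGHER = {"Read", "Contribute", "Edit", "Full Control"}


def site_reach(export, group_members, headcount):
    """Return, per site, the fraction of staff with at least Read access.

    Group memberships overlap, so summing them would overcount. The largest
    single principal on the site is used instead, which gives a conservative
    lower bound on reach. Principals not listed in group_members are treated
    as a single user.
    """
    largest = defaultdict(int)
    for site, principal, level in export:
        if level in READ_OR_HIGHER:
            largest[site] = max(largest[site], group_members.get(principal, 1))
    return {site: min(n / headcount, 1.0) for site, n in largest.items()}


def review_permissions(export, group_members, headcount, sensitive_sites, threshold=0.25):
    """Flag sensitive sites where one principal gives more than `threshold`
    of the company read access. Returns a list of finding dicts."""
    findings = []
    for site, principal, level in export:
        if site not in sensitive_sites or level not in READ_OR_HIGHER:
            continue
        reach = min(group_members.get(principal, 1) / headcount, 1.0)
        if reach > threshold:
            findings.append({
                "site": site,
                "principal": principal,
                "level": level,
                "reach": round(reach, 2),
            })
    return findings


if __name__ == "__main__":
    for site, reach in site_reach(SAMPLE_EXPORT, GROUP_MEMBERS, HEADCOUNT).items():
        print(f"{site}: at least {reach:.0%} of staff can read")
    for f in review_permissions(SAMPLE_EXPORT, GROUP_MEMBERS, HEADCOUNT, SENSITIVE_SITES):
        print(f"FLAG {f['site']}: '{f['principal']}' has {f['level']} ({f['reach']:.0%} of staff)")
```

In the constructed tenant the Sales site is just as broadly readable as Management, but only Management and HR are flagged, because the review is scoped to the sites you have declared sensitive; that is the part to get right first, before cleaning up individual groups.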
A Real Example: AI Policy and AI Literacy in Two Weeks
How lean this can be is shown by a project at a mid-sized business in the region. The starting point: several teams using different AI tools in parallel, with no rules on data and approvals — a typical case.
In two weeks we jointly drew up a one-page AI usage policy with clear dos and don'ts, defined the permitted tools, set up role-based short trainings, and tightened the access rights in Microsoft 365. The result: noticeably less shadow IT, a demonstrably better level of data security, and clear responsibilities — without slowing the teams down in their daily work. The effort was small compared with the risk that had previously gone uncontrolled.
What SMEs Should Concretely Prepare for 2026
If you do not want to be reacting under pressure in 2026, these are the most sensible steps — in this order:
- Set up an AI literacy programme: short, role-specific, recurring.
- Write an AI policy and define an approval process for new tools.
- Introduce data classification and sensitivity labels so confidential material is technically protected.
- Control and clean up access rights to files, Teams and SharePoint.
- Assign responsibilities and document training.
- Review suppliers and tools: contracts, data protection, and where possible an EU Data Boundary.
The real work rarely lies in the technology but in setting clear rules. Once those are in place, implementation in Microsoft 365 or your existing tool landscape is usually done quickly. If you also want to harden data security, the IT security and cybersecurity area holds the right measures — from DLP through sensitivity labels to the incident process.
Conclusion
The EU AI Act is no bureaucratic monster but a clear signal: AI needs governance the moment people use it in their working day. For SMEs, three things are decisive — a pragmatic AI literacy training, clear tool rules, and robust data guardrails. The AI literacy obligation has applied since February 2025; full application arrives in August 2026. Invest the few weeks such a minimal setup costs now, and a year from now you will be in a far more relaxed position — using AI more safely and productively not despite, but because of, clear rules.