Back to home

Training

the ai act without panic

On what the AI Act actually asks of a small business: one afternoon of work, two calendar reminders, and no panic beyond that

For a small business with a customer service chatbot, the AI Act comes down to three things in practice from 2 August 2026: show customers they are talking to AI, be able to demonstrate attention to AI knowledge in your team, and know which AI tools you have in the building. Conformity assessments, EU registrations and thick risk dossiers only apply to high-risk applications, such as AI that screens job applicants or handles credit applications, and precisely those obligations are all but certain to shift to December 2027. Everything the law asks of an average small business fits in one afternoon.

That is a different story from the one your inbox tells. And it is a different story from the one the numbers suggest, too: according to research by the Dutch Chamber of Commerce (KVK), half of Dutch business owners are not familiar with the AI Act, only 7 percent are well informed, and 2 to 3 percent are actually taking preparatory measures (KVK, 2025). That survey dates from June 2025, well over a year before the deadline, and it is the most recent hard number available; today’s picture is hopefully somewhat better. But the gap remains striking: on one side an audience that largely does not know the law, on the other a compliance industry selling AI scans, register subscriptions and training courses at hundreds of euros per employee, as if every bakery needs a conformity dossier.

With fikst I build chatbots and AI workflows for Dutch small businesses, so I read this law as someone who has to comply with it himself. What follows is practical explanation with sources attached, not legal advice: if you have a genuine edge case, put it to a lawyer once.

what needs to be in place for my chatbot on 2 august 2026?

From 2 August 2026, every customer who talks to your AI system must be able to know it is AI: that is the transparency duty of article 50(1). The duty has no transition period and also applies to chatbots that have been live for years (Latham & Watkins, 2026). There is an exception for situations where it is already obvious to a normal user that they are talking to a machine, but that is not something you want to gamble on as a business. One visible sentence at the start of the conversation settles it.

For a regular service or FAQ chatbot, that is also where it ends. A chatbot that answers questions about opening hours, return policies or order status falls into the limited-risk category: disclosure required, nothing extra beyond that (research by chatbot company Gurusup, 2026). Only when an AI system independently makes decisions about people, think rejecting job applicants or assessing claims, does it move to the high-risk category with the full package of obligations.

One nuance that dies in many summaries: the “no transition period” applies specifically to paragraph 1 of article 50, the chatbot disclosure. The marking duty for synthetic content in paragraph 2, the machine-readable marking of AI-generated image and audio, did get a deferral through the Digital Omnibus: generative AI systems that were already on the market before 2 August 2026 only have to comply from 2 December 2026 (Latham & Watkins, 2026).

On paper the sanctions are steep: breaching the transparency obligations can run up to 15 million euros or 3 percent of global annual revenue, with the lower of the two applying to SMBs and startups (AI governance platform AIGN, 2026). That number is mostly useful to hold next to how small the fix is: one line of text at the top of your chat.

so is the ai act postponed or not?

Partially, and the phrasing matters: the deferral is all but certain, but not formally in force yet. The European Parliament approved the Digital Omnibus on 16 June 2026, and the Council gave its final green light on 29 June 2026 (Shumaker, 2026). That package moves the heavy obligations for high-risk AI under Annex III, such as recruitment and credit scoring, from 2 August 2026 to 2 December 2027; AI in regulated products under Annex I moves to August 2028. At the time of writing, 10 July 2026, the text has not yet been published in the Official Journal of the EU, and until that publication plus three days, the old timeline formally remains the legal baseline (DLA Piper, 2026). Publication is expected mid to late July, right before the deadline in other words, but an expectation is not law. What stays untouched through all of this either way: the transparency duty for chatbots stands firm on 2 August 2026.

How confusing the situation is shows at the regulator itself. On 10 July 2026, the page of the Dutch Data Protection Authority (AP) on the AI Act still stated that supervision of high-risk AI starts in August 2026 and that the regulation is fully in force by August 2027; both dates have been overtaken by the Digital Omnibus (Autoriteit Persoonsgegevens, 2026). And the European Commission’s page on AI literacy lists two different start dates for enforcement on the same page: 2 and 3 August 2026 (European Commission, 2025). If the official sources contradict themselves, you have no reason to feel embarrassed about losing the thread. The legislator is wrestling here with what I call the production gap elsewhere: the difference between announcing something and having it working in production.

the quiet obligation: ai literacy has applied since february 2025

The least known obligation is also the oldest. Article 4, the AI literacy duty, has applied since 2 February 2025 to every business that uses AI professionally, which includes the shop where the team uses ChatGPT or Copilot daily (European Commission, 2025). What is new from August 2026 is that the national regulators start enforcing it; in the Netherlands that sits with the AP.

What the duty entails has meanwhile changed, and in your favor. The same Digital Omnibus rewrites article 4 from an obligation of result, “ensure a sufficient level of AI literacy”, into a duty of effort: take appropriate measures to support the development of AI literacy (Stibbe, 2026). So there is no prescribed knowledge level and no exam or certificate. What you need is demonstrable effort: an overview of which AI tools your team uses, a team session on what those tools can and cannot do, and a note with the date and the participants. That is your file.

For completeness: Dutch supervision of the AI Act is divided across ten market surveillance authorities, with the AP as the catch-all for domains without a sectoral regulator of their own, including the transparency obligations of article 50 (Binnenlands Bestuur, 2026). For you as a small business owner that means the AP is, in practice, your point of contact.

what do I not have to do?

More than the average compliance mailing suggests. You do not have to commission a conformity assessment or register your system in an EU database; that belongs to high-risk AI, and a service chatbot does not fall under it as long as it makes no independent decisions about people (research by chatbot company Gurusup, 2026). You do not have to buy certified AI training; the law knows no certificates, and after the softening of article 4 the bar has moved down rather than up. You do not have to subscribe to AI register software; for a business with a handful of tools, a list in a shared document is enough. And a written AI policy is not legally required anywhere, although one page is the easiest way to make your effort demonstrable.

Honesty also demands the other side. If you use AI in recruitment and selection, credit decisions or another Annex III application, the deferral to December 2027 is extra preparation time for a track that is real work: risk management, documentation and human oversight. Start on that this year, with help. And if you offer a generative AI product of your own that produces image or audio, put the marking duty of December 2026 in your calendar.

the checklist: done in one afternoon

For the average small business with a chatbot and some AI tools around the office, this is the entire homework:

  1. Take stock of your AI (30 minutes). Walk through which AI is active in your business: the chatbot on your site, ChatGPT or Copilot at the office, AI features in your email or accounting software. Put it in one document.
  2. Do the high-risk check (15 minutes). Does any of those systems decide about people on its own, such as job applications, credit or claims? If no: done. If yes: plan a separate track toward December 2027 and bring in expertise.
  3. Put the AI notice live (30 minutes). Have your chatbot introduce itself as an AI assistant at the start of every conversation. If you run a voice bot on the phone, do not forget that one. How to deliver that notice without losing trust is covered in what klarna really teaches.
  4. Check your AI content (15 minutes). If you publish AI-generated image or audio that could pass for real, make sure it is recognizable as such.
  5. Write a one-page AI policy (45 minutes). Which tools you use, what for and what not, what never goes into a prompt (customer data, passwords), and who the point of contact is.
  6. Hold a team session and document it (60 minutes). Discuss the one-pager, show where the tools go wrong, and note the date, the participants and the topics. That is your article 4 effort, documented.
  7. Put two reminders in your calendar (5 minutes). December 2026: the marking duty for existing generative systems. Late 2027: the high-risk obligations. Check the current state at those moments, preferably in the Official Journal and not just on a regulator’s page.

Add it up and you land at around three hours of work. No scan and no certificate.

My position: for the vast majority of Dutch small businesses, the AI Act is one afternoon of work and two calendar reminders, and anyone selling you a bigger package is earning from uncertainty the legislator fed with its own fumbling of the timelines. Plan that afternoon this month, and on 2 August you are ready and can archive the rest of the compliance mailings with an easy mind.

frequently asked

Do I have to tell customers they are talking to a chatbot?
Yes. From 2 August 2026, article 50(1) of the AI Act requires that users know they are communicating with AI, unless that is already obvious. One visible notice at the start of the conversation is enough for a regular service chatbot. The duty applies without a transition period, so it also covers chatbots that have been live for years.
Is an AI register or AI certificate mandatory for small businesses?
No. Nothing in the AI Act obliges an SMB with only low-risk tools to buy register software, certificates or certified training. Your own overview of your AI tools and a documented team session are enough to make the article 4 duty of effort demonstrable.
What fine can I get if my chatbot has no AI notice?
On paper up to 15 million euros or 3% of global annual revenue, with the lower of the two applying to SMBs. How actively the Dutch Data Protection Authority (AP) will enforce in practice from August 2026 has not been announced yet. Since the fix costs one line of text, this is a risk to remove rather than to estimate.
Does the AI Act apply if I only use ChatGPT or Copilot?
Yes, through the AI literacy duty of article 4, which has applied since 2 February 2025 to every business that uses AI professionally. Since the Digital Omnibus it is a duty of effort: you must be able to show appropriate measures, such as a short internal policy and a documented team session. The law asks for no exams or certificates.
nlen