Regulation (EU) 2024/1689 of the European Parliament and of the Council on artificial intelligence, known as the AI Act, entered into force on August 1, 2024. In 2026 its key obligations activate for all companies that deploy or work with AI. Fines reach up to 35 million EUR or 7% of worldwide turnover (whichever is higher). For Slovak SMBs, the AI Act means concrete obligations that most companies are still unaware of. Let’s go through what you really need to know, without the legal jargon.

Why the AI Act affects smaller companies too

A widespread myth: “The AI Act is for OpenAI and big AI companies, it does not concern us.” The opposite is true. The AI Act distinguishes three roles:

  1. Providers: developers/suppliers of AI systems (OpenAI, Anthropic, also Slovak software companies)
  2. Deployers: companies that use AI (your HR department with an AI assistant)
  3. Importers / distributors: companies that distribute AI

If your company uses ChatGPT, Claude, Microsoft Copilot, Gemini, or an HR/CRM system with AI functionality, you are a deployer. And deployers have obligations, especially for high-risk AI systems.

4 risk levels of AI systems, what belongs where

The AI Act classifies AI systems into 4 categories by risk.

Level 1: Unacceptable risk (prohibited)

What belongs here: Social scoring of citizens (the Chinese model), subliminal manipulation techniques, emotion recognition in the workplace (!), biometric categorization by race/political views, real-time remote biometrics in public space.

What it means for SMBs: You cannot deploy an AI system that:

  • Detects the emotional state of employees in an open-plan office (even if you wanted to)
  • Evaluates employees by political views
  • Creates manipulative ads targeting vulnerable groups (children, people with depression)

Effective: From February 2, 2025.

Level 2: High risk

What belongs here (relevant to SMBs):

  • AI in HR: CV screening, performance evaluation, hiring/promotion decisions
  • AI in credit / credit scoring
  • AI in grading in education
  • AI in decisions on social benefits
  • AI in critical infrastructure (energy, water)

What it means for SMBs: If you use AI for automatic CV pre-screening, you must:

  • Have human oversight (a human must be in the loop before every important decision)
  • Log operations
  • Inform candidates that AI is being used
  • Have a risk management system (DPIA + AI risk assessment)
  • Ensure quality of training data (no bias)

Effective: Main wave on August 2, 2026.

Level 3: Limited risk, transparency

What belongs here:

  • Chatbots (must identify themselves as AI)
  • Deepfakes: generated images/video must be labeled
  • AI systems recognizing emotions/biometrics (outside high-risk cases)

What it means for SMBs: If you have an AI chatbot on your site, you must clearly state on it “You are communicating with an AI assistant.” If you use AI to create marketing photos (deepfake-like), they must be labeled.

Effective: August 2, 2026.

Level 4: Minimal risk (most AI)

What belongs here: Spam filters, AI in games, recommendation algorithms, AI assistant in a text editor, automatic invoice categorization, anomalies in cash flow, predictive inventory models.

What it means for SMBs: No obligations beyond GDPR. You can use it without restriction. But it is still a good idea to have an internal AI policy.

Human oversight, what it really means

“Human in the loop” is a key concept in the AI Act. It is not enough for AI to propose a decision and a human to click OK. There must be:

  • Human ability to understand the AI’s output (not a black box)
  • Ability to intervene, override, cancel, stop
  • Training of people who work with AI
  • Process documentation: who reviewed, when, and how

Concrete example: In a recruiting company you use AI to evaluate CVs. You cannot automatically send a rejection to candidates with a low score. Every CV must be seen by an HR manager who has the option to override the AI assessment.

6 concrete AI use cases in SK SMBs and their classification

| Use case | Risk level | Obligations |
|---|---|---|
| Invoice categorization (OCR + AI) | Minimal | None (only GDPR) |
| Chatbot on the website | Limited | Transparency |
| AI in CRM, lead scoring | Minimal | No special ones |
| AI for CV screening in hiring | High | Human oversight + DPIA + log + info |
| AI for employee performance evaluation | High | Human oversight + DPIA + log |
| ChatGPT/Claude for writing texts | Minimal | Internal AI policy |

Tip: If you are unsure of the classification, use a simple test: “Does the AI make a decision that directly affects the work, career, finances, or fundamental rights of a specific person?” If yes, probably high risk.

Practical AI policy for SMBs, the minimum you need in 2026

Every company that uses AI (and in 2026 that will be every company) should have a short internal AI policy. Recommended content:

  1. List of approved AI tools (whitelist)
  2. Ban on entering sensitive / customer data into public AI (ChatGPT free); such data may go only into enterprise versions with a DPA
  3. Transparency rule: AI-generated content must be labeled
  4. Human review before publication / sending to a customer
  5. List of AI use cases with risk classification (update every 6 months)
  6. Training at least once a year
  7. Contact: who in the company handles AI questions (DPO or delegated manager)

Modulario provides AI features (document categorization, anomalies, assistant) at the minimal and limited risk level with full transparency and human oversight. More on the AI page and in the security documentation.

Sanctions, how much it can cost you

The AI Act defines 3 levels of fines:

| Violation | Maximum | For whom |
|---|---|---|
| Use of prohibited AI practices | 35M EUR / 7% of turnover | Everyone |
| Failure to meet obligations for high-risk AI | 15M EUR / 3% of turnover | Providers, deployers |
| Providing false information to the regulator | 7.5M EUR / 1% of turnover | Everyone |

For SMBs that sounds abstract, but regulators confirm they will fine proportionally. The typical fine for an SK SMB is expected in the range of 10,000-100,000 EUR, which is devastating for a company of 20 people.

Checklist for SK SMBs for 2026

  • Audit all AI tools used by employees in the company (including shadow ones)
  • Classify each by risk level
  • Write a 1-page AI policy and communicate it to the team
  • Cancel access to public AI tools (ChatGPT free) for sensitive data
  • Update GDPR documentation, DPIA for AI use
  • For hiring / HR AI: implement a formal human oversight process
  • Label chatbots and AI-generated content on the website
  • Add AI training to onboarding

Conclusion

The AI Act is not an existential threat for SK SMBs; it is a framework that protects customers and employees from AI misuse. Most SMB AI uses (OCR, categorization, text assistants) fall under minimal risk and require nothing more than an internal policy and training. Risk areas (HR, scoring) require human oversight and documentation.

Using AI and want to be sure you are AI Act compliant? See how Modulario approaches AI or book a free 30-minute consultation. We will go through your AI stack together and prepare a tailored compliance checklist.