The EU AI Act from 2 August 2026: What Now Applies to Your Website. A Checklist for SMEs.
On 2 August 2026, the grace period ends. From that day, the transparency obligations of Article 50 of the EU AI Act apply, and the supervisory authorities can penalise violations with fines. Until now, the AI regulation has been, for most small and medium-sized enterprises, a topic for large corporations and AI vendors. That is changing now, and in a place many think of last: their own website.
If your website runs an AI chatbot, shows AI-generated images or publishes texts straight from a generator, you should go through the following points once before the deadline. It takes about half an hour.
What happens on 2 August 2026
The EU AI Act (Regulation (EU) 2024/1689) has been in force since August 2024, but is being phased in step by step. The bans on certain AI practices have applied since February 2025, the rules for large general-purpose AI models since August 2025. On 2 August 2026 comes the part that affects website operators directly: the transparency obligations of Article 50. On the same day, the national supervisory authorities take up their work. The obligations for high-risk systems under Annex III, originally scheduled for this date as well, were postponed by the Digital Omnibus to 2 December 2027 (Annex I to 2 August 2028); the transparency obligations under Article 50 are not affected.
For a normal company website, Article 50 is the relevant part. It governs when visitors must be informed about the use of AI.
Obligation 1: The chatbot must identify itself
If an AI system on your website interacts directly with people, they must be told that they are communicating with an AI (Art. 50(1)). At the latest at the first interaction, clearly recognisable. A note buried somewhere in your terms of service or legal notice is not enough.
The regulation makes an exception where the use of AI is obvious anyway from the perspective of a reasonably well-informed user. We would not rely on that. Whether a court considers your chatbot "obviously AI" is not something you want to find out. One sentence in the chat window ("You are chatting with our AI assistant") costs nothing and settles the question.
Obligation 2: AI content. A lot of nonsense is being told here.
A claim is circulating online that from August, every AI image and every AI text must be labelled. That is not what the regulation says. Article 50 distinguishes cleanly between providers, meaning the makers of the AI tools, and deployers, meaning companies like yours that use those tools.
The much-cited machine-readable marking of AI output (Art. 50(2)) is a provider obligation. It applies to the makers of image and text generators, not to their customers.
As a deployer, you must disclose in two cases (Art. 50(4)). First, deepfakes: AI-generated or manipulated image, audio or video content that depicts real people, places or events deceptively authentically. Second, AI-generated texts that inform the public on matters of public interest. For texts, however, there is an exception that makes the difference for most companies: if a human has editorially reviewed the content and a natural or legal person bears editorial responsibility, the labelling obligation does not apply.
In practice: the AI-assisted blog article your marketing team has edited does not trigger a labelling obligation. The deceptively real AI photo of a real person does. The generic AI illustration in the header in between falls under no deployer obligation.
Obligation 3: Emotion recognition and biometric categorisation
Anyone using systems for emotion recognition or biometric categorisation must inform the persons concerned (Art. 50(3)). On company websites this is rare. It becomes relevant with tools that analyse webcam data or voices, for instance in some video recruiting or analytics applications.
What violations can cost
Violations of Article 50 can cost up to 15 million euros or 3 percent of worldwide annual turnover, whichever is higher (Art. 99). For perspective: most GDPR-related warning letters of recent years involved a few hundred euros per case. How hard the authorities will actually crack down on SMEs, nobody knows today. That they are allowed to from 2 August is certain.
Alongside this, the GDPR continues to apply unchanged. An AI chatbot that processes personal data still needs a legal basis, a data processing agreement with the tool provider and an entry in the privacy policy. The AI Act comes on top, it replaces nothing.
Does this apply to Swiss companies too?
Switzerland is not an EU member, and the AI Act is not Swiss law. But it reaches across the border: the regulation also applies to companies outside the EU when their AI systems are placed on the EU market or the system's output is used in the EU (Art. 2). If your website deliberately targets customers in the EU, you should not file the obligations above away as a purely EU matter. The GDPR has long worked the same way: it applies to companies outside the EU that offer goods or services to people in the EU. And the revised Swiss FADP adds a national layer of its own.
The checklist: know where you stand in 30 minutes
- Create an AI inventory of your website. Which AI features are embedded? Chatbot, recommendation widget, AI search, automatic translation, AI-generated images or texts. Purchased third-party tools count too.
- Check the chatbot notice. Does your chat widget clearly tell users at the first interaction that they are talking to an AI?
- Go through your AI images. Does any of them show real people, places or events deceptively authentically? Then label it. Generic AI illustrations can stay as they are.
- Classify your AI texts. Do you publish AI texts on matters of public interest? Then ensure editorial review or label them.
- Update your privacy policy. Does it mention the use of AI? Are there data processing agreements with the AI providers?
- Assign responsibility. Someone in-house should keep an eye on AI use and the legal situation. The AI Act will continue to roll out until 2027.
- Check recurringly, not once. Websites change. A new plugin or a campaign landing page can quietly add new AI services or trackers.
Honestly: point 1 is the catch. What your website really loads is not something you can see from the outside.
Know where your website stands. Before 2 August.
The free WeCheck360 teaser scan checks your website in a few minutes for GDPR and the EU AI Act together: detected AI services, tracking, cookie consent, transparency obligations. You see your score and the number of findings immediately. Just URL and email, no subscription.
Check your website for free nowFrequently asked questions
Does the AI Act also apply to small businesses?
Yes. The transparency obligations of Article 50 make no exception based on company size. What matters is whether an affected AI system is in use, not the number of employees.
Do I have to label ChatGPT texts on my website?
Usually not. As long as a human reviews the texts editorially and your company bears responsibility for the publication, the exception in Art. 50(4) applies. It only becomes critical when AI texts on matters of public interest are published without review.
Isn't my cookie banner enough?
No. Cookie consent (GDPR/ePrivacy) and AI transparency (AI Act) are two separate matters. A cookie banner says nothing about the fact that your chat runs on AI.
How do I know which AI services my website even loads?
Often you do not, and that is the real problem. Many websites load AI and tracking services through third-party scripts without the operator knowing. An automated scan makes visible what is actually loaded.
Last updated: July 2026. This article has been editorially reviewed and does not constitute legal advice. For your individual case, consult a specialised law firm or your data protection officer.
Sources:
- Regulation (EU) 2024/1689 (EU AI Act), Art. 50, Art. 99, Art. 113 — EUR-Lex full text
- AI Act Implementation Timeline (artificialintelligenceact.eu)
- Art. 50 in the AI Act Explorer
