The EU AI Act and August 2026: What Singapore SMEs With EU Exposure Actually Have to Do

The EU AI Act, Regulation (EU) 2024/1689, entered into force on 1 August 2024, but none of its requirements applied at that moment. The Act switches on in phases. The phases that matter most to a smaller company arrived first.

Article 113 sets the schedule. Chapters I and II applied from 2 February 2025, which brought both the prohibited-practice rules in Article 5 and the AI literacy obligation in Article 4 into effect. Then on 2 August 2025, the general-purpose AI rules in Chapter V, the governance provisions in Chapter VII, and the penalty framework in Chapter XII, including Article 99, all became applicable. The high-risk obligations tied to Annex III are the part scheduled for 2 August 2026 under the original text.

Read that order again. The fines are already on. The literacy duty is already on. The transparency and GPAI documentation rules are already on. The one thing still sitting in the future is the high-risk regime, and that is precisely the thing now likely to move.

The Commission's Digital Omnibus on AI is proposal COM(2025) 836, published on 19 November 2025. It proposes to tie the high-risk timelines to the availability of harmonised standards. The agreement reached in negotiation would set standalone high-risk systems to 2 December 2027 and embedded, product-integrated high-risk systems to 2 August 2028.

Co-legislators reached a provisional agreement on 7 May 2026, with a committee vote on 2 June 2026 and a plenary vote in the June session, and Council adoption expected after that. As of mid-June 2026, it is close to adoption but not yet law and not yet published in the Official Journal.

That last point is the whole discipline. Until the Official Journal publishes the change, the original 2 August 2026 date remains the binding legal baseline. The correct posture is neither panic nor dismissal. Treat high-risk readiness as deferrable while you confirm whether any of your systems are high-risk at all, because for most SMEs the answer is no.

A common assumption is that an EU regulation cannot touch a company registered in Singapore. It can. Article 2 gives the Act extraterritorial scope: it applies to providers and deployers located in a third country, such as Singapore, where the output produced by the AI system is used in the Union. If your AI system produces results that land in front of users, customers, or decisions inside the EU, you are in scope regardless of where your servers or your UEN sit.

That is why the staggered timeline matters to a Singapore reader. The obligations that are already live, AI literacy, transparency, and GPAI-downstream documentation, follow your output into the EU today. They do not wait for 2026 or 2027.

Three obligations deserve a Singapore SME's attention before any high-risk planning.

First, AI literacy. Article 4 requires providers and deployers to ensure a sufficient level of AI literacy among staff and anyone operating AI systems on their behalf. It applies to all AI systems regardless of risk level, and it has been in force since 2 February 2025. This is a people-and-process duty, not a product certification.

Second, transparency. Article 50 requires that systems interacting with humans disclose the AI interaction unless it is obvious from context, and that AI-generated output be marked as artificially generated. The deployer duty to label AI-generated text applies specifically to text published to inform the public on matters of public interest.

Third, GPAI-downstream documentation. The general-purpose AI model obligations in Chapter V became applicable on 2 August 2025, and a downstream provider building on a GPAI model is typically the provider of the new system. It must retain the upstream technical documentation to meet its own obligations. If you built a product on top of a foundation model, this is you.

The penalties behind these are real. Article 99 sets maximum fines of up to 35,000,000 euros or 7% of worldwide annual turnover for breaching the Article 5 prohibitions, up to 15,000,000 euros or 3% for other infringements, and up to 7,500,000 euros or 1% for supplying incorrect or misleading information. For SMEs, including start-ups, each fine is capped at the lower of the percentage or the fixed amount. That is the one piece of genuinely good news in the penalty structure.

Most SMEs are not building Annex III high-risk systems. The mistake is treating that as something you assume rather than something you record. Write a high-risk classification memo. Keep it short and dated. State which of your AI systems are in EU scope, walk through why each one does or does not fall into a high-risk category, and name the live obligations you are meeting instead.

That memo does three things. It stops you pre-spending budget and engineering time on a high-risk readiness program you may never need, especially with the deadline likely moving to late 2027. It gives you a defensible answer when a regulator or an enterprise customer asks. And it forces you to confirm the literacy, transparency, and documentation obligations that genuinely apply today are actually in place.

In other words, the useful 2026 project is not a compliance fire drill. It is a paper trail plus three already-required habits.

Read closely, the Act's requirements are software requirements. The human-oversight duty is a confirm-step before an automated action takes effect. The record-keeping duty is an audit trail of what the system did and why. AI literacy and transparency are properties of how your systems are built and how they describe themselves. A structured, governed agent architecture is the literal translation of those clauses into running code, which is the compliance dividend of building the agent-ready business layer well in the first place.

This is the thread that runs through how we think about a governed business brain at Origin Pi: a system where every agent action is logged, attributable, and reversible by design, so that meeting a record-keeping or human-oversight duty is a configuration, not a retrofit. If you want the practical framing, our work on AI compliance covers turning regulatory clauses into operating controls, and our AI governance work covers the oversight and audit-trail architecture that makes those controls hold up. None of this requires a high-risk program you may not need. It requires doing the live obligations properly, on a foundation that already records its own work.

• The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024, with none of its requirements applying at that stage.
• Article 113(a): Chapters I and II, including Article 5 prohibitions and the Article 4 AI literacy duty, apply from 2 February 2025.
• Article 4 requires providers and deployers to ensure AI literacy among staff, applies to all AI systems regardless of risk level, in force since 2 February 2025.
• Article 99 maximum administrative fines, including the SME cap to the lower of the percentage or fixed amount.
• Digital Omnibus on AI, COM(2025) 836, proposed dates: standalone high-risk to 2 December 2027, embedded systems to 2 August 2028; provisional agreement 7 May 2026, not yet law.
• Article 2 extraterritorial scope: applies to third-country providers and deployers where AI output is used in the Union.
• Article 50 transparency duties: disclosure of AI interaction and marking of AI-generated output.