AI Act 2026 for small businesses in the Czech Republic: practical checklist before August


The European AI Act is not a topic only for corporations and model developers. From August 2026, it will also affect small companies in the Czech Republic in practice if they use tools for recruitment, customer support, marketing, employee monitoring, or document work. It is not about “having AI,” but about recognizing when a company is already entering a regime of obligations: as a provider, deployer, importer, or distributor of an AI system.

For a smaller business, the biggest risk is usually more mundane than high fines: it buys a service that looks like ordinary automation, but in reality falls under regulated use. The second common problem is documentation. If someone in the company is already using generative AI today to work with personal data, make decisions about people, or automate communication, it is advisable to start keeping records of use, contractually vetting suppliers, and setting internal rules before summer 2026.

If you first need to clarify the differences between ordinary AI assistants and business tools, the overview at AIVýběr is useful. For orientation in categories, you can also browse the directory of AI tool categories, where it is clearly visible how easily marketing or HR software can shift into a regulated regime.

What will actually change for small businesses from August 2026


August 2026 is important for most businesses because on 2 August 2026 the bulk of the regulation becomes applicable, including the obligations for the high-risk systems listed in Annex III (the ones relevant to HR, credit, education, and biometrics) and the transparency obligations for chatbots and generated content. High-risk systems that are safety components of products covered by other EU product legislation follow a year later, in August 2027. A small company does not have to “train” anything itself. It is enough that it deploys a ready-made system in an area where the AI Act works with higher risk: for example in recruitment, employee evaluation, access to education, credit scoring, or biometric identification.

What to do: by the end of Q1 2026, make an inventory of all AI tools according to their specific use, not according to the application name. For each tool, write down three things: what it is used for, over whom or what it makes decisions, and whether it works with personal data.

Who this is for: especially companies with up to 50 employees that have AI scattered across marketing, sales, HR, and customer support without a central owner.

When not to use this: it is not enough to rely on the list of applications in accounting or IT. Tools such as ChatGPT, Microsoft Copilot, Make AI, or various CRM add-ons are often paid for by card outside the standard purchasing process and may not appear on the official list at all.

From the perspective of roles, it is crucial to distinguish whether you are only a deployer, or whether you also modify the system’s behavior for clients or employees. As soon as, for example, an agency builds a custom chatbot for a client on top of a third-party model, it may no longer be just an “ordinary user.” Under Article 25 of the Act, a deployer that puts its own name or trademark on a high-risk system, substantially modifies it, or changes its intended purpose so that it becomes high-risk takes on the provider’s obligations, which are considerably broader than those of simple internal deployment.

It is advisable to follow the official text and timeline directly from the European Commission: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai and on the EUR-Lex portal: https://eur-lex.europa.eu/.

First step: divide company AI into four piles by risk


Without dividing by risk, it is impossible to decide what can remain in a light regime and what already requires stricter governance. In a small company, four groups will usually emerge.

1. Prohibited uses

This covers the practices the AI Act prohibits outright, and these prohibitions have already applied since 2 February 2025, so there is nothing to wait for here. The ones a small company is most likely to meet are manipulative or exploitative techniques, inferring the emotions of people in the workplace or in education (except for medical or safety reasons), biometric categorisation that infers attributes such as race, political opinions, or sexual orientation, and untargeted scraping of facial images to build recognition databases. For most small companies, the signal is simple: avoid buying tools promising “secret emotion analysis,” “hidden candidate evaluation based on video,” or “automatic detection of employee unreliability from facial expressions.”

What to do: add a ban to your purchasing rules on acquiring tools with emotion analysis, biometric profiling, and autonomous evaluation of people without legal assessment.

Who this is for: HR, security agencies, retail with camera systems, and schools or educational companies.

When not to use this: do not use the supplier’s marketing claims as proof of compliance. For these functions, it is necessary to rely on the official product documentation and a legal assessment of the specific deployment.

2. High-risk systems

This is the most important group from the perspective of small companies. A typical example is AI in recruitment, CV screening, candidate recommendation, employee evaluation, or decision-making about access to essential services.

What to do: for these tools, verify whether the supplier provides technical documentation, instructions for use, a description of limitations, requirements for human oversight, and information for record-keeping. Then plan for the deployer’s own duties under Article 26: use the system in line with those instructions, assign oversight to named people who have the competence and the authority to overrule it, keep the logs the system generates for at least six months, and, where the system is used at the workplace, inform the affected employees and their representatives before it goes live.

Who this is for: companies with their own HR, staffing agencies, call centers, and companies using scoring of employees or applicants.

When not to use this: do not use them for fully automated rejection of a candidate without human review if the output significantly affects their chance of getting a job.

3. Systems with transparency obligations

This usually includes chatbots, text, image, or voice generation, and situations where the user must be clearly informed that they are communicating with AI or that the content was artificially created.

What to do: add labels for chatbots on the website, in customer support, and for AI-generated audiovisual content. In internal email and ticket templates, set a sentence stating that the first draft of the response may have been created with the help of AI and is subject to employee review.

Who this is for: e-shops, SaaS companies, marketing agencies, and providers of online support.

When not to use this: do not hide AI behind an allegedly “live operator” if the customer is in fact communicating with an automated system.

4. Ordinary internal use with low impact

This often includes meeting summaries, text drafts, translations, or searching internal documents. Even here, however, the obligation remains to address security, contracts, and data protection.

What to do: define a list of approved tools and types of data that employees are allowed to enter into them.

Who this is for: accounting firms, small manufacturing companies, agencies, and sales teams.

When not to use this: do not enter non-anonymized contracts, health data, payroll data, or non-public source code into public versions of AI services without an approved regime.

Procurement checklist: what to require from an AI supplier before signing the contract


Small companies often make the mistake of buying an AI feature as if it were an ordinary SaaS add-on. But for AI tools, a price list and DPA are not enough. You need to know what the system’s limits are, who is responsible for updates, how logging is handled, and whether the supplier allows human oversight.


What to do: send the supplier a short 10-point questionnaire in advance. Minimum content: purpose of use, risk category, deployment conditions, accuracy limitations, human oversight, logs, data retention period, subcontractors, processing location, incident procedure.

Who this is for: managing directors, buyers, IT administrators, and HR managers who order the tool on behalf of the company.

When not to use this: it is not enough to accept a general marketing document such as “Responsible AI principles.” That usually does not address the specific obligations for your deployment.

For real services, it is also worth verifying the terms and conditions and administrative functions. For example:

  • OpenAI ChatGPT Team / Enterprise – address workspace management, retention rules, disabling training on customer data under the current terms, and audit settings. Indicative price: ChatGPT Team around USD 25–30 per user per month with an annual commitment, according to the current price list. Official source: https://openai.com/business/chatgpt-pricing/.
  • Microsoft Copilot for Microsoft 365 – verify licensing prerequisites, access management through Microsoft 365, audit logs, and Data Loss Prevention policies. Indicative price: around USD 30 per user per month, depending on region and contract. Official source: https://www.microsoft.com/en-us/microsoft-365/copilot/business.
  • Google Workspace with Gemini – important points are administrative policies, logging, and the mode of working with company data within Google Workspace. Indicative prices vary by plan. Official source: https://workspace.google.com/.

The result of this step should be practical: for each tool, know whether it is suitable for internal writing, whether it may work with personal data, and whether it may be used in HR or customer decision-making. If you do not get the answers, that is in itself a warning sign.

HR and recruitment: the area where small companies make mistakes most often


Recruitment is often the first place where convenient automation becomes high-risk use. This concerns tools for CV screening, automatic applicant scoring, shortlist recommendation, or video interview analysis.

What to do: introduce a rule that AI in HR may only sort administrative duplicates, summarize materials, and suggest questions. It must not decide on rejecting a candidate on its own without reviewable human intervention.

Who this is for: companies hiring in larger volumes, recruitment agencies, and franchises with multiple branches.

When not to use this: do not use AI analysis of face, voice, or emotions in interviews if the supplier claims it can infer “motivation,” “honesty,” or “cultural fit” from them. Inferring the emotions of people in the workplace is one of the practices the AI Act prohibits outright (applicable since February 2025), and the Commission’s guidance reads the workplace as including the recruitment process. Such claims are in any case not backed by evidence you could defend if a rejected candidate challenged the decision.

Practical scenario: a small e-shop is hiring warehouse workers and customer support staff. It uses an ATS system that can recommend candidates based on past recruitment. If the system effectively creates a ranking of applicants and the recruiter follows it, it is necessary to assess whether this is not a high-risk deployment. A safer setup is to use AI only for extracting data from CVs and creating summaries, while the final selection criteria and decision remain with a human who has a duty to justify them.

The advantage is that even without an expensive compliance project, three inexpensive steps can be taken: write a 2–3 page internal HR policy, enable logging of recruiters’ work in the ATS, and add wording to the information for applicants. The indicative cost of an external legal review of such a basic setup at smaller firms may range roughly from CZK 10,000 to 30,000 depending on scope; this is an indicative figure, not a fixed price list.

Marketing, content, and customer support: mainly transparency and data protection

In marketing and support, the main problem is usually not high risk, but a combination of three things: misleading the user, working with personal data, and uncontrolled generation of incorrect information. This is exactly the area where most risks can be reduced with a simple process.


What to do: introduce mandatory review of AI outputs before publication, a rule for labeling chatbots, and a ban on entering entire customer databases into unapproved tools.

Who this is for: e-shops, B2B services, agencies managing campaigns, and companies with a helpdesk.

When not to use this: do not use a public chatbot to answer complaints, returns, or individual contractual terms without a strictly limited knowledge base and human escalation.

Practical scenario: a company deploys a chatbot on its website and connects it to FAQs. That is reasonable if it is clearly labeled as an automated assistant, if the user can easily switch to a human, and if the answers do not interfere with legal or financial decisions. By contrast, connecting a chatbot directly to internal documents without authorization checks and letting it improvise over non-public data is a common recipe for information leakage: the bot must only retrieve what the asking user is allowed to read, and any text it ingests (web pages, tickets, uploaded files) can carry instructions that hijack its behavior, so retrieved content has to be treated as untrusted input rather than as commands.

For generated content, address two levels. The first is truthfulness and responsibility for commercial claims. The second is copyright and contractual cleanliness of the inputs. For images and videos, also follow the service terms. Real tools such as Adobe Firefly, Midjourney, or Canva AI have different rules for commercial use, moderation, and handling of outputs; always rely on the provider’s current terms on the official website.

If you are choosing a tool for a content team, a comparison in the overviews on AIVýběr may be useful, for example on the AI text generators hub, where it is clearly visible that there are major differences between tools in language quality, administration, and business mode.

Documentation, logs, and internal policies: the minimum without which it will not work

A small company does not need an extensive governance program right away, but without basic documentation it cannot demonstrate that it uses AI in a controlled way. In practice, it is enough to start with four documents that can be prepared within a few weeks.

What to do: prepare 1) an AI tools register, 2) rules for permitted data, 3) role responsibilities and approval of new tools, 4) a procedure for incidents and complaints about incorrect outputs.

Who this is for: all companies that have more than a few AI users and want to limit “shadow AI” outside the control of IT and management.

When not to use this: do not write a general policy copied from the internet without connection to specific tools. Such a document will not help employees decide what they are allowed to do tomorrow morning in practice.

The register should contain at minimum the tool name, owner in the company, purpose, type of input data, risk category, approved use, prohibited use, supplier, contractual basis, and date of last review. For logs, it is not necessary to archive every prompt if that does not make sense, but you need to be able to trace who used the tool, for which process, and who verified the critical output. One exception is firm: for a high-risk system, the deployer must keep the logs the system itself generates for at least six months, so check that the supplier exposes them and that you actually retain them.

A reasonable standard for a smaller business is a quarterly review of the register and one-off training for employees. The indicative price of a basic internal workshop led by an external consultant on the Czech market may range approximately between CZK 15,000 and 50,000 depending on length and preparation; again, this is an indicative figure.
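The register fields and the four-pile split above can be applied mechanically, which makes the quarterly review cheap to repeat. The following checker is an added example written for this article; it is not code from the article, the AI Act, or any product. The field names, the keyword sets used to assign a pile, and the 91-day review window are this example’s own assumptions, and the sample register is constructed.

```python
# Added example: apply the article's four risk piles and minimum register
# fields to a small AI-tools register. Field names, keyword sets and the
# 91-day review window are assumptions of this example, not legal text.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

REVIEW_INTERVAL = timedelta(days=91)  # assumed reading of "quarterly review"

# Assumed keyword sets mirroring the article's four piles
PROHIBITED_FEATURES = {"emotion_analysis", "biometric_profiling", "facial_reliability"}
HIGH_RISK_AREAS = {"recruitment", "employee_evaluation", "education_access",
                   "credit_scoring", "biometric_identification"}
TRANSPARENCY_FEATURES = {"chatbot", "text_generation", "image_generation", "voice_generation"}
MINIMUM_FIELDS = ("owner", "purpose", "supplier", "contract", "approved_use", "prohibited_use")


@dataclass
class Tool:
    """One register row: the article's minimum fields plus the flags needed to apply its rules."""
    name: str
    owner: str
    purpose: str                    # the specific use, not the application name
    area: str                       # e.g. "recruitment", "support", "internal"
    features: set = field(default_factory=set)
    personal_data: bool = False     # processes personal data
    ranks_people: bool = False      # output scores, ranks or recommends individuals
    customer_facing: bool = False   # output reaches customers or applicants directly
    labelled_as_ai: bool = False    # chatbot / generated content is labelled as AI
    human_review: bool = False      # a person can review and overrule the output
    usage_logging: bool = False     # who used it, for what, who verified the output
    supplier_docs: bool = False     # technical docs, limits, oversight instructions
    supplier: str = ""
    contract: str = ""              # e.g. "DPA 2025-11"; empty if none
    approved_use: str = ""
    prohibited_use: str = ""
    last_review: Optional[date] = None


def classify(tool: Tool) -> str:
    """Assign the strictest pile whose conditions the row meets."""
    if tool.features & PROHIBITED_FEATURES:
        return "prohibited"
    if tool.area in HIGH_RISK_AREAS and tool.ranks_people:
        return "high_risk"
    if tool.features & TRANSPARENCY_FEATURES and tool.customer_facing:
        return "transparency"
    return "low"


def check(tool: Tool, today: date) -> list:
    """Return (severity, message) findings for one row; an empty list means clean."""
    findings = []
    for name in MINIMUM_FIELDS:                       # completeness of the register row
        if not getattr(tool, name):
            findings.append(("warn", f"missing register field: {name}"))
    if tool.last_review is None or today - tool.last_review > REVIEW_INTERVAL:
        findings.append(("warn", "review overdue (quarterly)"))
    pile = classify(tool)                             # pile-specific conditions
    if pile == "prohibited":
        findings.append(("block", "prohibited feature set; stop use and escalate for legal review"))
    elif pile == "high_risk":
        if not tool.human_review:
            findings.append(("block", "high-risk use without reviewable human decision"))
        if not tool.usage_logging:
            findings.append(("block", "high-risk use without usage logging"))
        if not tool.supplier_docs:
            findings.append(("block", "high-risk use without supplier documentation"))
    elif pile == "transparency" and not tool.labelled_as_ai:
        findings.append(("block", "customer-facing AI output not labelled as AI"))
    if tool.personal_data and not tool.contract:      # GDPR side of the same row
        findings.append(("block", "personal data processed without contractual basis"))
    return findings


def review_register(tools, today: date) -> dict:
    """Map tool name -> (pile, findings) for a whole register."""
    return {t.name: (classify(t), check(t, today)) for t in tools}


# Constructed sample register for a small e-shop (no real products or vendors)
TODAY = date(2026, 3, 31)
SAMPLE_REGISTER = [
    Tool("ATS candidate ranking", "HR lead", "rank applicants from CVs", "recruitment",
         personal_data=True, ranks_people=True, supplier="ATS vendor", contract="DPA 2025-11",
         approved_use="CV data extraction", prohibited_use="automatic rejection",
         last_review=date(2026, 2, 1)),
    Tool("Website FAQ bot", "Support lead", "answer FAQ on the website", "support",
         features={"chatbot"}, customer_facing=True, supplier="Bot SaaS", contract="ToS 2025",
         approved_use="FAQ only", prohibited_use="complaints, contracts",
         last_review=date(2026, 3, 1)),
    Tool("Meeting summaries", "Ops manager", "summarize internal meetings", "internal",
         features={"text_generation"}, supplier="Workspace vendor", contract="MSA",
         approved_use="internal notes", prohibited_use="client data",
         last_review=date(2026, 3, 15)),
    Tool("Video interview scoring", "HR lead", "infer motivation from facial expressions",
         "recruitment", features={"emotion_analysis"}, personal_data=True, ranks_people=True,
         last_review=date(2025, 10, 1)),
]

if __name__ == "__main__":
    for name, (pile, findings) in review_register(SAMPLE_REGISTER, TODAY).items():
        print(f"{name}: {pile}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run as-is, the sample register yields the outcomes the article describes: the ATS ranking is high-risk and blocked until human review, logging, and supplier documentation are in place; the unlabelled FAQ bot fails only on labelling; the meeting summarizer is clean; the emotion-scoring interview tool is prohibited and, on top of that, has no contract and an overdue review. The keyword sets are deliberately crude; their value is that every tool gets a written category and a reason, which is exactly what the register is for.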

How to align the AI Act with GDPR, cybersecurity, and contracts

The AI Act is not a substitute for GDPR or security rules. In a small company, these areas mainly intersect where employees enter personal data, trade secrets, or client documents into AI. A common mistake is to think that if the service has a European data region, everything is solved. It is not.

What to do: carry out a quick assessment of data flows: what data enters the tool, where it is processed, who has access to it, and how long it is retained. Based on the result, adjust the DPA, access rights, and retention settings.

Who this is for: companies processing CVs, customer tickets, contracts, accounting documents, or sensitive internal documentation.

When not to use this: do not allow “Bring Your Own AI” for employees’ personal accounts if the company cannot demonstrate where the data goes and under what conditions it is processed.

Practical scenario: an accounting firm wants to use generative AI to summarize contracts and explain invoicing differences. That only makes sense if an approved company account is used, restricted access is set, a contractual framework with the processor exists, and sensitive data is minimized or anonymized before entry. Otherwise, it is safer to limit AI only to templates and general queries without client data.

In addition to GDPR, also think about security obligations according to the sector and company size. For tools connected to email, cloud storage, CRM, or an internal wiki, multi-factor authentication, role-based access control, and auditing of administrative changes are essential. This is not a “legal add-on,” but a technical foundation without which company AI very quickly becomes a source of incidents.

Practical month-by-month plan: what to complete by August 2026 without chaos

Small companies do not need a major transformation project. They need an order of steps. Below is a realistic plan for a business that today uses several AI tools across departments.

January to March 2026

  • Write up a register of all AI tools, including unofficially used services.
  • Divide uses into low risk, transparency, high-risk, and prohibited or inappropriate scenarios.
  • Stop new purchases without approval from the process owner.

What to do: appoint one responsible person, typically an operations manager, IT manager, or DPO, to maintain the register.

Who this is for: companies with 10 or more employees where AI is no longer used only by the founder.

When not to use this: do not postpone the inventory until a lawyer gets involved; the company itself must provide most of the list, not an external consultant.

April to May 2026

  • Review suppliers and add missing contractual and security information.
  • Issue a short internal policy for working with AI and prohibited inputs.
  • Adjust HR and customer support processes so that critical decisions are reviewed by a human.

What to do: prepare a one-page list of prohibited uses and send it to team leaders.

Who this is for: department managers who decide on specific tools and work procedures.

When not to use this: do not try to solve everything at once. Start with the departments that have the highest impact on people and data.

June to July 2026

  • Test logging, incident escalation, and the method for complaining about incorrect outputs.
  • Train employees on specific company scenarios, not generally about “AI.”
  • Add transparent labeling of chatbots and AI-generated content where necessary.

What to do: carry out one internal test: deliberately insert an incorrect AI output into a process and verify who catches it and when.

Who this is for: heads of operations, support, HR, and marketing.

When not to use this: do not leave training until the last week. Employees must clearly understand what is changing in their everyday work.

Limits: what the AI Act will not solve and where small companies often expect too much

Regulation alone will not ensure that a model does not hallucinate, that text will be commercially usable, or that an employee will not use an unapproved tool. The AI Act sets a framework of responsibility and conditions of use, but you must provide process quality yourself.

What to do: set measurable limits for AI use: where human review is mandatory, what error rate is still acceptable, and which tasks are outside the permitted scope.

Who this is for: companies that expect AI to speed up work but do not want to bear uncontrolled reputational and legal risk.

When not to use this: do not use generative AI as the sole source of factual information for legal, tax, medical, or personnel decisions.

Another limit is budget. A smaller business may feel that compliance will be expensive. In reality, most basics can be handled more cheaply than one larger incident: inventory of tools, a simple policy, review of three key suppliers, and training for risk teams. More expensive than that is chaos, where everyone uses a different tool on a different account and the company has no overview of data or responsibility.

FAQ

Does a small company in the Czech Republic have to appoint a special compliance manager because of the AI Act?

Usually not. For smaller businesses, it is enough to designate a specific responsible person and divide roles among management, IT, HR, and legal support. The important thing is that someone maintains the tools register and approves risky deployments.

We use ChatGPT only for text drafts. Do we fall into the high-risk category?

Not in itself. The risk lies in the specific use. If the tool serves only to create text drafts and does not influence decisions about people or access to essential services, it will usually be low risk with an emphasis on data protection and output control.

Is it necessary to label every text created with the help of AI?

Not always. The transparency obligation depends on the type of use. Chatbots must make clear that the person is talking to a machine, and deepfakes (synthetic images, audio, or video that look real) must be disclosed. For text, the deployer’s own disclosure duty applies to AI-generated text published to inform the public on matters of public interest, and even that falls away once the text has gone through human review and someone holds editorial responsibility for it. An internal working draft or a text substantially edited by a human therefore does not automatically require a label. The decisive factor is the context and whether the user could be misled.

What if the supplier refuses to provide detailed documentation?

It is a warning sign, especially in HR, scoring, or other sensitive processes. For less risky tools, a limited internal regime without personal data may be chosen. For risky use, it is safer to look for a supplier who can document the parameters, limits, and deployment conditions.

Is GDPR documentation enough for us, or do we need something more?

It is not enough. GDPR deals with personal data, while the AI Act targets the use of AI systems, transparency, human oversight, documentation, and other specific obligations. The documents overlap, but they are not interchangeable.

Do small companies face high fines immediately from August 2026?

The risk of sanctions exists and the ceilings are high: up to EUR 35 million or 7 % of worldwide annual turnover for prohibited practices and up to EUR 15 million or 3 % for most other obligations, with the rule that for SMEs the lower of the two figures applies. In practice, though, operational and contractual problems are visible earlier: poorly configured recruitment, an unlabeled chatbot, data leakage, or the inability to demonstrate how the company arrived at a decision. That is why it pays to focus mainly on processes, records, and supplier selection.

Conclusion

For a small company in the Czech Republic, the most important thing is not to know the entire text of the AI Act by heart. What matters is to do five practical things by August 2026: list the tools in use, divide them by risk, review suppliers, adjust processes in HR and customer support, and introduce short internal rules for data and responsibility. Those who postpone this usually run into not the complexity of the law, but the fact that no one in the company knows what is actually being used.

The good news is that most of the necessary steps are manageable even without a large budget. Start where AI affects people, money, and sensitive data. That is exactly where the benefit of records, transparency, and human control is greatest — and exactly where a small company can avoid expensive mistakes the fastest.

Recommended AI stack for implementation

Choose tools according to your budget and level of automation. Below is an overview of the services listed for implementing the project.

  • NordVPN – VPN service for privacy protection and secure connections.
  • Semrush – SEO and marketing platform for analysis and traffic growth.
  • Make – Advanced visual automation for workflows and integrations.
  • Hostinger – Web hosting and domains for fast website launch.
  • Fiverr – Marketplace for freelancers and external specialists.
  • Adobe – Creative tools for graphics, video, and digital content.
  • Canva – Online design tool for graphics, presentations, and social media.
  • Jasper – AI tool for marketing copy and content campaigns.

Note: We use affiliate links for listed services. If you purchase through them, we may earn a commission at no extra cost to you.


Sources of illustrative images

The original illustrative image was created using the OpenAI Images API.