Key takeaways
- EU AI Act applies from August 2, 2026 — affects nearly every DACH company using AI, not just AI vendors.
- Most mid-market companies fall under 'limited risk' — manageable with five concrete steps.
- Penalties up to €35M or 7% of global turnover for non-compliance.
- Off-the-shelf tools (ChatGPT, Copilot, Salesforce Einstein) don't exempt you — you're still the deployer.
The EU AI Act (Regulation 2024/1689) is the world’s first comprehensive AI regulation, requiring companies deploying AI systems in the EU to classify risk, document systems, and implement oversight controls by August 2, 2026.
If you’re a mid-market company in DACH wondering what you actually need to do: you need to inventory every AI system you use or operate, classify each one by risk level, write up the required documentation, design human oversight mechanisms, and set up ongoing monitoring. That’s it. Five things. The regulation is long, but the practical work is finite and manageable — especially if you start now.
I’ve spent the last year working through EU AI Act compliance with mid-market clients across Germany, Austria, and Switzerland. What follows is what we’ve learned about what matters, what doesn’t, and where companies waste time.
Who this applies to
The most common mistake I hear: “We don’t build AI, so this doesn’t apply to us.”
It does. The EU AI Act distinguishes between providers (companies that develop AI systems) and deployers (companies that use AI systems in their operations). If your sales team uses an AI-powered lead scoring tool, if your HR department screens CVs with an AI plugin, if your finance team runs forecasts through a machine learning model — you are a deployer. The regulation applies to you.
According to the Stanford HAI AI Index Report 2024, 67% of organizations globally have adopted at least one AI tool in their business operations. In the DACH mid-market, that number tracks similarly based on what we see in the field. Most of these companies don’t think of themselves as “AI companies,” but the EU AI Act doesn’t care about your self-image. It cares about what systems you operate.
Here’s who specifically needs to pay attention:
- Any company using AI tools in business processes — ChatGPT, GitHub Copilot, AI-powered CRM features, automated document processing, chatbots on your website.
- Any company deploying AI that affects people — hiring tools, credit scoring, customer service automation, insurance underwriting.
- Any company selling into the EU market — even if you’re headquartered outside the EU, if your AI system is used by EU residents, the Act applies.
- Any company in a regulated industry — finance, healthcare, insurance, legal. These sectors have the highest concentration of high-risk AI systems.
The European Commission’s own guidance makes this explicit: the obligations follow the AI system, not the company’s primary business. A logistics company using AI for route optimization has compliance obligations for that system, same as an AI startup.
Risk classification explained simply
The entire EU AI Act framework is built on risk classification. Every AI system you operate falls into one of four categories, and your obligations scale with the risk level. Get the classification right and everything else follows logically.
EU AI Act risk tiers
Every AI system you operate falls into exactly one category. Your obligations scale with the tier.
- Unacceptable risk (prohibited since Feb 2025). Examples: social scoring, subliminal manipulation, real-time biometric ID in public spaces, emotion recognition in workplaces. → Obligation: banned outright. Operating one is a regulatory violation.
- High-risk (most compliance effort lives here). Examples: CV screening, credit scoring, insurance risk assessment, automated grading, critical infrastructure management. → Obligation: conformity assessment, technical documentation, data governance, human oversight, EU database registration.
- Limited risk (transparency obligations). Examples: chatbots, AI-generated content (text, image, audio, video), non-banned emotion recognition. → Obligation: users must be told they're interacting with AI; generated content must be labeled.
- Minimal risk (document the classification itself). Examples: spam filters, recommendation engines for non-critical apps, AI-powered internal search, analytics dashboards. → Obligation: no specific requirements — but you still need to record why the system is minimal risk.
For mid-market companies, the most likely high-risk systems live in HR and finance: an AI-powered applicant tracking system, the credit assessment model for B2B customers, the AI feature in your ERP that flags employee performance anomalies. Limited risk usually means labeling chatbots and disclosing AI-generated marketing content. Most other internal tools fall into minimal risk — but you still need to record why the classification holds.
The five things you must do before August 2026
I’m going to be specific. Not “develop an AI governance framework” — actual tasks with concrete outputs.
- 01 AI system inventory (⏱ 1-2 weeks): Catalog every AI system you use, build, or deploy — commercial tools (ChatGPT Enterprise, Copilot, Salesforce Einstein), custom-built models, embedded ML inside existing software, and third-party APIs (OpenAI, Vertex AI). Record what each does, what data it processes, who it affects, and which vendor or team owns it. Most mid-market companies find 5-15 systems when they actually look.
- 02 Risk classification (⏱ 1 week): For each system, determine the risk level using the four categories above. Check Annex III for high-risk domains, assess whether the system materially influences decisions about people, and document your reasoning. When in doubt, classify higher — easier to downgrade later than to defend a borderline call to a regulator.
- 03 Technical documentation (⏱ 2-4 weeks): For high-risk systems, compile docs covering purpose, data governance, architecture, performance metrics, and risk management. For limited risk: system description, transparency measures, classification reasoning. For minimal risk: just record the decision. For vendor systems, request their EU AI Act compliance packages now — some have them ready, others have nothing.
- 04 Human oversight design (⏱ 1-2 weeks): Design workflows where AI recommendations reach a human with enough context to evaluate, override, or stop the system. The depth of oversight matches the risk: a chatbot giving product info needs less than a credit-decision model. For HR screening, the human reviews rankings with access to the AI's reasoning before anyone gets rejected.
- 05 Ongoing monitoring and audit trails (⏱ ongoing; setup 1-2 weeks): Set up automated logging, performance and drift monitoring, incident reporting to authorities, and periodic reclassification. Compliance is not a one-time project — retrofitting audit-friendly logs after the deadline is painful and expensive. Most modern AI platforms produce logs; the work is routing them to a system that retains, searches, and connects them to your compliance docs.
What compliance actually looks like in practice
I want to be clear about what we’re not talking about. We’re not talking about a 200-page compliance manual that sits in a SharePoint folder and gets reviewed once a year. That approach fails.
What works for mid-market companies:
Integrate into existing workflows. If you already have ISO 27001 or SOC 2 processes, your AI documentation fits into those structures. Risk assessments, vendor management, incident response — you’re already doing versions of these. Add the AI-specific elements to what exists rather than building parallel systems.
Use templates, not blank pages. The European Commission has published guidance documents and templates. We’ve developed our own documentation templates specifically for mid-market deployers that map directly to the regulation’s requirements. The goal is filling in specifics, not inventing a format.
Automate audit trails. Most modern AI platforms produce logs. The work is in routing those logs to a system that retains them, makes them searchable, and connects them to your compliance documentation. Oleks builds the technical controls, I handle the compliance framework — between us, we cover both sides of this: the governance paperwork and the actual infrastructure that makes it enforceable.
Make it someone’s job. The regulation doesn’t require hiring a dedicated “AI officer” for mid-market companies, but someone needs to own it. In most cases, this maps to whoever handles data protection or IT compliance today. Give them the mandate, the training, and the time allocation.
Start with your highest-risk systems. If you have 10 AI systems and two are high-risk, get those two compliant first. The minimal-risk systems need only basic documentation. Don’t let perfect be the enemy of done. If you’re also still trying to move models from pilot into production, the 90-day production framework folds risk classification into Phase 1 — cheaper than retrofitting later.
Sources
- Regulation (EU) 2024/1689 — full text and guidance — European Commission, 2024
- AI Act Explorer — topic-indexed reference — Future of Life Institute, 2024
- AI Index Report 2024 — Stanford HAI, 2024
Frequently asked questions
- When does the EU AI Act take effect?
The EU AI Act (Regulation 2024/1689) entered into force in August 2024 with a phased timeline. The main compliance obligations — including risk classification, documentation, and human oversight — apply from August 2, 2026. Prohibited AI practices were already banned in February 2025.
- Does the EU AI Act apply to companies that just use ChatGPT or other off-the-shelf AI tools?
Yes. The EU AI Act applies to 'deployers' — companies that use AI systems in their operations — not just developers. If you use GPT-4, Copilot, or any AI tool in business processes, you have compliance obligations including transparency, human oversight, and record-keeping.
- What is an AI risk classification under the EU AI Act?
The EU AI Act classifies AI systems into four risk levels: unacceptable (banned), high-risk (strict requirements), limited risk (transparency obligations), and minimal risk (no specific requirements). Most enterprise AI falls into limited or high-risk categories depending on the domain and impact on people.
- How much does EU AI Act compliance cost for a mid-market company?
For a typical mid-market company with 3-10 AI systems, initial compliance work — inventory, classification, documentation, and oversight design — runs 8-16 weeks of consulting effort. Ongoing compliance is largely about maintaining documentation and audit trails, which can be integrated into existing workflows.
- What happens if we don't comply with the EU AI Act by August 2026?
Penalties for non-compliance range from €7.5 million to €35 million, or 1-7% of global annual turnover, depending on the violation severity. But the bigger risk for mid-market companies is procurement: enterprise clients and public sector buyers are already requiring AI Act compliance in RFPs.