The EU AI Act for Mid-Sized Companies: What Applies from 2026
Few regulations have produced as many headlines as the EU AI Act, and few are as overestimated in the mid-market. In first conversations we meet both extremes: companies that believe a chatbot on their website turns them into a regulated AI provider, and companies that consider the topic a pure corporate matter. Both are wrong.
This guide sorts out what the AI Act means for a typical mid-sized company. It is deliberately sober and does not replace legal advice. For the binding assessment of your specific case, a lawyer belongs at the table. But you should know the questions to ask them.
The timeline: what applies when
The AI Act (Regulation (EU) 2024/1689) entered into force in August 2024 and takes effect in stages. The key dates:
| From | What applies | Who it mainly affects |
|---|---|---|
| Feb 2025 | Prohibited practices banned; duty to ensure sufficient AI literacy in the company (Art. 4) | everyone who uses AI |
| Aug 2025 | Duties for providers of general-purpose AI models (GPAI); authority governance structures | model providers (OpenAI, Google, …), not typical users |
| Aug 2026 | The bulk of duties for high-risk AI and the transparency duties take full effect | providers and deployers of high-risk systems |
| Aug 2027 | High-risk duties for AI in products under existing product safety law (e.g. machinery, medical devices) | manufacturers of regulated products |
As of today, mid-2026, the first two stages are already live. The AI literacy duty has applied for over a year, and it affects small companies too. The big high-risk stage is imminent. Still, the first question is not "which stage?" but "which role?".
The decisive question: provider or deployer?
The AI Act distinguishes mainly two roles, and almost the entire workload hangs on this distinction.
A provider develops an AI system or has it developed and places it on the market under their own name. Providers carry the main load of duties: risk management, technical documentation, conformity assessment.
A deployer uses an AI system in the course of their professional activity. If you use a finished tool, say a purchased chatbot, an AI text-recognition tool, or recruiting software with AI, you are a deployer. The deployer duties are considerably lighter.
For the vast majority of mid-sized companies the answer is: deployer. You do not build AI systems, you use them. That is the good news, because it shifts the heaviest duties to your suppliers. Caution applies in one spot only: anyone who substantially modifies a purchased high-risk system, changes its intended purpose so that it becomes high-risk, or resells it under their own name can legally become a provider (Art. 25). You should clarify that line with a lawyer in case of doubt.
The four risk classes and what they mean for you
The AI Act classifies AI applications by risk, not by technology. The same technique can fall into different classes depending on its use.
| Class | Examples | What applies to deployers |
|---|---|---|
| Prohibited | Social scoring, manipulative or exploitative techniques, emotion recognition at the workplace, untargeted scraping of facial images | hands off; the few narrow exceptions concern law enforcement, not companies |
| High-risk | AI in hiring, credit scoring, critical infrastructure, certain products | elevated duties: human oversight, logging, suitability checks |
| Limited risk | Chatbots, AI-generated text and images, deepfakes | transparency duty: disclose the use of AI |
| Minimal risk | Spam filters, AI in standard software, product recommendations | no specific duties under the AI Act |
Most AI applications in the mid-market fall into the lower two classes. A chatbot on the website or an AI assistant that drafts quotes is, as a rule, "limited risk". It gets delicate with personnel decisions: AI-assisted pre-selection of applicants counts as high-risk. If you use such a tool or want to, that is the area to have reviewed legally first.
What you actually have to do as a deployer
For a typical company that uses AI but does not build it, three tangible duties remain:
1. Ensure AI literacy (in force since February 2025, Art. 4). Your staff who work with AI must have enough knowledge to operate the systems responsibly and judge their limits. This requires no certification, but you should be able to show that you address the topic in a structured way, for example through training and internal guidelines. This duty is the one most often overlooked in the mid-market.
2. Avoid prohibited practices. Rarely a problem in practice, because the banned applications are far from normal business. Still, the list (Art. 5) deserves one read before an ambitious AI project starts.
3. Establish transparency (Art. 50, fully applicable from August 2026). Users must be able to recognise that they are interacting with an AI, for example with a chatbot. Deepfakes must be disclosed as artificially generated, and AI-generated text that you publish to inform the public on matters of public interest must be labelled as such unless it has gone through human review and someone takes editorial responsibility. This duty matches our own stance from the guiding principle: disclose AI use, do not hide it.
If you deploy high-risk systems, deployer duties are added (Art. 26): ensure human oversight by competent staff, follow the provider's instructions for use, keep the logs the system generates for at least six months, check that the input data is relevant and representative for the intended purpose, and, before putting a high-risk system to use at the workplace, inform the affected employees and their representatives. Here too the main load sits with the provider, but you carry shared responsibility in operation.
Three first steps, without panic
You do not have to solve everything at once. This order has proven itself:
1. Inventory. List which AI systems are in use at your company, including the hidden ones in standard software. For each: are we provider or deployer, and which risk class does the use fall into?
2. Tackle AI literacy. A short, documented training for everyone who works with AI, plus a simple internal guideline. That closes the most frequently overlooked gap and is quickly done.
3. Retrofit transparency. Check chatbots and AI-generated content for the necessary labelling. Mostly these are small adjustments to texts and notices.
Only when the inventory surfaces a high-risk system does it get more involved, and then the case belongs with a lawyer anyway.
Does a chatbot on our website make us a regulated AI provider?
As a rule, no. If you use a finished chatbot, you are a deployer, not a provider. The transparency duty applies: users must recognise that they are talking to an AI. The provider would be the maker of the chatbot. It can be different if you substantially rebuild a system, change its intended purpose, or resell it under your own name (Art. 25); that then belongs in legal review.
Are there really fines, and how high?
The AI Act provides for tiered fines (Art. 99): up to 35 million euros or 7 % of global annual turnover for prohibited practices, up to 15 million euros or 3 % for most other violations, and up to 7.5 million euros or 1 % for supplying incorrect information to authorities; in each tier the higher amount applies, for SMEs the lower one. These maximums target large providers and serious violations. For a deployer with standard tools and met transparency and literacy duties, the risk is low. The actual enforcement through the national authorities is still at an early stage. A reliable assessment for your case comes only from legal advice.
What does the AI Act have to do with the GDPR?
Both apply in parallel and complement each other. The AI Act regulates the AI system as such, the GDPR regulates the processing of personal data within it. An AI recruiting solution can trigger both frameworks at once: high-risk duties under the AI Act, and under the GDPR the rules on automated individual decisions (Art. 22 GDPR) plus, as a rule, a data protection impact assessment. In practice we therefore review such projects in both dimensions.
Should we wait with AI projects until everything is settled?
No. The duties for typical deployers are manageable, and waiting costs competitiveness. It makes more sense to start AI projects with the role and risk question from the outset, rather than retrofitting it afterwards. What a structured entry looks like is described in our post on AI strategy for mid-sized companies.
Your next step
Start with the inventory from step 1. It costs half a day and answers the most important question by itself: whether the AI Act is a manageable compliance topic for you or a larger project. In the vast majority of mid-sized cases, it is the former.
If you do not want to classify your AI systems alone, we bring it into the Future Check, together with the technical assessment. The binding legal review is then done by your lawyer, on a basis we have prepared.
Want to know what these topics mean for your company? The Future Check shows you the biggest levers within 2–4 weeks.