Hardly any law has triggered as much consulting marketing as the EU AI Act — and hardly any gets summarized wrongly as often. Between "doesn't affect us" and "we need an AI officer immediately", the reality for mid-sized companies sits almost exactly in the middle. We sort out what actually applies — and from when.

Up front, because it belongs here with legal topics: we build and operate AI systems, we are not a law firm. This text is hands-on experience from projects and the assessment we work with ourselves — not legal advice. For your specific case, a specialist lawyer belongs at the table.

The principle: the use case is regulated, not the technology

The AI Act doesn't regulate "AI" as a whole; it sorts use cases into risk classes — and the obligations hang off those:

  • Prohibited practices: social scoring, manipulative systems, emotion recognition in the workplace (with narrow exceptions). Banned since February 2025 — and simply a non-issue for a normal mid-sized company, as long as nobody gets such ideas.
  • High risk: AI in hiring and employee evaluation, credit decisions, critical infrastructure, medical devices and similar areas. Real obligations kick in here: risk management, data quality, documentation, human oversight.
  • Limited risk: mainly transparency duties. A chatbot has to identify itself as a machine; AI-generated content has to be labelled in certain cases.
  • Minimal risk: everything else — and that's the large majority of what runs in mid-sized companies. No special obligations from the risk class.

Important when reading all four classes: the classification hangs on the concrete use case, not on the product name. The same software can fall into two different classes in two departments. And the mapping isn't a one-off exercise — whoever starts a new use case classifies again. That sounds like bureaucracy; in practice it's a two-liner in the inventory list.

Where the typical mid-sized company stands

The second important distinction: the AI Act separates providers (who develop an AI system and put it on the market) from deployers (who use it). Whoever uses ChatGPT, Copilot and co as a tool is a deployer — and the typical applications like drafting texts, summarizing, translating, extracting receipts or sorting emails land in the lower risk classes. What essentially remains: the AI literacy duty from Article 4, transparency in places — and vigilance around anything heading towards hiring or credit decisions.

Because that's exactly where it tips: the same language model is minimal risk when summarizing minutes — and a high-risk use with everything that entails when pre-screening job applications. Whoever already lets AI results flow into personnel decisions today shouldn't treat that as a grey area, but as what it formally becomes in August 2026.

// Pull quoteIt's not the tool that's regulated, it's the use case. The same model can be harmless and high-risk — depending on what you use it for.

Three cases from everyday practice

Because abstract classes don't help much, three mappings we encounter constantly in conversations:

  • Marketing has product texts and posts drafted. Minimal risk. The usual duties of care apply — review before publishing, copyright — but practically nothing additional follows from the AI Act. Whoever publishes AI-generated images or videos keeps the labelling duties from August 2026 in view; for plain working texts, it's a non-issue.
  • A chatbot answers customer questions on the website. Limited risk: the bot has to identify itself as a machine — which is good style anyway and long built into most off-the-shelf solutions. The Act demands nothing more here. In our experience, the harder questions come from the GDPR: where do the chat contents go, and does the privacy policy say so?
  • HR wants applications pre-screened. High risk under Annex III. From August 2026 that means: human oversight, informing the people affected, use strictly according to the provider's specifications — and a provider that demonstrably fulfils its high-risk obligations. Our advice in all clarity: without proper preparation, leave this case alone.

The pattern behind all three cases is the same, and it works as a rule of thumb: first ask what the result acts on — a text, a purchase, a person and their rights. The closer to the person, the higher the class.

The timeline, without the fog

  1. February 2025 — already applies: the prohibited practices are banned, and Article 4 obliges all companies that use AI to equip their staff with sufficient AI literacy. That's the duty that already affects almost everyone today — and the one most often overlooked.
  2. August 2025 — already applies: obligations for providers of general-purpose AI models (GPAI) — transparency about training data, technical documentation. That concerns OpenAI, Google, Anthropic and co, not their users. Governance structures and the penalty framework have also been in place since then.
  3. August 2026: the bulk of the remaining obligations becomes applicable — above all the high-risk requirements under Annex III and the transparency duties. Whoever uses AI in hiring, credit decisions or similar areas, or plans to, has to deliver by then. (For high-risk AI in regulated products like machinery or medical devices, a longer transition runs until 2027 — a footnote for most SMEs.)

The pragmatic to-do list

From all of this follows a manageable work programme. In a company with clear responsibilities it's more like a week of on-the-side work than a project — and half of it overlaps with what the GDPR has long required anyway:

  1. Take inventory. Which AI systems run in the company, and for what — including the unofficial ones. One list, one owner, done. This list is the foundation for everything else.
  2. Map use cases to the classes. For nine out of ten entries that's done in a minute: minimal or limited risk. The exceptions are the ones the exercise is worth doing for.
  3. Check the red lines. Nothing in the direction of emotion recognition or scoring — and everything touching hiring or credit decisions is either treated as a high-risk project or left alone.
  4. Schedule training and document it. Article 4 has applied for over a year. Short, concrete, on real tasks — and record who was trained when.
  5. Adjust procurement. For every new AI tool, ask for the AI Act classification and the GDPR paperwork. Serious vendors have both ready; whoever dodges sorts themselves out.

What's scaremongering — and what isn't

Scaremongering: "every company now needs an AI officer" (written nowhere), "ChatGPT use will require a permit" (also written nowhere), and the whole market of certificates promising compliance you can't buy. Not scaremongering: the penalty framework is real — up to 35 million euros or 7 percent of global turnover for prohibited practices, tiered below that for other violations. The high-risk obligations are substantial and need lead time. And Article 4 isn't future music, it's applicable law.

Plus the question we get asked second-most often: "Who actually checks this?" The supervisory structures are only just emerging — at EU level the AI Office for the model providers, nationally designated authorities for the rest. That inspectors will stand in mid-sized companies on day one is unlikely. Betting that nobody will ever ask is still a bad strategy — at the latest when a major customer asks about AI use in the supplier questionnaire, or the works council raises the topic. The documentation from the to-do list above is exactly what you'll want to be able to show in that moment.

The honest summary: for typical tool use in a mid-sized company, the AI Act is a footnote with one concrete duty — build competence and be able to show it. For hiring, credit and critical infrastructure it's a real project with an August 2026 deadline. The two shouldn't be confused — in either direction.

Whoever wants to do the mapping for their own company properly once — inventory, classes, rules, training — will find exactly this roadmap in our AI consulting. And the GDPR side of the same question, which in practice is usually the more urgent part, is in the guide Using AI in line with the GDPR.

// End of article