From 2 August 2026, the core obligations of the EU AI Act take effect. Regulation (EU) 2024/1689 has been in force since August 2024 and is being applied in stages. The next stage concerns all companies that deploy high-risk AI systems, including mid-market companies.
This article summarises what the regulation covers, which obligations apply from August and what mid-market companies need to do now.
What the EU AI Act regulates
The EU AI Act is the world's first comprehensive law governing artificial intelligence. It applies to all companies that develop, distribute or deploy AI systems in the EU. Industry and company size are irrelevant.
The regulation classifies AI systems into four risk tiers (Articles 5, 6 and 52 of the regulation):
- Unacceptable risk: Prohibited. This includes social scoring, subliminal manipulation and real-time remote biometric identification in public spaces. These prohibitions have been in effect since 2 February 2025.
- High risk: Permitted, but strictly regulated. Applies to AI in areas such as recruitment, credit scoring, education or critical infrastructure. Extensive documentation and monitoring obligations apply from August 2026.
- Limited risk: Transparency obligations. Anyone deploying chatbots, deepfakes or AI-generated text must disclose this.
- Minimal risk: No specific obligations. This covers most common AI applications such as spam filters, translation software or recommendation engines.
The timeline
The regulation entered into force on 1 August 2024. Obligations are being phased in (Article 113):
- February 2025: Prohibitions on AI with unacceptable risk.
- August 2025: Rules for general-purpose AI models. Primarily affects providers of large language models.
- August 2026: Obligations for operators of high-risk AI systems. This is the stage that directly affects mid-market companies.
- August 2027: Full applicability of all provisions.
What "high risk" means for mid-market companies
Most mid-market companies do not deploy AI in high-risk areas. Anyone using AI for copywriting, data analysis, marketing or internal process optimisation typically falls under "minimal risk". No specific obligations.
But there are exceptions. Annex III of the regulation lists eight areas in which AI is classified as high-risk:
- Biometrics and categorisation of persons
- Critical infrastructure
- Education and vocational training
- Employment and human resources management
- Access to public and private services
- Law enforcement
- Migration and border control
- Administration of justice and democratic processes
Point 4, employment and human resources management, is the one relevant for mid-market companies. Anyone using AI to pre-screen applications, automate performance reviews or support promotion decisions is operating a high-risk system.
In that case, the following obligations apply from August 2026 (Article 26):
- Establish a risk management system
- Ensure data quality
- Maintain technical documentation
- Guarantee human oversight
- Ensure logging and transparency
- Register in the EU database
Special provisions for SMEs
The EU AI Act includes explicit concessions for small and medium-sized enterprises. This is set out in Recital 141 and Article 62.
Specifically:
- Regulatory sandboxes: EU member states must establish AI regulatory sandboxes. SMEs receive priority access to test their systems under supervision. Germany has already designated the AI Regulation Authority at the Bundesnetzagentur as the responsible body.
- Reduced fees: Conformity assessments and certifications cost less for SMEs. The exact amounts are set by national authorities.
- Simplified documentation: Documentation requirements may be simplified for SMEs. The European Commission is to publish guidelines to this effect.
According to a European Commission study, estimated compliance costs for a high-risk AI system range between EUR 6,000 and EUR 7,000. For SMEs, these costs are expected to decrease further through the concessions (Impact Assessment SWD(2024) 2).
What happens in case of non-compliance
The fines are set out in Article 99:
- Prohibited AI practices: up to EUR 35 million or 7 per cent of global annual turnover.
- Violations of other provisions: up to EUR 15 million or 3 per cent.
- Providing false information to authorities: up to EUR 7.5 million or 1 per cent.
For SMEs and start-ups, the lower amount applies in each case. The fines are intended to be "effective, proportionate and dissuasive". The national supervisory authority decides on the amount on a case-by-case basis.
What to do now
Three steps. None of them requires a major project.
1. Take stock. Which AI systems are currently in use? Which are planned? Do they fall under the high-risk categories in Annex III? In most cases, the answer is no. The general transparency obligations are then sufficient.
2. Implement transparency obligations. Anyone deploying chatbots or AI-generated content must disclose this. The effort is minimal. A notice on the website or in communications is enough.
3. Vet your providers. Anyone using AI as a service, for example via a managed AI Adapter, should verify that the provider complies with the regulation. This particularly concerns where data is processed and whether the provider meets its documentation obligations.
For most mid-market companies, the EU AI Act is no cause for alarm. It is a regulatory framework. It creates legal certainty. And it includes clear concessions for SMEs.
Conclusion
The EU AI Act regulates AI by risk. Not by company size. Most AI applications in mid-market companies fall under minimal risk and require no special measures.
Those using AI in human resources need to look more closely. For everyone else: ensure transparency, vet your providers, done.
The deadline is August 2026. No reason for panic. But a good reason to take stock now.
Sources
- Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 (EU AI Act), Official Journal of the EU L 2024/1689
- European Commission: Impact Assessment SWD(2024) 2, Compliance Costs for SMEs
- Bundesnetzagentur: AI Regulation Authority, responsibilities and regulatory sandboxes (2025)
- Bitkom: Guide to the EU AI Regulation, Version 2.0 (2025)
- BMWK: FAQ on the EU AI Act for SMEs (March 2026)