- On 2 August 2026 the central obligations for high-risk AI systems come into force. For most companies this is the hardest regulator deadline since GDPR.
- Fines up to €35M or 7% of global annual turnover. That's not a rounding error.
- One duty has been live since February 2025 — and almost no one knows: your staff need documented AI competence (Art. 4).
- The upside: anyone acting now is 6-12 months ahead of the competition. B2B customers are already asking for AI governance evidence.
- Action plan: ~40 hours, spread across 90 days — doable with 3 people.
The starting point: why you need to read this now #
The EU AI Act has been in force since 1 August 2024 — but the real weight lands in phases. Two are already behind us (Prohibited Practices since Feb 2025, GPAI rules since Aug 2025). The third and biggest wave rolls in on 2 August 2026: the compliance obligations for high-risk AI systems.
Why this concerns every business owner — not just the ones with machine-learning teams:
- Recruiting software with AI filter? High-risk.
- Credit-scoring models? High-risk.
- Biometric access systems? High-risk.
- AI-based employee evaluation? High-risk.
- An AI chatbot that answers customer questions about contracts? Can be high-risk — depends on context.
You use AI if you use: ChatGPT, Copilot, HubSpot AI, Personio, Workday, Salesforce Einstein or one of the ~800 other AI features in standard business software. The point is: you are probably a Deployer of an AI system without ever having seen yourself that way.
And yes, this applies to you as a mid-sized company with 47 staff. It applies to you even as a solo consultant.
Fear-moment #1: what happens if you do nothing #
The fines in the AI Act are deliberately harsh — that was political signalling, not an oversight:
| Violation | Maximum | Example |
|---|---|---|
| Prohibited practice (Art. 5) | €35M OR 7% of global turnover — whichever is higher | Emotion-recognition software in the workplace |
| Ignoring high-risk obligations | €15M OR 3% of turnover | Running recruiting AI without a conformity assessment |
| False statements to authorities | €7.5M OR 1% of turnover | "We don't use AI" — while HubSpot AI, Copilot, Notion AI run in daily work |
For SMEs: reduced rates, but not zero. And personal liability of the CEO under national implementation laws (in Germany, not yet final) will be the real motivator.
On top of that:
- Market ban: the authority can order you to shut the system down immediately.
- Product recall obligation for anything placed on the market.
- Public sanctions list — reputational damage before the proceedings even conclude.
The most relaxed but most expensive consequence: no B2B customer in the EU will sign a contract with you in 2027 if your answer to "can you demonstrably document your AI compliance under the EU AI Act?" is just "yes of course" without evidence.
Fear-moment #2: the hidden duty since February 2025 #
The EU AI Act has one article almost no one has read: Article 4 — AI competence. It's been live since 2 February 2025. Retroactively.
What it says: if you operate or offer AI systems, you must ensure "a sufficient level of AI competence" among staff who operate them or are affected by them.
What that actually means:
- It's not enough that marketing uses Copilot but no one knows what the thing actually does.
- You need documented training — not "we watched a video", but trackable training records.
- The burden of proof lies with you. Market surveillance can ask any time.
And the kicker: there is no fixed size threshold. Even a 12-person business must be able to prove AI literacy if it has AI in daily use. And you do — since ChatGPT moved into the team, at the latest.
Right now: few fines, many authority enquiries within data-protection audits. But from 2 August 2026, this interlocks with the high-risk obligations — then it gets expensive.
The hidden opportunity: why movers win now #
Before you panic: the EU AI Act isn't pure burden. Anyone who operationalises this now gets three concrete advantages:
1. B2B trust signal
I see it right now in our RFPs: enterprise customers are already asking for AI governance evidence. Firms that have it make the shortlist. Firms that stammer get dropped. In 12 months this will be standard contract clause in every vendor deal.
2. Skill build-up as a calculated investment
The AI-literacy training you have to do anyway is upskilling. Your staff get better at AI. Your processes get leaner (because you're now forced to document what AI does where). That's the cost side of compliance — but it's also operational clarity you never had.
3. First-mover advantage in the market
Your competitors will wait until July 2026. Then panic. Then buy wobbly compliance packages. Then still not be properly set up in 2027. Anyone who runs a clean 90-day pass now is structurally superior for the next contract negotiation.
That's not marketing speak. That's simply timing.
The 90-day action plan · concrete todos #
Forget the 40-page compliance frameworks from consultancies. What a 15-500 person company can realistically do — and must — in 90 days:
Week 1-2 · Inventory (10 hours)
Goal: you know what you have.
- List every software tool that has AI features. Not just dedicated AI tools. Also: HubSpot, Salesforce, Notion, Microsoft 365, Google Workspace, Grammarly, Personio, every CRM/HR system.
- Per tool: which role uses it, for which use case, which data flows in?
- Flag: which of these likely make decisions about people? (Recruiting, evaluation, credit, access, medical, education)
- Output: a sheet with 20-80 rows. Not a Word document. Not a PDF. An Excel or Notion database.
Who: IT lead + CEO. Don't delegate to junior — the assessment needs context.
Week 3-6 · Risk classification (12 hours)
Goal: you know your high-risk applications.
- For every tool in the inventory: does it fall under Annex III of the AI Act (the high-risk list)?
- Recruiting filter → YES
- Credit scoring → YES
- Standard marketing CRM → mostly NO
- Biometric identification → YES
- Chatbot that interprets contracts → borderline
- For every high-risk tool: contact the vendor, request a Declaration of Conformity. They MUST supply it.
- Anything without a conformity document that IS high-risk: write a migration plan. The tool cannot be used after 2 Aug 2026 without CE marking.
Who: IT + line-of-business + (optional) external legal advisor. Don't try to lawyer this yourself.
Week 7-10 · Policies + processes (10 hours)
Goal: you have written rules + named owners.
- AI usage policy: 2-3 pages. What AI can and can't do. Who decides edge cases. Where personal data cannot go.
- Incident response process: what happens when an AI system makes a mistake that harms someone.
- Name an AI owner. Not necessarily full-time. But visible role: the person to ask when questions arise.
- Conformity file (SharePoint or equivalent). Collects all documents centrally.
Who: CEO + named AI owner. In Germany this doesn't have to be the Data Protection Officer — but should be coordinated with them.
Week 11-12 · AI literacy training (8 hours)
Goal: every member of staff has a documented baseline training.
- Baseline training (90 min) for everyone: what is AI, what does it do in our company, what am I allowed to do with customer data, where are the red lines.
- Deep-dive (2h) for anyone actively using AI tools: how to spot hallucinations, how to check results, which prompts are risky.
- Leadership briefing (1h): legal framework, liability, escalation processes.
- All trackable in an LMS or at least an attendance tracker.
Who: HR + AI owner. Can be booked internally or externally.
~40 hours over 12 weeks · 3-4 people · realistically €8-15k of external support if needed. That's the investment. The alternative: €15M fine risk + reputational damage.
That was the hub. Detail guides to follow.
This article is the cornerstone of a 9-part series: "EU AI Act · Operator's Field Guide". Coming weeks bring detail articles on inventory template, high-risk matrix, AI-literacy training plan, vendor assessment and more. Subscribe to the newsletter = automatic alert when a new spoke goes live.
What AMIA changed internally #
A quick look inside our own AI ops (because people ask): AMIA uses Claude, Make.com, HeyGen, fal.ai, Recraft, ChatGPT. That's six AI systems with different risk classes.
What I changed:
- A central AI inventory in Notion that lists every AI tool with use case, data classification and owner. Reviewed quarterly.
- Prompt guidelines for the team — 1 page: what you don't paste into prompts (customer names, account data, real names from HR).
- Conformity file per vendor. All GDPR processing agreements + AI vendor statements centralised.
- Explicit co-authorship disclosure on every piece of content produced with AI. Trust signal + future documentation duty.
- Quarterly 60-min AI update session for the team — what's new, what we risk if we change nothing.
It's not a perfect compliance structure. But it's one that would survive a regulator enquiry and has clear internal responsibilities.
5 consulting recommendations you can ignore #
I'm seeing a lot of consultancies selling panic packages right now. Five of them I consider overhyped:
"You need an AI Officer per ISO 42001."
No. For 90% of mid-sized companies a named person with a clear mandate is enough. ISO 42001 is a framework, not an obligation.
"All AI prompts have to be logged."
Not generally. Only for high-risk systems and only the audit-relevant interactions there. Logging everything creates data-protection problems worse than the actual compliance problem.
"You need an AI ethics board with external members immediately."
For enterprise with AI products: yes. For mid-market using AI in standard software: absolutely not. Over-engineering.
"Every AI-in-meeting exchange must be pre-consented."
Not legally defensible. If staff use ChatGPT for spellcheck you don't need consent forms. You need a clear guideline.
"You must stop using AI until everything is clarified."
The worst advice. Anyone who stops AI usage until "compliance is clear" loses 12 months of productivity and still won't be compliant at the end. Keep using it, build processes in parallel.
FAQ #
Are sole traders and freelancers affected at all?
If you deploy AI systems: yes, but the obligations are proportional. A solo marketer without person-affecting high-risk systems gets by with a three-page self-documentation. No reason to panic. Every reason to be structured.
What about ChatGPT usage inside the team?
ChatGPT itself is a GPAI system. As a user you are a "Deployer". Your duties: train staff (AI literacy), define usage rules, keep sensitive data out. Not complex. But must be documented.
Do I have to appoint an AI Officer?
Not formally, not everywhere. In practice: yes — without a named person, responsibility drops onto the CEO, and you want to control that.
How does this differ from GDPR?
GDPR governs personal data. The AI Act governs AI systems regardless of data type. The two are complementary. If your AI system processes personal data: both apply in parallel.
What happens if we don't finish in time?
No customs truck rolls up on 3 August 2026. But market surveillance can inspect from that day forward. And from that moment, every week of delay is a risk. Also: customers ask. Better to have Version 1 on 2 August than to still be "working on it" on 15 August.
Is 2 August 2026 the final deadline?
No. On 2 August 2027 the obligations for high-risk AI in regulated products (medical devices, vehicles, etc.) go live. For companies active there, that's the second big wave.
Closing · what to do now #
This article isn't legal advice. It's the operational map.
If you do exactly one thing in the next 7 days: start the inventory step from week 1-2. It's the cheapest hedge. You'll find things you didn't know you had.
If you do two things in the next 30 days: inventory + name your AI owner. That's half the game.
If you get through everything in the next 90 days: you're literally ahead of 80% of your competitors.
The EU AI Act is uncomfortable. But it's one of the few regulations where acting early doesn't just reduce risk — it creates an actual advantage zone. Not marketing talk: pure timing.
T-minus 22 days until 2 August 2026.
This text is an operational take, not legal advice. For concrete compliance decisions, consult specialist legal advice — especially for high-risk systems in HR or customer contexts. Legal framework and national implementation in Germany continue to evolve. Last updated: 2026-07-11.