Skip to main content
eu-ai-actcomplianceai-governancegerman-companiesgdpr

The EU AI Act Gets Real on August 2, 2026. Here's What Actually Applies to You

The AI Act's main obligations apply from August 2, 2026. Most mid-market AI use isn't high-risk — but you have to be able to prove it. A practical guide without the fear-marketing.

Jan ZajfertJuly 9, 20265 min read

On August 2, 2026, the EU AI Act's main obligations become applicable. Not "enter a transition period" — applicable, with fines attached. If your company uses AI anywhere in its workflows, this is the date your legal team has been asking about, whether they've found the right words for it or not.

Here's the part most compliance vendors won't tell you: the majority of AI use in mid-market companies is not high-risk under the Act. Document Q&A, data extraction from invoices, email triage — these sit in the minimal or limited-risk categories, where the obligations are light. The catch is that "probably not high-risk" is not a defense. You need to be able to show how you classified your systems, and most companies haven't written a single page of that down.

The timeline, without the noise

The AI Act (Regulation (EU) 2024/1689) entered into force in August 2024 and has been phasing in since:

  • February 2, 2025 — Prohibited practices banned (social scoring, manipulative systems, most real-time biometric identification). Also: the Article 4 AI-literacy duty — staff who use AI systems must have adequate AI competence. This one already applies to you.
  • August 2, 2025 — Obligations for general-purpose AI model providers (that's Anthropic, Mistral, and others — not you, unless you build models).
  • August 2, 2026 — The big one. High-risk system rules under Annex III and the Article 50 transparency obligations become applicable to companies deploying AI.
  • August 2, 2027 — High-risk rules for AI embedded in regulated products (medical devices, machinery).

Penalties scale up to €35 million or 7% of global turnover for prohibited practices, and €15 million or 3% for most other violations. SMEs get proportionality — the caps are lower — but "proportionate" is not "zero."

The only question that really matters: are you high-risk?

Annex III lists the deployment contexts that make an AI system high-risk. For document-heavy mid-market companies, one entry deserves your full attention:

Employment and recruitment. AI systems used to screen or filter job applications, evaluate candidates, or make promotion decisions are explicitly high-risk. If your recruiting workflow uses AI to rank or select people, the full high-risk regime applies to you from August 2026: human oversight, logging, monitoring, input-data quality controls, and registration duties for providers. There's a meaningful line between AI that aggregates candidate data — scraping job boards, structuring profiles, filling your CRM — and AI that decides or ranks. The first is generally not high-risk. The second is. Where exactly your setup falls is a classification question you want answered on paper, not assumed.

Most other mid-market workflows — answering questions from your document library, extracting invoice fields for DATEV, drafting email replies a human reviews — don't appear in Annex III. They carry transparency duties, not the high-risk regime.

What everyone has to do, high-risk or not

Four obligations apply broadly, and all four are cheap to satisfy if you start now:

  1. Inventory your AI. You can't classify what you haven't listed. Every AI-touching workflow, including the shadow ones your team adopted without asking IT.
  2. Classify and document. One page per system: what it does, what data it touches, which risk category, why. This document is what you show a regulator — or a customer's procurement team — when they ask.
  3. Transparency. From August 2026, people interacting with an AI system must be able to tell. Chatbots must be identifiable as chatbots; AI-generated content must be marked. If a human reviews and owns the output before it leaves the building, your duties are lighter — another reason human-in-the-loop workflows age well under this law.
  4. Train your people. The Article 4 literacy duty has applied since February 2025. A documented half-day training for staff who work with AI systems covers most of it. Undocumented knowledge doesn't count — the paper trail is the point.

The AI Act doesn't replace GDPR — it stacks on top

If your AI processes personal data (it does), GDPR applies in parallel: legal basis, data processing agreements with vendors, and in some high-risk cases both a GDPR data-protection impact assessment and an AI Act fundamental-rights impact assessment. The good news: work you've already done for GDPR — records of processing, vendor DPAs, data-flow maps — is the same groundwork the AI Act asks for. Companies that treated GDPR as an architecture decision rather than a folder of PDFs are starting this race halfway down the track.

What to do with the three weeks left

Nothing about the Act rewards panic, and August 2 is not a cliff edge for companies whose AI use is limited-risk. But three things are worth doing now rather than after the first customer questionnaire arrives:

  1. Write the inventory and classification — a focused week of work for most mid-market companies.
  2. If anything touches recruitment decisions, get that classification checked before August.
  3. Schedule the literacy training and keep the attendance list.

We build AI workflow systems for exactly the companies this law now covers, and readiness is part of every implementation we scope — classification documentation included. If you want a second pair of eyes on your inventory, or you're unsure which side of the recruitment line your setup falls on, book a call. Thirty minutes, and we'll tell you honestly whether you have an AI Act problem or just an AI Act paperwork afternoon.

The EU AI Act Gets Real on August 2, 2026. Here's What Actually Applies to You | AI Loopwise