EU AI Act for SMEs: What you need to know in 2026

Applicable obligations, postponed deadlines and the roadmap for SMEs

Compliance
Jan Schumann, Head of Project Management & Operations

Status: 29 May 2026

A company that uses ChatGPT for emails, uses an AI tool for recruiting or runs a credit check with AI is already the operator of an AI system within the meaning of the EU AI Act, with obligations, some of which already apply today. The widespread reflex "We're not building any AI, it doesn't affect us" therefore doesn't hold water.

What makes 2026 more difficult is that two developments overlap: central obligations are coming into effect, and at the same time the EU postponed the original timetable once again in May. It is precisely this mixture that is currently causing uncertainty. This article sets out what really affects you as a medium-sized company. No alarmism, no trivialisation. First things first.

EU AI Act timeline: Deadlines 2025 to 2028 with bans, AI competence, transparency and the postponed high-risk deadlines

What the EU AI Act is and who it affects

The EU AI Act (officially the "Regulation on Artificial Intelligence", Regulation (EU) 2024/1689) is the first comprehensive regulation for artificial intelligence worldwide. It has been in force since August 2024, but its obligations are staggered over several years. As an EU regulation, it applies directly in all member states without Germany first having to transpose it into national law.

The distinction between two roles is important for SMEs. Providers develop an AI system or have it developed and bring it to market under their own name. Operators ("deployers" in the legal text) use an AI system in their own company. Most SMEs are operators, not providers. However, if you do not build your own AI model, you are not automatically exempt from the regulation.

This is precisely the underestimated point: even the use of ChatGPT for texts, an AI tool in recruiting or an AI-supported credit check makes you an operator within the meaning of the law. The resulting obligations depend on the risk class of the specific system, not the size of the company.

The four risk classes

The EU AI Act does not regulate "AI" across the board, but takes a risk-based approach. The higher the risk to health, safety or fundamental rights, the stricter the obligations. There are four levels.

Prohibited risk: Certain applications are generally prohibited, such as the social scoring of people (by public or private bodies) or manipulative systems that influence people's behaviour to their detriment. These prohibitions already apply.

High risk: AI in sensitive areas such as personnel selection, lending or critical infrastructure. In SMEs, the typical case is AI-supported applicant screening. The strictest obligations apply here: risk management, technical documentation, human supervision, logging.

Limited risk: systems with transparency obligations. The classic example is the chatbot on your own website or an AI that generates images, text and videos. Users must be able to recognise that they are dealing with a machine. This is the most common regulatory level for SMEs because generative AI is now widely used in marketing and customer service.

Minimal risk: The majority of current applications, from spam filters and product recommendations in shops to AI in warehouse logistics. No special obligations arise here from the AI Act. This is the majority of what a typical company actually uses.

For the vast majority of companies, the systems used are in the lower two classes. It becomes critical where AI makes decisions about people, i.e. especially in recruiting and creditworthiness checks.

The four risk classes of the EU AI Act as a pyramid: prohibited, high, limited and minimal with examples of SMEs

What's really new in 2026: the digital omnibus

Here lies the most important change of the year, and it is still misrepresented in many older guides. On 7 May 2026, the EU Parliament and Council agreed on the "Digital Omnibus", a package of targeted changes to the AI Act. The aim is simplification and more time for implementation.

The decisive effect: the deadline for the high-risk obligations that many companies were facing will be pushed back. Instead of 2 August 2026, these obligations will now take effect later in stages (the exact dates are listed below). The reason for this is remarkably sober: the technical standards and supervisory infrastructure on which the original timetable was based were simply not ready in time. The postponement was therefore not because the requirements were too lax, but because the apparatus behind them was not yet in place.

An important caveat regarding the status: the agreement of 7 May 2026 is a provisional political agreement, not yet a final law. Parliament and the Council must formally confirm the text, which will then be published in the Official Journal of the EU. Formal adoption is expected before 2 August 2026. Until then, the following applies: the direction is clear, individual details may still change. Anyone planning should treat the new timeframe as probable, but not as set in stone.

What already applies to SMEs today

Independent of the Digital Omnibus, two obligations are already in force, both since 2 February 2025.

Firstly, the prohibitions from the highest risk class. Very few SMEs are directly affected by this, but anyone using a purchased tool should know that emotion recognition in the workplace is largely prohibited.

Secondly, and this is the more practically relevant obligation: AI competence under Article 4. Providers and operators must ensure that their employees who operate AI systems or use their results have a sufficient level of AI competence. This has been in force since February 2025 and is not linked to any risk class.

In everyday terms, this means that as soon as someone uses an AI tool at your company in a work context, you are obliged to provide training. The law does not require certification. What is required is that the training measures match the context of use and are documented. Pragmatic basic training plus role-specific in-depth training fulfils the requirement in most cases; practical formats such as AI workshops for the team cover precisely this need.

Who is subject to training under Article 4 EU AI Act: employees, freelancers, external service providers and managers

The transparency obligation and AI labelling

The second obligation that will affect many companies in 2026 is transparency under Article 50. The practical message is simple: anyone who publishes AI-generated images, videos or certain texts must make this clear.

There are two strands to this. Providers of systems that generate synthetic audio, image, video or text content must mark the output as artificially generated in a machine-readable way (watermarking). Operators, in turn, must disclose deepfakes and AI texts that serve to inform the public on topics of public interest.

The original deadline for the transparency rules was 2 August 2026. The Digital Omnibus is expected to postpone the providers' watermarking obligation under Article 50(2) to 2 December 2026. Here, too, the formal adoption is still pending (see above). Anyone using AI content in marketing today is well advised to set up a labelling practice early on instead of waiting for the final deadline.

In practical terms, this does not involve a great deal of effort: a brief indication that an image or text is AI-generated is usually sufficient. The organisational side is more complex, namely knowing where AI content is created in the company in the first place. This is precisely why taking stock is the first step in any sensible approach.

High-risk AI: the deferred deadlines

The Digital Omnibus changes the timetable most significantly for high-risk systems. Following the agreement of May 2026, a two-stage approach applies:

High-risk obligations under the Digital Omnibus: The postponed deadlines for Annex III and Annex I

| Category | Examples | New deadline |
| --- | --- | --- |
| Independent high-risk systems (Annex III) | AI in recruiting, credit scoring, biometric identification | 2 December 2027 |
| High-risk AI embedded in regulated products (Annex I) | AI as a security component in regulated products | 2 August 2028 |

Originally, the Annex III obligations were to take effect on 2 August 2026. The postponement gives companies more time, but does not change the substance: anyone using a high-risk system needs risk management, technical documentation, data quality, logging and human supervision.

The EU has formulated a clear expectation: the additional time is not a licence to do nothing, but is intended to enable preparation. If you have a high-risk application in-house, such as AI-supported applicant screening, it is worth taking stock now, even if the hard deadline is not until the end of 2027.

High-risk deadlines of the EU AI Act before and after: old deadline 2 August 2026 compared to 2 December 2027 and 2 August 2028 after the Digital Omnibus

Fines: staggered by severity

The penalties under the EU AI Act are higher than under the GDPR. The range of fines is graded according to the severity of the breach.

For breaches of the prohibitions in the highest risk class, the upper limit is €35 million or 7 per cent of annual global turnover, whichever is higher. For breaches of other obligations, for example in the high-risk area, the maximum is €15 million or 3 per cent. For false or incomplete statements to authorities, up to €7.5 million or 1 per cent.

The regulation provides relief for SMEs and start-ups: The lower of the two figures applies here, i.e. the absolute amount or the percentage, whichever is less. This significantly reduces the peak amounts that are intended for large corporations. Enforcement is also staggered; part of the sanction mechanism only comes into effect with the respective obligations, and the national supervisory authorities must first be formed. For most SMEs, the realistic scenario is therefore not the maximum fine, but the simple necessity to properly fulfil the already applicable obligations regarding AI competence and transparency. The greatest danger is not the maximum fine, but the failure to deal with the topic at all.

Roadmap for SMEs

Most SMEs do not need an oversized compliance machinery. They need an organised start. A sensible sequence:

  1. Inventory: Record which AI systems are used in the company, in which departments and for what purpose. Without this inventory, no risk class can be assigned.
  2. Risk categorisation: Assign each system to one of the four classes. As a rule, most systems end up in minimal or limited risk. The few high-risk cases, often in recruiting, deserve special attention.
  3. Build up AI expertise: Set up and document training courses. This is the only obligation that already applies to every operator without restriction.
  4. Labelling regulations: Determine how AI-generated content is labelled before the transparency obligation takes effect.
  5. Determine responsibility: Designate who is responsible for the topic within the company. In smaller companies, one person with a clear mandate is often sufficient.

If you work through these five steps properly, you will be well positioned for the realistic 2026 scope of duties. If you need support to get started, a structured AI consultation will help you take stock and categorise the risks.

Classification

The EU AI Act 2026 is in a phase in which a distinction must be made between applicable and deferred obligations. The AI competence and prohibitions have been in force since February 2025, while the high-risk obligations have been postponed to 2027 and 2028 by the Digital Omnibus, as has provider watermarking under Article 50(2) until the end of 2026, although formal adoption is still pending.

The situation is therefore less dramatic than the headlines about the 35 million fine suggest, but it is not over either. The obligation for AI competence is real and applies now. The rest can be planned if the stocktaking starts early enough. That's the sensible way to deal with a regulation that's still in flux: don't wait, but don't overreact either. If you only initiate one thing this week, it's the inventory of your AI systems in use. Everything else builds on that.
