EU AI Act: what it really means for mid-market companies
Plenty of deadline panic circulates around the EU AI Act. Most of it is wrong. Here is where things actually stand in June 2026, honest and without scaremongering: which rules already apply, which date moved, and where your AI use most likely falls.

Frequently asked
What is the EU AI Act?
The EU AI Act is the European law that sorts AI systems by risk: prohibited, high-risk, limited-risk and minimal-risk. The higher the risk, the heavier the obligations. The law applies to anyone offering or using AI in the EU, mid-market companies included.
Which deadlines apply right now?
Prohibited AI practices have applied since 2 February 2025. Obligations for general-purpose AI (GPAI) have applied since 2 August 2025. The high-risk rules (Annex III) were set for 2 August 2026, but moved via the Digital Omnibus to 2 December 2027.
Is that high-risk deadline final?
No. The move to 2 December 2027 comes from a provisional agreement of 7 May 2026 on the Digital Omnibus. It is not yet final and may still shift. So do not bank on that date; plan for the fact that it can move.
What does this mean for mid-market companies?
For most SMEs, AI use falls under limited-risk or minimal-risk, not high-risk. Limited-risk mainly means transparency: tell people they are talking to AI, or that content was made by AI. Work out your real risk tier before you rush into action.
What are the fines?
For prohibited practices, fines reach up to 35 million euro or 7% of global annual turnover. Other breaches: up to 15 million euro or 3%. Supplying incorrect information to regulators: up to 7.5 million euro or 1%. SMEs and start-ups face proportionally lower fines.
How do you make AI AI-Act-proof in production?
Start by classifying each AI use case, not "AI" in general. Many pilots stall not on the law but on the production gap: governance, compliance and maintenance that arrive too late. Our Scan reviews your AI work on ROI, risk and what the law asks.
The four risk tiers
Prohibited
AI the EU deems too harmful, such as social scoring or manipulating vulnerable groups.
Banned since 2 February 2025.
High-risk
AI in sensitive domains (Annex III), such as hiring, credit or critical infrastructure.
Strict requirements. Date moved to 2 December 2027 (provisional).
Limited-risk
AI people interact with or that creates content, such as chatbots and generated text.
Transparency: make clear it is AI.
Minimal-risk
Most AI: spam filters, recommendations, tools with no direct risk.
No specific obligations under the law.
The honest takeaway
No panic. Most AI in mid-market companies falls under limited-risk or minimal-risk, not high-risk. And the heaviest deadline (2 December 2027) is still provisional. The win is not ticking something off fast; it is first knowing which tier each use case falls under. That spares you work the law does not even ask for.
This is not legal advice. The EU AI Act and the Digital Omnibus are still in motion; dates and details can shift. For your own situation, have a lawyer look at it.
AI work AI-Act-proof in production?
The law is rarely the real blocker; the production gap is. In the Scan we review your AI work on ROI, risk and what the law asks, and tell you which ones we would put into production.