Starting August 2, 2026, mid-sized companies must focus primarily on new EU AI Act transparency, disclosure, labeling, and oversight requirements. The more extensive obligations for high-risk systems have been postponed until December 2027 or August 2028. Companies should now complete an AI inventory, classify each use case, and document ownership for ongoing operation.
Legal status reviewed on July 14, 2026. This article provides operational guidance and is not a substitute for legal advice.
Why does August 2, 2026 still matter to mid-sized companies?
The EU AI Act does not take effect through a single implementation date. It has been introduced in stages. Prohibited AI practices and AI literacy requirements have applied since February 2025. Governance provisions and obligations for providers of general-purpose AI models have applied since August 2025. On August 2, 2026, another major part of the regulation becomes applicable, including transparency requirements for chatbots, synthetic content, deepfakes, and certain systems that interact directly with people.
The legislative timeline changed shortly before the original deadline. The European Parliament and the Council postponed the extensive requirements for high-risk AI. The new date for stand-alone high-risk systems, including many employment and workforce-management tools, is December 2, 2027. AI used as a safety component in a regulated product is scheduled for August 2, 2028. The Council gave its final approval to the amendment on June 29, 2026. According to the Council, publication in the Official Journal and entry into force on the third day after publication were the remaining formal steps.
Use AI with clear rules and responsibilities
KrambergAI helps companies establish practical AI compliance structures for internal rules, data handling, approvals, responsibilities and responsible use in daily work.
Structured guidance · Responsible implementation · Made in Germany
The postponement does not remove the need for action. It changes the immediate objective. Most mid-sized businesses do not need to build a full high-risk compliance program during the next few weeks, but they do need to know which AI systems are operating in sales, customer service, human resources, engineering, dispatch, production, field service, finance, and management.
Without an inventory, the company cannot determine whether it is acting as a deployer, provider, distributor, or product manufacturer. It also cannot provide reliable information during customer assessments, privacy reviews, works council consultations, insurance renewals, security audits, or regulatory inquiries.
Germany is also establishing its national enforcement structure. The Bundesrat approved the German AI Act implementation legislation on July 10, 2026. The Federal Network Agency, Bundesnetzagentur, is expected to hold a central role in market surveillance, coordination, and support for businesses. As of the review date, the German legislation still had to be formally executed and promulgated.
Which EU AI Act requirements already apply?
Several prohibited AI practices have been unlawful since February 2, 2025. These include harmful manipulative systems, certain forms of social scoring, untargeted scraping of facial images to build facial-recognition databases, and biometric categorization intended to infer protected personal characteristics. Emotion recognition in workplaces and educational institutions is also generally prohibited, subject to narrow medical or safety-related exceptions.
The workplace restriction is relevant beyond large technology companies. A call center may consider software that analyzes voices to estimate stress or motivation. A production company may be offered camera software that claims to infer attention or employee mood. A recruiting platform may advertise personality or emotion detection from recorded interviews. Technical availability does not make these uses lawful.
Article 4 on AI literacy has also applied since February 2025. The amendment adopted in 2026 changes the wording toward supporting the development of AI literacy rather than requiring every provider and deployer to guarantee a defined level. Operationally, companies should still provide training appropriate to the role, system, and risk. A general presentation for the entire workforce may be useful, but it does not replace specific instruction for HR, procurement, IT administrators, marketing teams, managers, or employees handling customer and project data.
Since August 2, 2025, governance rules and major obligations for providers of general-purpose AI models have also applied. Most mid-sized companies are not providers of foundation models. They are customers of models and AI-enabled applications. The rules still matter when selecting suppliers because the customer may depend on the provider for technical documentation, copyright information, model limitations, security information, change notifications, and support during incidents.
The EU AI Act also does not replace other legal and operational requirements. The GDPR, German employment law, co-determination rights, copyright law, trade-secret protection, contractual duties, and information-security requirements remain relevant. A use case may be low-risk under the AI Act while still exposing confidential quotations, drawings, employee information, service records, customer addresses, or internal pricing data.
What changes on August 2, 2026?
For many mid-sized businesses, Article 50 is the most immediate part of the August deadline. It establishes transparency obligations for specified AI systems and AI-generated or manipulated content.
People must generally be informed when they are interacting directly with an AI system unless the artificial nature of the interaction is already obvious in the circumstances. A website chatbot, virtual front desk, automated service intake, or AI phone receptionist should therefore identify itself at the beginning of the interaction. A notice buried in a privacy policy is not a practical substitute for a message delivered when the interaction begins.
Providers of systems that generate synthetic audio, images, video, or text must generally support machine-readable marking of outputs when the statutory conditions apply. Companies publishing those outputs must separately assess whether they have a disclosure obligation. Deepfakes and certain AI-generated or manipulated public-interest content receive particular attention.
This does not mean every sentence edited with an office assistant requires a prominent warning. The legal framework distinguishes among technical marking, disclosure to an audience, routine editing assistance, deepfakes, and public-interest material subject to editorial review. Companies need a publishing standard that considers the type of content, the audience, the distribution channel, the degree of human editing, and who assumes responsibility for the final publication.
The 2026 amendment gives providers of systems placed on the market before August 2, 2026 until December 2, 2026 to implement the relevant machine-readable marking solution. New systems are generally expected to meet the applicable requirement from the August date. This transition should not be interpreted as a general postponement of every customer-facing disclosure obligation.
The German enforcement environment is also becoming more operational. The Bundesnetzagentur already provides an AI Service Desk and a compliance assessment tool. Under the German implementation legislation, it is expected to become the main central market-surveillance and coordination body for many AI Act matters.
Which high-risk obligations have been postponed?
The original schedule would have made many high-risk requirements applicable in August 2026. The EU legislature changed that schedule.
The comprehensive requirements for stand-alone high-risk systems in areas such as employment, education, biometrics, critical infrastructure, and access to essential services are now scheduled for December 2, 2027. Requirements for AI systems embedded as safety components in products covered by EU sectoral safety legislation are scheduled for August 2, 2028.
Future deployer obligations include using a high-risk system according to its instructions, assigning competent human oversight, monitoring operation, controlling input data where relevant, retaining specified logs, and reporting certain risks or incidents. Workplace deployments may also require information to employee representatives and affected workers.
The postponement is particularly important for companies already using recruiting software, workforce analytics, automated performance evaluation, AI-based task assignment, or safety-related industrial applications. It provides preparation time but does not permanently change the system’s category. An applicant-ranking system does not become an ordinary office tool merely because the full high-risk obligations start later.
Companies should use the transition period to obtain supplier documentation, contract commitments, logging capabilities, instructions for human oversight, model-change notices, and evidence supporting the supplier’s classification. Replacing an embedded HR or production system shortly before a compliance deadline can be considerably more disruptive than addressing these questions during procurement and renewal discussions.
Which AI applications in mid-sized businesses are typically affected?
In construction, skilled trades, technical service, and field operations, AI adoption rarely begins as a major transformation program. An estimator summarizes tender specifications. A service technician converts a voice memo into a job report. A dispatcher drafts a customer update. A project manager uses an assistant to organize meeting notes. These uses are usually not high-risk, but they belong in the company’s inventory because they may process customer information, project documents, prices, photographs, drawings, or personal data.
Sales teams commonly use AI for proposal drafts, CRM summaries, follow-up emails, lead research, and call notes. The important distinction is whether the system merely assists an employee or materially determines an outcome affecting a person. Drafting a quotation is different from automatically excluding a customer based on an inferred ability to pay.
For HVAC contractors, electrical companies, construction firms, logistics providers, traffic-management companies, marinas, and technical service organizations, customer-facing assistants are becoming increasingly relevant. A chatbot or voice assistant may collect the site address, equipment type, callback number, urgency, preferred appointment, or fault description before routing the case to dispatch. The main August 2026 tasks are disclosure of the AI interaction, privacy notices, controlled transfer to a human employee, and an operating rule for emergencies or unusual requests.
Human resources presents a different risk profile. Applicant screening, candidate ranking, performance evaluation, behavior-based task allocation, promotion recommendations, and workforce monitoring may fall within Annex III high-risk categories. A knowledge assistant that only answers onboarding questions is normally treated differently, provided it does not influence hiring, employment conditions, performance reviews, or access to work.
Manufacturing, logistics, maintenance, and infrastructure operations require attention to the intended purpose of the system. Predictive maintenance or visual quality inspection is not automatically high-risk. A stricter assessment may be required when AI acts as a safety component, controls machinery, affects regulated product safety, or participates in the operation of critical infrastructure.
An internal company knowledge system or retrieval assistant is also usually outside the high-risk categories. It still requires access controls and source management. A field technician may need installation manuals and service history but should not gain access to HR files. A subcontractor may need selected project documents but not the complete customer record. The AI Act does not replace identity management, data protection, or the company’s responsibility for the knowledge sources supplied to the system.
How do common use cases compare by risk and required action?
| Common use case | Likely company role | Typical assessment | Priority action |
|---|---|---|---|
| Writing assistant for email, proposals, or reports | Deployer | Usually low risk | Add to the inventory, define data rules, and require human review |
| Internal company knowledge assistant | Deployer, possibly provider for proprietary products | Usually low risk | Review permissions, sources, logging, and data access |
| Website chatbot or AI phone assistant | Deployer, potentially provider for an own-brand solution | Article 50 transparency obligations | Provide disclosure at the first interaction and a human handoff |
| AI-generated marketing images, voices, or video | Deployer or publishing organization | Possible labeling and disclosure duties | Review machine-readable marking and audience-facing disclosure |
| Applicant ranking or automated candidate selection | Deployer of a potential high-risk system | High-risk from December 2027 | Prepare supplier evidence, human oversight, privacy review, and co-determination |
| Performance evaluation or behavior-based work allocation | Deployer of a potential high-risk system | High-risk from December 2027 | Review purpose, decision impact, data sources, and human authority |
| AI serving as a product safety component | Product manufacturer or provider | Potentially high-risk from August 2028 | Coordinate the AI assessment with sector-specific product safety requirements |
A product name does not determine the regulatory category. The same technical model may organize documents in one company and rank applicants in another. Intended purpose, actual deployment, affected individuals, and the system’s influence on decisions are more important than the vendor’s marketing description.
When can a deployer become a provider?
A company using an off-the-shelf service is generally a deployer. That role may change if the company places a high-risk system on the market under its own name, makes a substantial modification, or changes the intended purpose so that a previously non-high-risk system becomes high-risk. In those situations, the company may assume provider obligations.
This issue is relevant to proprietary applications, white-label products, industry-specific platforms, and AI solutions sold to customers. Configuring an assistant for internal use does not automatically make the business a provider. Turning that configuration into an own-brand product, defining its intended purpose, and supplying it to other organizations requires a new role assessment.
The assessment should cover the complete application rather than the underlying language model alone. A working system may combine a foundation model, company knowledge, workflow rules, interfaces, tools, automated actions, and human approval steps. The organization designing and supplying that complete solution may carry obligations that differ from those of the original model developer.
How can a company establish the first controls within 30 days?
Days 1 through 5: Establish the mandate and ownership.
Executive management appoints an owner and defines the scope of the review. IT, privacy, information security, HR, procurement, and selected business units should participate. The immediate objective is not a large policy library. It is an accurate understanding of how AI is actually being used.
Days 6 through 10: Build the AI inventory.
The inventory should include approved tools, pilots, browser-based services, AI features embedded in existing software, API integrations, and internally developed applications. Each record should state the purpose, owner, provider, user group, data categories, affected people, use of outputs, deployment location, and business process.
Days 11 through 15: Assess roles and risk.
For each system, determine whether the company is acting as deployer, provider, distributor, or product manufacturer. Identify prohibited practices, Article 50 transparency obligations, possible high-risk uses, and ordinary low-risk assistance. Privacy, security, employment, works council, contractual, and intellectual-property issues should be reviewed in the same workflow.
Days 16 through 20: Implement immediate corrections.
Add disclosures to chatbots and AI phone assistants. Stop prohibited uses. Introduce publishing rules for synthetic content. State which data employees may enter into each system and when a qualified person must verify an output before it reaches a customer, applicant, employee, supplier, or authority.
Days 21 through 25: Review suppliers and contracts.
Request information about hosting, processors, security controls, model updates, retention, training use, output marking, incident support, and logging. For a possible high-risk system, determine whether the supplier can provide the documentation and technical capabilities that will later be needed for human oversight and compliant operation.
Days 26 through 30: Establish ongoing operations.
Define approval, training, change management, incident response, periodic review, and system retirement. New AI services should no longer be purchased or activated solely by an individual business unit when customer, employee, operational, or project data will be involved.
A company does not need to finish every AI governance activity within 30 days. It should, however, know what systems exist, who owns them, which uses require immediate intervention, and which projects need a longer compliance roadmap.
Which checklist should executive management and IT leadership use?
Executive management
- Has an accountable AI governance owner been appointed?
- Is there a complete inventory of production AI systems?
- Are prohibited practices, transparency cases, and potential high-risk systems separated?
- Are responsibilities among management, IT, HR, procurement, and business units documented?
- Is there an approval and retirement process for AI systems?
- Are privacy, information security, and the works council involved where required?
- Is there a process for incidents, complaints, and regulatory requests?
- Are systems with material effects on employees, applicants, or customers escalated for specialist review?
IT leadership and information security
- Are the provider, product version, hosting location, and technical integrations recorded?
- Is it known what data is entered, retained, or used for model improvement?
- Have roles, permissions, administrative access, and service accounts been reviewed?
- Can relevant changes, interactions, and outputs be logged where required?
- Are chatbot, voice-assistant, and synthetic-content notices implemented?
- Is there a shutdown, fallback, or human takeover procedure?
- Is sufficient supplier documentation available for possible high-risk systems?
- Are changes to the model, intended purpose, interfaces, and automated actions reassessed?
- Are vendor renewals linked to the delivery of required documentation and support?
Which four figures demonstrate the practical relevance?
AI is already an operational issue for German mid-sized businesses. According to Germany’s Federal Statistical Office, 23 percent of companies with 10 to 49 employees used AI technologies in 2025. Among companies with 50 to 249 employees, the share was 36 percent. The EU AI Act therefore affects not only software vendors but also ordinary manufacturers, service providers, contractors, skilled-trade businesses, and commercial organizations.
The sanctions framework also demonstrates why prohibited practices require management attention. Violations of Article 5 prohibitions may generally lead to fines of up to EUR 35 million or 7 percent of worldwide annual turnover. For small and medium-sized enterprises, the lower of the fixed amount and turnover-based amount applies.
The objective should not be a program designed only around potential fines. A sustainable operating model prevents unlawful use, supports responsible purchasing, provides evidence of decisions, and allows the company to adopt new tools without restarting the entire review each time.
Bring AI into daily operations in a structured way
The KrambergAI AI Introduction helps companies select suitable use cases, prepare workflows and integrate AI solutions into everyday operations in a controlled and practical way.
Structured implementation · Practical guidance · Made in Germany
Which sources support the figures used in this article?
German Federal Statistical Office: Companies using artificial intelligence technologies by employment-size category
https://www.destatis.de/DE/Themen/Branchen-Unternehmen/Unternehmen/IKT-in-Unternehmen-IKT-Branche/Tabellen/ikti-unternehmen-kuenstliche-intelligenz.html
European Commission AI Act Service Desk: Article 99 – Penalties
https://ai-act-service-desk.ec.europa.eu/de/ai-act/article-99
Which resources provide useful further reading?
European Commission: EU AI Act regulatory framework, implementation, and timeline
https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
Council of the European Union: Final adoption of the simplification measures and revised deadlines
https://www.consilium.europa.eu/en/press/press-releases/2026/06/29/artificial-intelligence-council-gives-final-green-light-to-simplify-and-streamline-rules/
Bundesnetzagentur: AI Service Desk and compliance resources for Germany
https://www.bundesnetzagentur.de/DE/Fachthemen/Digitales/KI/start_ki.html
Does the EU AI Act apply to ChatGPT, Microsoft Copilot, and similar assistants?
Yes, a company’s specific use of these tools can fall within the EU AI Act. A business using a finished office assistant is usually a deployer rather than the model provider. The purpose, data, affected people, and role in decisions matter. Basic drafting usually is not high-risk, but internal policies, AI literacy, data controls, and sometimes transparency duties still apply.
Does every mid-sized company need an AI officer?
No. The EU AI Act does not require a specific job title or a dedicated AI officer for ordinary deployers. Responsibility still needs an organizational home. Many mid-sized companies can appoint an AI owner and involve IT, privacy, information security, human resources, procurement, and the relevant business unit through a defined approval and escalation process.
Must every AI system be registered in an EU database?
No. Registration obligations mainly apply to specified high-risk systems and particular actors. An internal writing assistant, knowledge search tool, or ordinary service chatbot does not require registration merely because it uses AI. The company should still maintain an internal inventory recording the purpose, owner, provider, data categories, risk assessment, approval status, and latest review.
Must a chatbot or AI phone assistant disclose that it uses AI?
In general, people must be informed when they are interacting directly with an AI system unless that fact is already obvious from the context. The notice should appear no later than the first interaction. A website chatbot, virtual receptionist, or AI phone assistant should therefore provide a brief, understandable disclosure before requesting names, contact details, service information, or other personal data.
Must every AI-generated item be labeled?
No. The rules distinguish between technical marking by providers and disclosure by deployers. Synthetic audio, images, video, deepfakes, and certain public-interest text receive particular attention. Internal drafts or routine editing support may be treated differently. Companies need practical rules based on the content type, publication channel, audience, editorial review, and whether a person assumes responsibility for the final output.
Do AI systems used in human resources become high-risk in August 2026?
The extensive high-risk obligations for stand-alone employment and workforce-management systems were postponed by the 2026 amendment until December 2027. Potential examples include applicant ranking, selection decisions, performance evaluation, and behavior-based task allocation. Privacy law, German co-determination requirements, and existing prohibited-practice rules already apply, including the general ban on workplace emotion recognition except for narrow medical or safety uses.
Does the high-risk delay mean companies can wait until 2027?
No. The additional time should be used for inventory work, classification, contracts, technical preparation, and supplier engagement. For HR tools, safety-related systems, and automated decisions, collecting documentation, designing human oversight, configuring logs, and obtaining contractual commitments can take months. Waiting until the deadline may lead to rushed replacement projects, interrupted operations, or an inability to continue using the system.
Is an AI policy enough to demonstrate compliance?
An AI policy is useful, but it is not an operating model. A company also needs a current AI inventory, assigned owners, an approval workflow, role-based training, supplier documentation, controls for data and outputs, and an incident process. The decisive point is whether these requirements are actually used in procurement, projects, configuration changes, and everyday work, with evidence of periodic review.
What records should a mid-sized company retain for its AI systems?
Useful core records include a system profile, intended purpose, risk assessment, approval, provider and contract documents, privacy review, security assessment, employee training records, user notices, system changes, and reported incidents. Potential high-risk systems may also require instructions, logs, human-oversight arrangements, and evidence concerning input data. Retention periods depend on the company’s role, system risk, and other applicable laws.
How do the EU AI Act and the GDPR work together?
The EU AI Act does not replace the GDPR. When personal data is processed, companies still need a legal basis, purpose limitation, data minimization, required notices, processor agreements, and sometimes a data protection impact assessment. The AI Act adds system- and use-related risk obligations. Combining privacy and AI reviews in one workflow reduces duplicated work and lowers the risk of conflicting approvals.

