Europe's most important AI regulation - translated into a language that a mid-sized business owner can understand in half an hour. Six points on risk classes, obligations, deadlines and what you should do now.
The EU AI Act has been in force since 2024 and is being phased in step by step. It affects you if you build AI - but also if you only use AI.
This page is a quick orientation. It does not replace legal advice - but it helps you judge whether you need to look into the topic more deeply. Legal status as of May 2026: because the law becomes effective in stages, the precise state of the obligations will change in the years to come.
The AI Act is a European regulation - it applies directly in all EU member states, without Germany having to turn it into its own laws. It regulates two things: which AI applications are banned in Europe, and which obligations providers and users of certain AI systems have.
The central idea is a risk gradation: the more dangerous an AI is, the stricter the rules. Recruiting software that pre-sorts CVs counts as high-risk - whereas an email-sorting AI hardly does. The goal is not to ban AI, but to make it controllable.
The AI Act distinguishes four levels. Most mid-market applications land in the lower two.
Banned. Social-scoring systems, manipulative AI, real-time biometric mass surveillance. Not relevant for the typical mid-sized business - no one in Europe may operate these applications.
High-risk. AI in personnel selection, creditworthiness, critical infrastructure, education, law enforcement or as a safety component in products. Strict obligations apply here: documentation, risk assessment, human oversight, conformity assessment. If you want to build such an AI or use it in your company, you need specialised advice.
Limited risk. Chatbots, AI-generated content, emotion recognition. Here the main requirement is a transparency obligation: users must be able to recognise that they are talking to an AI or that a piece of content is AI-generated.
Minimal risk. The vast majority of AI applications: spam filters, recommendation algorithms, translation tools, AI assistants for employees. There are no special obligations here - the GDPR and the normal duty-of-care rules still apply, but nothing more.
If you buy AI (for example ChatGPT, Copilot, an AI assistant), your main obligation is: your employees should understand what they are doing. The AI Act calls this AI literacy - and it has applied since the start of 2025.
This is not a formal training obligation in the sense of certificates, but a substantive one: anyone who uses AI should know what it can do, what it cannot do, where hallucinations arise, what you should never feed into it. A pragmatic two-hour introduction per team is enough in most cases - and it is a good investment anyway (see Employees and AI).
The AI Act becomes effective in stages. As of May 2026, these stages are already active or coming up:
Since February 2025: Banned AI practices are prohibited. The AI literacy obligation applies.
Since August 2025: Obligations for providers of so-called General Purpose AI Models (that is, LLMs like GPT, Claude, Gemini). This concerns the big providers, not you as a user directly.
From August 2026: Most of the general rules of the AI Act apply - including the obligations for limited risk (labelling AI content, chatbot notices).
From August 2027: Full applicability of the high-risk rules, including for AI systems built into already regulated products.
The penalties are considerable. Anyone who operates banned AI practices can be fined up to 35 million euros or seven percent of worldwide annual turnover - whichever is higher.
For breaches involving high-risk systems, lower but still substantial amounts apply - up to 15 million euros or three percent of turnover. For false or incomplete information to supervisory authorities, up to 7.5 million or one and a half percent. For most mid-sized businesses, these orders of magnitude are deterrent enough that the question is not "How do I hide this?" but "How do I do it right?".
Three steps that every mid-sized business should take in 2026 - regardless of which risk class it ends up in later.
One: List which AI applications are actually in use in your business at all. Even individual employees using ChatGPT on their own count. You will be surprised how much there is.
Two: Classify roughly: which of these applications is high-risk, which is limited risk, which is minimal? When in doubt, the official EU list helps, or a free consultation with the BSI or a Digital Innovation Hub.
Three: Take care of the AI literacy obligation. An introduction for your team, a short internal policy on types of data (what may go in, what may not), a list of permitted tools. This is not a lot of work, but it is indispensable.
At the start of every AI project, we check which risk class the planned application falls into. If it is to be classified as high-risk, we say so openly - and recommend a specialised law firm that has experience with the AI Act. We only build high-risk projects when this advice is in place without gaps.
For limited or minimal risk, we provide the necessary transparency notices, documentation and handover materials for your AI literacy training as standard. That way you stay compliant without it turning into a science of its own.
The EU AI Act is not the end of AI in Europe. It is the attempt to put it under adult supervision.
For the average mid-sized business, the obligations are less severe than the first headlines suggested. Anyone who uses AI consciously, documents it and brings their people on board has already done the most important thing. Anyone who buries their head in the sand risks more than legally - they also miss the chance to build AI cleanly into their business.
What AI fundamentally is can be found under "What is AI, really?". Which terms come up in this field can be found under "AI glossary". How we bring employees along when using AI can be found under "Employees and AI".