The EU AI Act was drafted with Big Tech in mind — the firms training foundation models, deploying biometric identification at scale, and running recommendation engines that shape public discourse. But the Regulation binds everyone who develops or deploys AI systems on the EU market, including the €30M industrial supplier, the €100M insurance broker, and the €200M e-commerce retailer.

The useful question for a Mittelstand company is therefore not "does the AI Act apply to us?" — it does — but "what does it actually require, given what we are building?" For most, the honest answer is far less than the headlines about €35 million fines suggest.

The Mittelstand AI landscape

Across DACH mid-market engagements, the same handful of use cases comes up again and again. Companies use AI to classify and extract from incoming documents — invoices, contracts, support tickets, claims — and route them onward. They make internal knowledge searchable through retrieval over wikis, technical manuals, and policy databases. They automate the unglamorous middle of operations: order processing, quality checks, report generation, data reconciliation. They put chatbots on FAQs, triage inbound email, and draft customer responses. And they forecast — demand, capacity, supply.

None of this is high-risk under the AI Act. Most of it is minimal risk and carries no specific obligations at all. A narrow slice — customer-facing chatbots and AI-generated content — falls under the limited-risk band, which triggers transparency duties rather than the full conformity machinery. This is the part that gets lost in the compliance panic: the Act's heavy instruments — conformity assessment, a formal risk-management system, EU database registration, Annex IV technical documentation — do not touch the vast majority of Mittelstand AI.

Where the Mittelstand does meet high-risk

The exceptions exist, and they are specific. Annex III, not a vibe, defines them.

HR and recruiting. AI used to filter job applications, evaluate or rank candidates, or to make or support decisions on promotion, termination, task allocation, or performance monitoring is high-risk. This holds even when the capability is buried inside a third-party tool — you are the deployer, and deployer obligations follow you. Many mid-market firms run applicant-tracking and performance systems with embedded "fit scores" or attrition flags they barely register as AI. Those are precisely the features Annex III is pointing at.

Credit and insurance. AI used to evaluate the creditworthiness of natural persons or set a credit score is high-risk — with an explicit carve-out for systems used to detect financial fraud. In insurance, the high-risk trigger is narrower than most people assume: it covers risk assessment and pricing for natural persons specifically in life and health insurance. A commercial-lines broker automating claims intake or document handling is not automatically in scope; an insurer pricing individual life or health cover with a model is. The distinction matters, and reading it correctly is the difference between a six-month conformity programme and a transparency notice.

The practical move is an honest audit of the software stack. Which tools embed AI, and what decisions do they touch? Anything that reaches employment outcomes, individual creditworthiness, or life-and-health pricing deserves a second look. Most of the rest does not.

What the Act does not require from most Mittelstand companies

It is worth being explicit about the obligations you almost certainly do not carry. Conformity assessment applies to high-risk systems only. EU database registration applies to high-risk systems only. The formal risk-management system under Article 9 is a high-risk requirement — sound practice for any AI, but not a legal mandate for minimal or limited risk. Annex IV technical documentation, at that depth, is required for high-risk systems only. The fundamental-rights impact assessment is a deployer duty attached to certain high-risk systems. If your portfolio is minimal and limited risk, none of this is on your plate.

What you do owe, regardless of risk level, is more modest and mostly governance hygiene. You need an inventory — you cannot classify what you have not catalogued. You need a documented classification rationale for each system, so that when a supervisor asks "how do you know this is minimal risk?" you have a written answer rather than a shrug. You need transparency disclosures for limited-risk systems — users must be told when they are talking to a machine or looking at AI-generated content. And you need DSGVO (GDPR) compliance wherever personal data is processed, which was already true before the AI Act existed.

The SME provisions actually help — within limits

The Act does carve out genuine relief for smaller firms. On penalties, Article 99 inverts the usual logic: where a large undertaking faces the higher of a fixed cap or a turnover percentage, an SME or start-up faces whichever is lower. The three tiers themselves are steep — up to €35M or 7% of worldwide turnover for prohibited practices, up to €15M or 3% for breaching most obligations (including high-risk and transparency duties), and up to €7.5M or 1% for supplying false information — but for a Mittelstand balance sheet the "lower of" rule meaningfully bounds exposure.

On innovation, Member States must stand up at least one national AI regulatory sandbox, operational by 2 August 2026, with priority access for SMEs and start-ups — a controlled environment to test systems against regulatory expectations before going to market. National authorities are also directed to provide SME-tailored guidance. These provisions reduce penalty risk and lower the cost of getting compliance right; they do not dissolve the underlying obligations. If you operate a high-risk system, you comply — the SME track makes that less punishing, not optional.

A practical compliance path

A realistic Mittelstand effort runs in four phases, and most companies spend almost all of their energy in the first two.

Inventory and classification — one to two weeks. List every AI system in use: production workflows you built or commissioned, AI features embedded in your SaaS stack (CRM, ERP, HR, marketing), the shadow AI your teams run informally through ChatGPT, Claude, or Copilot, and any pilots and proofs of concept. Then classify each against the risk tiers using the EU AI Act classification guide. For most firms this yields a list that is overwhelmingly minimal risk, a thinner band of limited risk, and — sometimes — a small set of genuinely high-risk systems.

Limited-risk obligations — one to two weeks. For chatbots and content generators, implement transparency: make it unmistakable that the user is interacting with AI, label AI-generated output where it applies, and document that you did so. In practice this is a notice line in the chat interface and a step in the content workflow, not a project.

High-risk obligations — if applicable, two to six months. Where high-risk systems exist, usually in HR or individual credit and life-and-health pricing, first settle whether you are provider or deployer. As a deployer you review the provider's documentation, implement meaningful human oversight, run a fundamental-rights impact assessment, and stand up monitoring and logging — the Compliance by Design patterns are built for exactly this. Where personal data is involved, run a DPIA alongside, and name the person accountable for human oversight.

Ongoing governance — continuous. Revisit the inventory quarterly, re-classify when systems change, and track guidance from the supervising authorities (see the EU AI Act timeline for the live dates). In Germany the Bundesnetzagentur is the designated market-surveillance and coordinating authority under the national implementing law, with the data-protection authorities retaining their role wherever personal data is in play.

Read the calendar correctly

Timing is where a lot of Mittelstand planning has quietly gone stale. Article 50's transparency obligations apply from 2 August 2026 — that date is firm, and it is the one that touches the most common mid-market use cases. The heavier obligations for standalone Annex III high-risk systems were originally set for the same date, but under the Commission's Digital Omnibus package their application has been pushed back to 2 December 2027. That deferral is provisional until it is formally adopted and published in the Official Journal, so plan against it rather than bank on it — but it does mean the high-risk clock is almost certainly less urgent than last year's briefing told you, while the transparency clock is not.

The real risk for the Mittelstand

The largest AI Act risk to a Mittelstand company is not the Regulation. It is using the Regulation as a reason not to deploy. Compliance panic — fed by the €35 million headline and the language of "sweeping" oversight — produces decision paralysis. A team that was ready to ship its first AI workflow in Q1 decides to "wait for clarity," and quietly hands competitors six to twelve months of operating advantage.

The pattern from our work is consistent. For the great majority of mid-market use cases, the AI Act asks for little beyond what decent governance already demands: an inventory, a documented classification, and a transparency notice on the systems that face customers. That is the whole job. The companies that win are the ones that classify, understand their actual obligations, and deploy — not the ones still waiting for someone else to go first.

A Fit Call maps your AI portfolio against the AI Act's risk tiers in 30 minutes — so you know exactly which systems need a transparency notice, which need real high-risk work, and which need nothing at all, before the transparency obligations bite on 2 August 2026.

References:
EU AI Act, Article 99 (Penalties), https://artificialintelligenceact.eu/article/99/
EU AI Act, Annex III (High-Risk AI Systems), https://artificialintelligenceact.eu/annex/3/
EU AI Act, Article 57 (AI Regulatory Sandboxes), https://artificialintelligenceact.eu/article/57/
EU AI Act Implementation Timeline, https://artificialintelligenceact.eu/implementation-timeline/
Gibson Dunn, "EU AI Act Omnibus Agreement — Postponed High-Risk Deadlines and Other Key Changes," 2025, https://www.gibsondunn.com/eu-ai-act-omnibus-agreement-postponed-high-risk-deadlines-and-other-key-changes/
Bundesnetzagentur, "Market Surveillance — Artificial Intelligence," https://www.bundesnetzagentur.de/EN/Areas/Digitalisation/AI/14_MarketSurveillance/start.html