EU AI Act Compliance for Mid-Market Companies

The EU AI Act is now live, and its first hard deadline for everyday business AI — transparency for chatbots and AI-generated content — lands on 2 August 2026.


What EU AI Act compliance means for your business in 2026

The EU AI Act (Regulation (EU) 2024/1689) is the world's first horizontal law on artificial intelligence, and it reaches any company that develops, sells, or simply uses AI systems in the EU — including mid-market firms in Croatia, Slovenia, and Serbia that sell into the single market. Divine Solutions runs your compliance end to end: we inventory every AI system you use, classify each one against the Act's risk tiers, close the gaps, and hand you the documentation, human-oversight controls, and internal policy that stand up to a regulator's review. The point is not paperwork — it is to remove legal exposure and turn "we use AI responsibly" into something you can prove to customers and auditors.

Which EU AI Act deadlines actually apply to you

The timeline matters, and it shifted in 2026. Here is the current state of play:

  • Since 2 February 2025 — bans on unacceptable-risk practices (social scoring, manipulative or exploitative AI, untargeted facial-recognition scraping) are already enforceable.
  • Since 2 August 2025 — obligations for general-purpose AI (GPAI) models apply to model providers.
  • 2 August 2026 — transparency obligations (Article 50) take effect: chatbots and virtual assistants must tell people they are interacting with AI, and AI-generated or manipulated content (deepfakes, synthetic media) must be labelled. This is the deadline that binds most mid-market companies.
  • 2 December 2027 and 2 August 2028 — under the 2026 "Digital Omnibus" simplification package, the heaviest high-risk obligations were deferred: stand-alone Annex III systems to December 2027, and AI embedded in regulated products (machinery, medical devices) to August 2028. More runway — but not a reason to wait.

The practical takeaway: if you deploy AI in customer service, marketing, HR screening, or operations, your first hard deadline is August 2026 transparency, not the high-risk regime. Knowing that difference is exactly where generic, scare-driven advice gets it wrong.

The four risk tiers — and where mid-market AI usually lands

  • Unacceptable — banned outright. Rare in normal business, but worth confirming you are clear of it.
  • High-risk — AI used for hiring, credit scoring, insurance, biometric identification, critical infrastructure, or as a safety component. Heavy duties: risk management, data governance, logging, human oversight, and conformity assessment. Most SMEs are deployers, not builders, of these systems.
  • Limited / transparency — chatbots, AI content generation, recommendation and personalisation tools. This is where most mid-market AI sits, and it triggers disclosure and labelling duties rather than the full high-risk burden.
  • Minimal — spam filters, most analytics. No specific obligations, though sound governance still pays off.

What non-compliance actually costs

Fines scale with the breach: up to €35 million or 7% of global turnover for prohibited practices, up to €15 million or 3% for high-risk and transparency violations, and up to €7.5 million or 1% for supplying misleading information. For SMEs the Act caps the fine at the lower of the fixed sum or the percentage. In practice, the commercial risk often bites first: enterprise procurement teams increasingly require an AI Act attestation before they sign, so a missing classification can cost you a deal long before it costs you a fine.

How Divine Solutions delivers compliance

We work in a fixed, four-step engagement — typically a 4–8 week pilot, the same delivery cadence behind the AI we build and run in production:

  1. AI system inventory and risk classification. We map every AI system, model, and vendor tool in use — including shadow AI adopted by teams on their own — then classify each against the Act's tiers and Annex III.
  2. Gap assessment. A prioritised, per-system list of what is missing, measured against the exact articles and deadlines that apply to you rather than a generic checklist.
  3. Build the controls. Technical documentation and event logging, human-oversight design, data-governance rules, and an internal AI-use policy your staff can actually follow — plus the chatbot and AI-content disclosure Article 50 requires.
  4. Ongoing monitoring. Your AI stack and the rules both keep moving, so we set up review cadences, model-change tracking, and audit-ready records.

The result is compliance that lowers legal risk and doubles as a trust asset — the same governance that makes it safe to scale the automation behind meaningfully lower operating costs. Engage us before the August 2026 transparency deadline and you convert a regulatory obligation into a competitive edge.

What is included

  • A complete inventory of every AI system, model, and vendor tool you run — including the shadow AI teams adopt on their own
  • Risk classification of each system against the Act's four tiers and Annex III, with the specific obligations that apply to it
  • A prioritised gap assessment mapped to the exact articles and 2026–2028 deadlines you must meet
  • Technical documentation and event logging built to survive a regulator's or auditor's review
  • Human-oversight design and data-governance rules that keep a real person meaningfully in control
  • An internal AI-use policy your staff will actually follow, plus Article 50 chatbot and AI-content disclosure
  • Ongoing monitoring: model-change tracking, review cadences, and audit-ready records as the rules evolve

From idea to results in a few steps

  1. Discovery. We analyze your processes and find the highest-impact opportunities.
  2. Prioritization. We rank use-cases by impact, feasibility and ROI.
  3. Pilot. We deliver a working solution in 4–8 weeks.
  4. Scale. Implementation, optimization and secure governance.

Frequently asked questions

Does the EU AI Act apply to my company if we only use AI, not build it?

Yes. The Act regulates deployers, not just developers. If you use a chatbot, AI content generation, or AI in hiring or credit decisions — and you operate in or sell into the EU — obligations apply to you. Most mid-market companies are deployers whose main duties are transparency, governance, and documentation rather than the heavier high-risk regime.

What is the real deadline I need to worry about?

For most businesses it is 2 August 2026, when Article 50 transparency rules take effect: chatbots must disclose they are AI, and AI-generated content must be labelled. The heaviest high-risk obligations were deferred by the 2026 Digital Omnibus to December 2027 for stand-alone systems and August 2028 for AI in regulated products — so you have more time there, but classification and governance should start now.

How long does a compliance engagement take?

Our standard pilot runs 4–8 weeks: inventory and risk classification first, then a gap assessment, then building the documentation, oversight, and policy controls. Larger AI estates take longer, but you get a defensible position and a prioritised roadmap within the first weeks.

What are the penalties for getting it wrong?

Up to €35 million or 7% of global turnover for banned practices, and up to €15 million or 3% for high-risk or transparency breaches. For SMEs the fine is capped at the lower amount. In practice, lost enterprise deals — buyers increasingly require AI Act attestations — often hurt sooner than any fine.

Are we a high-risk company under the Act?

Probably not, unless you use AI for hiring, credit scoring, insurance, biometrics, or safety-critical functions. Most mid-market AI — chatbots, personalisation, content, analytics — falls under limited-risk transparency or minimal-risk. We confirm this in the classification step so you neither over-comply nor under-comply.

How is this different from the GDPR compliance we already have?

GDPR governs personal data; the AI Act governs AI systems and their risk, including systems that use no personal data at all. They overlap on data governance and documentation, so we build on your existing GDPR work rather than duplicating it — but AI-specific duties like risk classification, human oversight, and transparency disclosure are new.
