The EU AI Act (Regulation (EU) 2024/1689) is the world's first horizontal law on artificial intelligence, and it reaches any company that develops, sells, or simply uses AI systems in the EU — including mid-market firms in Croatia, Slovenia, and Serbia that sell into the single market. Divine Solutions runs your compliance end to end: we inventory every AI system you use, classify each one against the Act's risk tiers, close the gaps, and hand you the documentation, human-oversight controls, and internal policy that stand up to a regulator's review. The point is not paperwork — it is to remove legal exposure and turn "we use AI responsibly" into something you can prove to customers and auditors.
Which EU AI Act deadlines actually apply to you
The timeline matters, and it shifted in 2026. Here is the current state of play:
- Since 2 February 2025 — bans on unacceptable-risk practices (social scoring, manipulative or exploitative AI, untargeted facial-recognition scraping) are already enforceable.
- Since 2 August 2025 — obligations for general-purpose AI (GPAI) models apply to model providers.
- 2 August 2026 — transparency obligations (Article 50) take effect: chatbots and virtual assistants must tell people they are interacting with AI, and AI-generated or manipulated content (deepfakes, synthetic media) must be labelled. This is the deadline that binds most mid-market companies.
- 2 December 2027 and 2 August 2028 — under the 2026 "Digital Omnibus" simplification package, the heaviest high-risk obligations were deferred: stand-alone Annex III systems to December 2027, and AI embedded in regulated products (machinery, medical devices) to August 2028. More runway — but not a reason to wait.
The practical takeaway: if you deploy AI in customer service, marketing, HR screening, or operations, your first hard deadline is August 2026 transparency, not the high-risk regime. Knowing that difference is exactly where generic, scare-driven advice gets it wrong.
The four risk tiers — and where mid-market AI usually lands
- Unacceptable — banned outright. Rare in normal business, but worth confirming you are clear of it.
- High-risk — AI used for hiring, credit scoring, insurance, biometric identification, critical infrastructure, or as a safety component. Heavy duties: risk management, data governance, logging, human oversight, and conformity assessment. Most SMEs are deployers, not builders, of these systems.
- Limited / transparency — chatbots, AI content generation, recommendation and personalisation tools. This is where most mid-market AI sits, and it triggers disclosure and labelling duties rather than the full high-risk burden.
- Minimal — spam filters, most analytics. No specific obligations, though sound governance still pays off.
What non-compliance actually costs
Fines scale with the breach: up to €35 million or 7% of global turnover for prohibited practices, up to €15 million or 3% for high-risk and transparency violations, and up to €7.5 million or 1% for supplying misleading information. For SMEs the Act caps the fine at the lower of the fixed sum or the percentage. In practice, the commercial risk often bites first: enterprise procurement teams increasingly require an AI Act attestation before they sign, so a missing classification can cost you a deal long before it costs you a fine.
How Divine Solutions delivers compliance
We work in a fixed, four-step engagement — typically a 4–8 week pilot, the same delivery cadence behind the AI we build and run in production:
- AI system inventory and risk classification. We map every AI system, model, and vendor tool in use — including shadow AI adopted by teams on their own — then classify each against the Act's tiers and Annex III.
- Gap assessment. A prioritised, per-system list of what is missing, measured against the exact articles and deadlines that apply to you rather than a generic checklist.
- Build the controls. Technical documentation and event logging, human-oversight design, data-governance rules, and an internal AI-use policy your staff can actually follow — plus the chatbot and AI-content disclosure Article 50 requires.
- Ongoing monitoring. Your AI stack and the rules both keep moving, so we set up review cadences, model-change tracking, and audit-ready records.
The result is compliance that lowers legal risk and doubles as a trust asset — the same governance that makes it safe to scale the automation behind meaningfully lower operating costs. Engage us before the August 2026 transparency deadline and you convert a regulatory obligation into a competitive edge.
