Skip to content

Law & compliance

The EU AI Act in 2026: what the Mittelstand actually has to do now

Bans, GPAI duties, high-risk: we map the timeline and show a practical roadmap with ISO 42001.

Updated 2026-06-24 · Beyonetix Engineering · 8 min read

The timeline, briefly

The EU AI Act is the world's first comprehensive AI regulation and enters into force in stages. Since 2 February 2025, certain practices are banned and AI-literacy requirements apply. Since 2 August 2025, obligations exist for providers of foundation models (GPAI). From 2 August 2026 the Act becomes largely applicable; some high-risk deadlines were partly deferred via the proposed “Digital Omnibus”.

Step 1: determine the risk class

Not every AI is “high-risk”. The Act distinguishes prohibited, high-risk, limited-risk (transparency) and minimal-risk applications. For the Mittelstand, many applications, internal assistants or document search, are low to limited risk. What matters is the concrete use, not the technology.

Step 2: ISO 42001 as a roadmap

ISO/IEC 42001:2023 is the first standard for AI management systems. It provides structure for responsibilities, risk assessment, data governance and documentation, and overlaps substantially with the AI Act's evidentiary duties.

Step 3: pull compliance into the architecture

Documentation, audit logs, data residency and access control belong in the technical solution, not in a folder hunted for during an audit. A sovereign platform produces the evidence as a by-product of operations.

FAQ

Frequently asked

Does the EU AI Act also affect small companies?

Yes, depending on the application, but many Mittelstand use cases are low to limited risk. Obligations follow the risk class.

What is the fastest sensible first step?

Classifying your AI use cases into the risk tiers plus a register, that creates clarity and is the basis for all further measures.

Sovereign AI for your organisation?

Let's walk through your use case.