The timeline, briefly
The EU AI Act is the world's first comprehensive AI regulation and enters into force in stages. Since 2 February 2025, certain practices are banned and AI-literacy requirements apply. Since 2 August 2025, obligations exist for providers of foundation models (GPAI). From 2 August 2026 the Act becomes largely applicable; some high-risk deadlines were partly deferred via the proposed “Digital Omnibus”.
Step 1: determine the risk class
Not every AI is “high-risk”. The Act distinguishes prohibited, high-risk, limited-risk (transparency) and minimal-risk applications. For the Mittelstand, many applications, internal assistants or document search, are low to limited risk. What matters is the concrete use, not the technology.
Step 2: ISO 42001 as a roadmap
ISO/IEC 42001:2023 is the first standard for AI management systems. It provides structure for responsibilities, risk assessment, data governance and documentation, and overlaps substantially with the AI Act's evidentiary duties.
Step 3: pull compliance into the architecture
Documentation, audit logs, data residency and access control belong in the technical solution, not in a folder hunted for during an audit. A sovereign platform produces the evidence as a by-product of operations.