Does the EU AI Act apply to mid-market companies?

Yes. The EU AI Act applies regardless of company size. What matters is the risk class of the AI system in use, independent of revenue. A mid-market company running a high-risk system carries the corresponding obligations.

Which deadlines apply after the Digital Omnibus?

The Digital Omnibus moved the high-risk obligations: standalone systems to December 2027, embedded product systems to August 2028. The prohibitions (Art. 5) and the AI literacy duty (Art. 4) have applied since February 2025, and the GPAI obligations since August 2025.

What is the AI literacy duty under Art. 4?

Art. 4 requires companies to ensure a sufficient level of AI literacy among everyone who works with AI systems. It has applied since February 2025 and affects the mid-market directly, even without a high-risk system.

How high are the penalties for breaching the EU AI Act?

Penalties reach up to 35 million euro or 7 percent of global annual turnover, whichever is higher. Prohibited practices are penalized most severely.

Where should a mid-market company start with EU AI Act readiness?

With an inventory: which AI systems are in use or planned, and which risk class do they fall into? That is followed by the Art. 4 AI literacy duty and, for high-risk systems, building risk management, data governance and documentation.

EU AI Act readiness for the mid-market

What the EU AI Act requires from mid-market companies: deadlines, risk classes and a practical readiness checklist, also after the Digital Omnibus.

The EU AI Act is the world’s first comprehensive AI regulation, and it does not only apply to tech corporations. Mid-market companies that use AI in customer service, hiring, lending or production also fall within its scope. The most common question in the mid-market is therefore: what do we really have to do, and by when?

In short: The EU AI Act applies regardless of company size. What matters is the risk class of the AI system, independent of revenue. Some obligations already apply, and the high-risk obligations take effect after the Digital Omnibus from December 2027 and August 2028.

The deadlines at a glance

The Digital Omnibus moved the dates, but the roadmap is clear:

Since February 2025: prohibited practices (Art. 5) and the AI literacy duty (Art. 4).
Since August 2025: obligations for general-purpose AI models (GPAI).
From December 2027: high-risk obligations for standalone systems.
From August 2028: high-risk obligations for embedded product systems.

The risk classes

The EU AI Act ranks AI systems by risk. For readiness, the correct classification is the first and most important step:

Prohibited practices. Unacceptable risk, such as social scoring or manipulative systems. These are banned.
High-risk systems. Applications in sensitive areas such as HR, creditworthiness, critical infrastructure or education. These carry the most extensive obligations.
Systems with transparency duties. Chatbots or generated content that must be marked as such.
Minimal risk. The majority of operational AI applications, for which the AI literacy duty is the core requirement.

A readiness checklist

A pragmatic starting point for the mid-market:

Inventory. Capture all AI systems in use and planned, including AI inside purchased software.
Classification. Assign each system to a risk class and derive the resulting obligations.
AI literacy (Art. 4). Role-based training for everyone working with AI, documented and repeatable.
Governance for high-risk. Build risk management, data governance, logging, human oversight and technical documentation.
Accountability. Clarify who owns AI governance in the company and whom it reports to.

Where the work really sits

A postponed deadline does not reduce the workload. Risk management, data governance and documentation for a high-risk system take months, tightly interwoven with how the system is built and operated. Companies that use the extra time build governance as part of delivery, well before the deadline. That is where it is decided whether AI in the mid-market makes it from pilot into reliable, auditable production.