The EU AI Act was designed with Big Tech in mind — the companies building foundation models, deploying facial recognition at scale, and running social media algorithms that shape public discourse. But the regulation applies to everyone who develops or deploys AI systems in the EU, including the €30M industrial supplier, the €100M insurance broker, and the €200M e-commerce retailer.

The question for Mittelstand companies is not "does the AI Act apply to us?" — it does — but "what does it actually require from us, given what we are building?" The answer, for most, is significantly less than the headlines suggest.

The Mittelstand AI landscape

Across our engagements with DACH mid-market companies, we see a consistent pattern in what they build with AI:

  • Document classification and processing: Incoming invoices, contracts, support tickets, claims — classified, extracted, routed
  • Internal knowledge retrieval: Company wikis, technical documentation, policy databases made searchable with RAG
  • Process automation: Order processing, quality checks, report generation, data reconciliation
  • Customer communication: Chatbots for FAQs, automated email triage, response drafting
  • Forecasting: Demand planning, supply chain optimisation, capacity utilisation

None of these are high-risk under the AI Act. Most are minimal risk. A few — customer-facing chatbots, content generation — fall under limited risk with transparency obligations.

This is the good news that gets lost in the compliance panic: the EU AI Act's heaviest requirements — conformity assessments, risk management systems, EU database registration — do not apply to the vast majority of Mittelstand AI use cases.

Where the Mittelstand does encounter high-risk

There are exceptions, and they matter:

HR and recruiting: If you use AI to screen CVs, rank candidates, assess interview performance, or monitor employee productivity, that is high-risk. This applies even if you use a third-party tool — you are the deployer and carry deployer obligations.

Many Mittelstand companies use HR software with embedded AI features they are barely aware of. An applicant tracking system that auto-ranks candidates by "fit score"? High-risk. A performance management tool that uses AI to flag underperformers? Potentially high-risk.

Insurance and financial services: If your business involves credit decisions, insurance risk assessment, or claims adjudication powered by AI, those workflows are high-risk. A €50M insurance brokerage using AI to triage claims falls squarely here.

The audit question: Review your software stack. Which tools use AI? What do they use it for? If any touch employment decisions or essential service access, you may have high-risk systems you did not know about.

What the AI Act does not require from most Mittelstand companies

Let's be explicit about what you probably do not need:

  • Conformity assessments — only for high-risk systems. If your AI portfolio is minimal and limited risk, this does not apply.
  • EU database registration — only for high-risk AI systems.
  • Risk management systems — the formal requirement under Article 9 is for high-risk systems. Good practice for any AI, but not legally mandated for minimal/limited risk.
  • Technical documentation to the depth specified in Annex IV — again, high-risk only.
  • Fundamental rights impact assessment — deployer obligation for high-risk systems.

What you do need, regardless of risk level:

  • An AI system inventory. You need to know what AI systems you use. This is a governance baseline rather than an AI Act requirement per se, but you cannot classify what you have not catalogued.
  • Classification documentation. For each system, a documented rationale for why it falls into its risk category. If an auditor asks "how do you know this is minimal risk?" — you need an answer.
  • Transparency disclosures for limited-risk systems (chatbots, AI-generated content).
  • DSGVO (GDPR) compliance for any AI system processing personal data — this was already required before the AI Act.

The SME provisions

The AI Act includes specific provisions for small and medium enterprises:

  • Reduced fines. The penalty ceilings for SMEs are proportionally lower than for large enterprises. For SMEs and startups, the maximum fine is the lower of the percentage or the absolute amount — not the higher.
  • Regulatory sandboxes. Member states must establish AI regulatory sandboxes that provide a controlled environment for testing innovative AI systems. SMEs and startups get priority access.
  • Simplified compliance measures. The European Commission may develop simplified compliance guidelines for SMEs. National authorities must consider the needs of SMEs in enforcement.
  • Support and guidance. National competent authorities must provide guidance and support tailored to SME needs.

These provisions are helpful but do not eliminate the core obligations. If you have a high-risk system, you must comply — the SME provisions reduce the penalty risk, not the compliance requirements.

A practical compliance path for the Mittelstand

Here is what a typical Mittelstand compliance effort looks like:

Phase 1: Inventory and classification (1–2 weeks)

List every AI system in use. Include:

  • Production AI workflows you have built or commissioned
  • AI features embedded in your SaaS tools (CRM, ERP, HR software, marketing platforms)
  • Shadow AI: teams using ChatGPT, Claude, Copilot, or other tools informally
  • Pilot projects and proofs of concept

Classify each by risk level using the EU AI Act classification guide. For most Mittelstand companies, this produces a list that is predominantly minimal risk, with a smaller share of limited risk and, in some cases, a handful of high-risk systems.

Phase 2: Address limited-risk obligations (1–2 weeks)

For chatbots, AI content generators, and other limited-risk systems:

  • Implement transparency disclosures: users must know they are interacting with AI
  • Label AI-generated content where applicable
  • Document the disclosures

This is straightforward and usually involves adding a notice line to chatbot interfaces and content workflows.

Phase 3: Address high-risk obligations (if applicable, 2–6 months)

If you have high-risk systems — typically in HR or financial decision-making:

  • Determine whether you are provider or deployer
  • For deployers: review provider documentation, implement human oversight, conduct fundamental rights impact assessment, set up monitoring and logging (see Compliance by Design for architectural patterns)
  • Run a DPIA if the system processes personal data
  • Assign a named person responsible for human oversight

Phase 4: Ongoing governance (continuous)

  • Quarterly review of AI system inventory
  • Update classifications when systems change
  • Monitor regulatory guidance from the Bundesnetzagentur and the data protection supervisory authorities (Datenschutzaufsichtsbehörden) (see the EU AI Act timeline for key dates)
  • Train teams on AI Act obligations relevant to their roles

The real risk for the Mittelstand

The biggest AI Act risk for Mittelstand companies is not the regulation itself. It is using the regulation as an excuse not to deploy AI.

Compliance panic — stoked by headlines about €35 million fines and sweeping regulation — causes decision paralysis. Companies that were ready to deploy their first AI workflow in Q1 decide to "wait for clarity." They lose 6–12 months of operational advantage while their competitors move.

The pattern from our engagements is clear: for the majority of Mittelstand AI use cases, the AI Act requires minimal additional effort beyond what good governance already dictates. An AI inventory. A risk classification. Transparency disclosures for chatbots. That is it.

The companies that will win are the ones that classify their systems, understand their obligations, and deploy — not the ones that wait for someone else to go first.

If you want to know exactly where your AI portfolio stands under the AI Act — without guesswork — run our diagnostic. It maps your systems, classifies them, and tells you what (if anything) you need to do before the August 2026 deadline.