EU AI Act: what it really means for mid-market companies
Plenty of deadline panic circulates around the EU AI Act. Most of it is wrong. Here is where things actually stand in July 2026, honest and without scaremongering: which rules already apply, which date moved, and where your AI use most likely falls.

Frequently asked
What is the EU AI Act?
The EU AI Act is the European law that sorts AI systems by risk: prohibited, high-risk, limited-risk and minimal-risk. The higher the risk, the heavier the obligations. The law applies to anyone offering or using AI in the EU, mid-market companies included.
Which deadlines apply right now?
Prohibited AI practices have applied since 2 February 2025, GPAI obligations since 2 August 2025. The high-risk rules (Annex III) moved via the Digital Omnibus to 2 December 2027. But 2 August 2026 is still a real deadline: transparency duties (Article 50), fining powers and market surveillance kick in regardless.
Is that high-risk deadline final?
Pretty much. The European Parliament approved the Digital Omnibus on 16 June 2026, and the Council gave final sign-off on 29 June 2026. Publication in the Official Journal is expected in July 2026, after which 2 December 2027 is formally locked in. Only the publication step is left.
What does this mean for mid-market companies?
For most SMEs, AI use falls under limited-risk or minimal-risk, not high-risk. Limited-risk mainly means transparency from 2 August 2026: tell people they are talking to AI, or that content was made by AI. Work out your real risk tier before you rush into action.
What are the fines?
For prohibited practices, fines reach up to 35 million euro or 7% of global annual turnover. Other breaches: up to 15 million euro or 3%. Supplying incorrect information to regulators: up to 7.5 million euro or 1%. SMEs and start-ups face proportionally lower fines.
Who supervises this in the Netherlands?
The Netherlands appoints 10 market surveillance authorities, each in its own domain (AFM and DNB for financial services). For areas without an existing supervisor, such as prohibited practices and transparency duties, the Dutch Data Protection Authority (AP) gets a central role, alongside the Rijksinspectie Digitale Infrastructuur. Consultation on the implementation law closed 1 June 2026; parliamentary debate is to come.
How do you make AI AI-Act-proof in production?
Start by classifying each AI use case, not "AI" in general. Many pilots stall not on the law but on the production gap: governance, compliance and maintenance that arrive too late. Our Scan reviews your AI work on ROI, risk and what the law asks.
The four risk tiers
Prohibited
AI the EU deems too harmful, such as social scoring or manipulating vulnerable groups.
Banned since 2 February 2025.
High-risk
AI in sensitive domains (Annex III), such as hiring, credit or critical infrastructure.
Strict requirements. Date moved to 2 December 2027 (Digital Omnibus, finally approved June 2026).
Limited-risk
AI people interact with or that creates content, such as chatbots and generated text.
Transparency (Article 50) from 2 August 2026: make clear it is AI.
Minimal-risk
Most AI: spam filters, recommendations, tools with no direct risk.
No specific obligations under the law.
The honest takeaway
No panic, but do not ignore it either. Most AI in mid-market companies falls under limited-risk or minimal-risk, not high-risk. The high-risk deadline is now settled at 2 December 2027, but 2 August 2026 still stands for transparency and oversight: exactly the part that hits most SMEs. The win is knowing which tier each use case falls under first.
This is not legal advice. The EU AI Act is still getting implementing rules and guidance; details can shift. For your own situation, have a lawyer look at it.
AI work AI-Act-proof in production?
The law is rarely the real blocker; the production gap is. In the Scan we review your AI work on ROI, risk and what the law asks, and tell you which ones we would put into production.