
The EU AI Act for SMEs: using AI creates duties too

Many managing directors assume the EU AI Act only applies to companies that build AI. It does not: anyone who deploys AI – in recruiting, a service chatbot, scoring – is a deployer with duties. We explain who is affected, which obligations apply when, and how compliance-by-design turns a burden into a non-event.

Marius Gill

Managing Director and software developer with over 10 years of experience

Many managing directors associate the EU AI Act with a reassuring assumption: "We don't build AI, so it doesn't concern us." That assumption is wrong. The EU AI Act addresses not only providers that build AI, but explicitly also deployers that use it. If you run a recruiting tool, operate a service chatbot or score creditworthiness with an algorithm, you are a deployer – and you have duties that already apply today.

How much this is underestimated shows in the numbers: according to the Bitkom AI study report (February 2026), 93 percent of affected companies expect a high implementation effort from the AI Act (49 percent "very high", 44 percent "rather high"), and 56 percent consider the law net-negative for the German economy. That concern is understandable – but it often stems from uncertainty about what is actually required. That is exactly what we clarify here.

Who is affected: deployers, not only developers

The decisive term in the EU AI Act is "deployer" – and it means exactly the companies that use AI in daily operations without having built it themselves. Regulation (EU) 2024/1689 separates roles along the value chain. A provider develops an AI system, or has it developed, and places it on the market under its own name. A deployer uses such a system under its own authority. For the typical mid-sized company the second role is almost always the relevant one: you buy HR software with candidate ranking, subscribe to an AI chatbot or use a scoring module – and become a deployer with your own duties.

This is not a niche issue. According to data from the IW Cologne (2025), 56.1 percent of medium-sized companies (50–249 employees) already use AI, rising to 66.3 percent among large ones. What stands out is how shallow that use often remains: only 13.0 percent buy AI as a service and just 3.6 percent develop it themselves. The large majority are pure users – that is, deployers. It is precisely this group that often assumes it is unregulated, and is mistaken.

Obligations by risk class and timeline

The EU AI Act staggers obligations by risk and by date – and both have already begun. The regulation has been in force since 1 August 2024 and applies in phases. Prohibited practices (such as social scoring or certain biometric surveillance) have been banned since 2 February 2025; the AI-literacy duty has applied since the same day. The rules for general-purpose AI models (GPAI) have applied since 2 August 2025, the Article 50 transparency obligations from 2 August 2026. The stricter Annex III high-risk obligations were postponed in late 2025 via the Digital Omnibus.

The timeline is already running: the next broad deadline for deployers is 2 August 2026 (transparency).

To know which obligations apply concretely, you first assign your system to a risk class. The overview below summarises the four tiers and the central deployer duties.

Risk class            | Examples in an SME                    | Deployer duties (selection)                           | Deadline
Prohibited            | Social scoring, manipulative systems  | Use banned                                            | since 2 Feb 2025
High-risk (Annex III) | Recruiting/HR AI, creditworthiness    | Oversight, logging, informing affected people         | postponed
Limited risk          | Service chatbots, AI content          | Transparency under Art. 50                            | from 2 Aug 2026
Minimal risk          | Spam filters, AI in standard tools    | AI literacy (Art. 4)                                  | since 2 Feb 2025

Fines are staggered by severity: up to EUR 35 million or 7 percent of global annual turnover for prohibited practices, up to EUR 15 million or 3 percent for breaches of deployer and transparency duties, and up to EUR 7.5 million or 1 percent for incorrect information. In each case the higher of the two amounts applies, except for SMEs, for which the lower cap applies (Article 99).

What this means concretely for an SME

Three duties affect mid-sized companies almost always – and none of them requires an in-house AI department. First, AI literacy: Article 4 has required, since February 2025, that the people working with AI have an appropriate understanding of what the system can do, where its limits are and which risks exist. That is not a certificate but a demonstrable process of training, context and clear usage rules. Second, transparency: anyone operating a chatbot or publishing AI content must make that recognisable from August 2026 (Article 50).

Third, and most often underestimated, recruiting. AI in the employment context – screening applications, ranking candidates, preparing HR decisions – falls under Annex III and therefore counts as high-risk. That triggers additional deployer duties: human oversight of the results, logging of the use and informing the affected applicants. Many HR departments already use such features, often as part of a larger HR suite, without being aware of the classification.

[Figure: Deployer duties as a checklist. The AI-literacy duty has applied to everyone since 2 February 2025.]

The first practical step is therefore unspectacular: an inventory. Which AI systems are in the house, in which department, with which purpose and which risk class? Only then can duties be assigned precisely instead of fearing effort across the board. How we embed AI into existing processes in a safe and traceable way is shown in our post on AI integration; we go deeper into the governance side in our post on managing AI risk in software projects.

Compliance-by-design instead of expensive retrofitting

The AI Act's obligations are expensive when bolted on at the end – and cheap when they sit in selection and architecture from the start. That is the core of compliance-by-design. When you select an AI system, you check the risk class before the contract is signed, not after. When you build a chatbot, you plan the transparency label as part of the interface rather than retrofitting it in 2026. When you deploy a high-risk system, you build logging and human oversight as a function, not as a manual workaround.

This is exactly where an experienced partner adds value. KfW Research, in Fokus Volkswirtschaft No. 533 (February 2026), names the skills shortage and missing internal competence as central barriers to AI use in the Mittelstand – and recommends, as the remedy, investing in employee qualification and the systematic strengthening of in-house competencies and data infrastructure. An agency that builds and integrates AI systems knows the obligations anyway and translates them into technical requirements: documented data flows, clean logs, transparency notices, role and permission models. That turns an abstract regulation into a list of concrete, solvable tasks. We describe the same approach for internal knowledge chatbots in our post on enterprise knowledge chatbots. Where the strategic classification is still missing, we start with an AI strategy that brings risk classes, obligations and roadmap together.

Next steps

Three questions quickly show where your company stands on the AI Act:

  1. Inventory: Which AI systems are in use – including those embedded in standard software – and for which purpose?
  2. Risk class: Are there recruiting, HR or scoring functions among them that should be classed as high-risk?
  3. Literacy and transparency: Is the AI-literacy duty demonstrably met, and are chatbots or AI content labelled as such?

If these points are unclear, the first step is not a compliance project but a sober stocktake. Tell us which AI systems you use today and which you are planning – then book an intro call, and we will classify obligations, risk and the next sensible steps together.

Conclusion

The EU AI Act binds not only AI builders but every deployer that uses AI. The obligations are manageable when they flow into selection, architecture and documentation early. Companies that plan compliance-by-design turn a looming burden into a non-event – and keep control of timeline and cost.