EU AI Act full enforcement began August 2, 2026. High-risk AI penalties up to €35M or 7% of global turnover.
[EU AI Act · Mid-Market Guide]

What the EU AI Act requires for mid-market companies.

By William McCann · ClearpathAI · Updated May 2026

The EU AI Act is the world's first comprehensive AI regulation. It applies to any organization that deploys AI systems affecting people in the European Union — regardless of where the organization is headquartered. A mid-market manufacturer in New Jersey that sells to EU customers, or uses AI that affects EU employees, is subject to the regulation.

Full enforcement began August 2, 2026

High-risk AI systems without documented governance frameworks are non-compliant. Penalties up to €35 million or 7% of global annual turnover — whichever is higher. The window to build a compliant framework before enforcement was open. It is now closed.

Does the EU AI Act apply to your company?

The EU AI Act applies to you if any of the following are true:

You sell products or services to customers in the European Union
You employ people located in the EU
You use AI systems that make decisions affecting EU residents — including employment decisions, credit decisions, or product safety systems
You deploy AI in a product or service used by EU customers, even if you are based in the US

The regulation does not have a size threshold. A 50-person company with EU customers has the same obligations as a 50,000-person enterprise — the requirements scale by risk tier, not by company size.

The four risk tiers — and what each one requires.

The EU AI Act uses a risk-based approach. Every AI system you deploy falls into one of four tiers. Your obligations depend entirely on which tier applies.

Unacceptable Risk
Prohibited — cannot be deployed
AI systems that pose unacceptable risks to fundamental rights are banned outright. No compliance path exists for these systems.
Examples: social scoring systems, real-time biometric surveillance in public spaces, subliminal manipulation, exploitation of vulnerable groups

High Risk
Full compliance obligations — most demanding tier
AI systems used in consequential decisions affecting people's lives. Requires documented risk management, technical documentation, human oversight, logging, and registration before deployment.
Examples: AI in hiring/screening, credit scoring, medical diagnosis support, safety systems in manufacturing, student assessment, biometric identification

Limited Risk
Transparency obligations only
AI systems that interact with people must disclose they are AI. AI-generated content must be labeled. Lighter compliance burden than high-risk.
Examples: customer-facing chatbots, AI content generators, deepfake tools, emotion recognition in non-workplace settings

Minimal Risk
No mandatory requirements
The vast majority of AI tools fall here. No mandatory compliance obligations, though voluntary codes of conduct are encouraged. Documenting these tools is still best practice for your AI inventory.
Examples: spam filters, AI-recommended playlists, basic process automation, grammar checkers

What high-risk AI systems are required to do.

If any of your AI systems fall into the high-risk tier, these are the specific requirements under the EU AI Act. This is where most mid-market companies have compliance gaps.

Article 9
Risk management system
A documented risk management process that identifies, analyzes, and mitigates risks throughout the AI system's lifecycle. Must be maintained and updated continuously — not a one-time exercise.

Article 10
Data governance
Training, validation, and testing data must meet quality criteria. Data governance practices must be documented. Bias and discrimination risks must be assessed and addressed.

Article 11
Technical documentation
Detailed technical documentation must be prepared before deployment and kept current. Includes system description, design specifications, training methodology, performance metrics, and risk management measures.

Article 12
Automatic event logging
High-risk AI systems must automatically log events enabling post-market monitoring. Logs must be retained for a minimum of six months, or longer for certain categories.

Article 13
Transparency and information provision
Users of high-risk AI systems must receive clear instructions for use, including the system's purpose, accuracy levels, known limitations, and human oversight requirements.

Article 14
Human oversight
High-risk AI systems must be designed to enable effective human oversight. Humans must be able to understand, monitor, and override the system's outputs. This capability must be documented, and staff must be trained on it.

Article 49
Registration
High-risk AI systems must be registered in the EU AI database before deployment. Registration requires the technical documentation from Article 11 to be complete.

What are the penalties for non-compliance?

EU AI Act penalties are tiered by violation severity:

€35M or 7% of global turnover — prohibited AI violations
€15M or 3% of global turnover — other violations including high-risk non-compliance
€7.5M or 1.5% of global turnover — providing incorrect information to authorities

What mid-market companies need to do right now.

Most mid-market companies are not fully compliant. The most common gaps are:

No AI tool inventory — unable to classify what they're running by risk tier
No documented risk management process for high-risk AI systems
No AI Use Policy that employees have read and acknowledged
No technical documentation for high-risk systems
No logging infrastructure for high-risk AI outputs
No registration of high-risk systems in the EU AI database

The fastest path to compliance is a structured AI Readiness Audit — a full inventory of your AI systems, risk classification of each one, and a gap analysis against the specific articles that apply to your tier. That produces a 90-day roadmap with prioritized actions.

Find out where you stand.
30 minutes.

Book a discovery call. We'll identify which EU AI Act tier applies to your AI systems and what your specific compliance gaps are — before you pay anything.
