EU AI Act: Is my company affected?
The EU AI Act applies in stages. Here is what small and mid-sized companies need to know, which obligations kick in, and why panic is the wrong advisor.

The EU AI Act is causing uncertainty among mid-sized companies. Many are wondering whether they now have to fear a bureaucratic monster just because they automate a little. The short answer: for the vast majority of everyday applications, the situation is more relaxed than the headlines suggest.
What the EU AI Act is
The AI Act is the European regulation that governs the use of AI according to risk. It does not apply all at once, but in stages across several effective dates. The higher the risk an application poses to people, the stricter the obligations. That is the whole basic idea.
The four risk classes
The AI Act roughly sorts applications into four levels:
- Prohibited: AI that, for example, manipulates people or scores them socially. Not an issue for ordinary businesses.
- High-risk: AI in sensitive areas such as personnel selection or critical infrastructure. Strict obligations apply here.
- Limited risk: chatbots, for instance. Here the main requirement is a transparency obligation, meaning a notice that you are talking to AI.
- Minimal risk: the bulk of everyday automation, from invoice processing to reporting. Practically no special obligations.
Most automations in mid-sized companies fall into the minimal-risk class. Effort arises above all where AI makes decisions about people.
When it becomes relevant for you
The AI Act becomes relevant for you when AI makes or prepares decisions about people, for example with job applications, creditworthiness, or access to important services. If, on the other hand, you book receipts, generate reports, or answer internal questions, you are almost always in non-critical territory.
What it makes sense to do now
Panic is the wrong advisor, but so is ignoring the Act. A simple inventory makes sense: where do we use AI, and which risk class does it fall into? This overview creates clarity and is the basis should an application trigger stricter obligations after all. In concrete terms, a short list of all AI applications in the company is enough, each with its purpose and risk class. When in doubt, this half page is worth more than any precautionary alarm, because it shows in black and white where action is really needed and where it is not.
We help with the classification and preparation as part of our AI consulting. This article is a guide, not legal advice: the binding assessment in any individual case belongs in expert hands.
How to classify an application in practice
The classification is less complicated than it sounds. Take an agent that reads and posts incoming invoices: it does not make decisions about people, so it falls into the minimal-risk class, with no special obligations at all. A chatbot on your website falls under limited risk; here it is enough to note that you are speaking with an assistant. Only a system that pre-sorts job applications lands in the high-risk area with real requirements. The same tool, three use cases, three levels of obligation.
Transparency is the most common obligation
For most businesses it comes down to a single practical obligation: disclosing where AI is involved. Anyone using a chatbot or a voice agent points out that it is an AI. This transparency is quickly implemented and, as a rule, the whole hurdle.
Provider or deployer: which role you have
The AI Act distinguishes whether you develop and place an AI on the market yourself or use a finished AI in your own operation. For mid-sized companies the second role almost always applies: you are a deployer, not a provider. This matters because the strictest obligations lie with the provider, while more manageable requirements apply to the deployer, above all the intended use and transparency towards people. In practice, documentation for you does not mean technically certifying a model, but recording which AI you use for what, which data goes into it and who in the company is responsible. When in doubt, this short overview is your most important proof that you use AI deliberately and under control, and it can be kept with manageable effort.
Frequently asked questions
When does the EU AI Act take effect?
The AI Act applies in stages across several effective dates between 2025 and 2027. The first prohibitions are already in force, and further obligations are being added step by step. Which date matters for you depends on the application.
Is my SME affected by the EU AI Act?
Strict obligations affect you above all if you use high-risk AI, for example for personnel selection. Pure process automation usually falls into the non-critical class with minimal requirements.
Do I need a lawyer now?
For an initial classification, a clean inventory of your AI applications is enough. If one of them is classified as high-risk, legal advice makes sense. We help you establish the overview.
NordFlux UG (haftungsbeschränkt)
NordFlux builds digital employees for organisations: automations and AI agents that take over repetitive work. You stay in control.