See also (wiki): eu-ai-act-compliance
Executive Summary
- On August 2, 2026, the EU AI Act’s core high-risk obligations become enforceable. Any mid-market company with EU operations, EU employees, or EU customers is in scope — U.S. headquarters does not provide immunity.
- The European Commission’s own impact assessment puts per-system compliance at up to €400,000 for a small business (≤50 employees, €10M turnover) deploying one high-risk AI product requiring a quality management system. External conformity assessment alone can reach €1M. (Source: EC impact assessment as re-analyzed by the Center for Data Innovation, July 2021.)
- Several tools already in mid-market stacks are likely high-risk when used for specific decisions: HR screening platforms (HireVue, Workday Talent, Eightfold), credit/underwriting engines, clinical triage tools, education admissions/proctoring, and general-purpose AI (Copilot, Gemini) when deployed to make hiring, firing, promotion, or credit decisions.
- Maximum fines are structured in three tiers: €35M or 7% of global turnover (prohibited practices), €15M or 3% (provider/deployer obligation violations), €7.5M or 1% (false information). SMEs get the lower of the two amounts.
- The question for most mid-market CIOs and GCs is not “are we in scope?” — it is “which of our existing deployments just quietly became high-risk, and what is the minimum credible compliance posture before Aug 2?”
What Aug 2, 2026 Actually Enforces
The Act entered force Aug 1, 2024, with phased obligations. Prohibitions and AI literacy duties began Feb 2, 2025. GPAI model duties, notified bodies, and the penalty regime began Aug 2, 2025. On Aug 2, 2026, the remainder of the Act applies — critically, the high-risk obligations in Annex III. (Article 6(1) embedded-product high-risk obligations follow on Aug 2, 2027.)
What “high-risk” obligations mean operationally (Articles 8–29):
- A documented risk management system across the AI system’s lifecycle
- Data governance: training/validation/test datasets must be “relevant, representative, and free of errors” to the extent possible
- Technical documentation sufficient to prove conformity
- Automatic event logging across operation
- Human oversight designed into the workflow — not bolted on
- Accuracy, robustness, and cybersecurity appropriate to the use case
- A quality management system covering design, development, and post-market monitoring
- Conformity assessment before placing on market; re-assessment on substantial change
- EU database registration
- Post-market monitoring and incident reporting
Deployer (user) obligations are lighter but real: follow the provider’s instructions, maintain logs, monitor operation, notify the provider and authorities of serious incidents, and — for some Annex III systems — complete a fundamental rights impact assessment before first use.
The Eight Annex III Categories — Translated for Mid-Market
| Annex III category | What it covers | Mid-market tools commonly in scope |
|---|---|---|
| Biometrics | Remote ID, emotion recognition, sensitive attribute inference | Video interview analysis, office security cameras with face ID |
| Critical infrastructure | Safety components in digital, transport, utility systems | OT/ICS AI monitoring (manufacturers, utilities) |
| Education | Admissions, assessment, behavior monitoring | Proctorio, Respondus, corporate L&D platforms scoring learners |
| Employment | Recruitment, screening, promotion, evaluation, termination | HireVue, Workday Talent, Eightfold, Pymetrics, Lattice AI, performance-review copilots |
| Essential services | Benefit eligibility, credit scoring, emergency dispatch | FICO AI, Zest AI, Upstart, insurance pricing engines |
| Law enforcement | Crime risk, evidence evaluation, profiling | Not typically mid-market |
| Migration & border | Visa, health risk, ID | Not typically mid-market |
| Justice & democracy | Legal interpretation, election systems | Some LegalTech research tools when used for judicial outcomes |
The trap: a general-purpose tool like Microsoft 365 Copilot, Gemini, or ChatGPT Enterprise is not itself high-risk. The use case is. A recruiting team using Copilot to draft rejection letters is probably fine. A recruiting team using Copilot to score, rank, or shortlist candidates is deploying a high-risk system and inherits the deployer obligations for it. Shadow AI turns into shadow high-risk.
What It Costs — The €400K Number
The Center for Data Innovation’s 2021 re-analysis of the European Commission’s own impact assessment produced the most-cited figure: a small European business (≤50 employees, €10M turnover) faces up to €400,000 in compliance costs for one high-risk AI product requiring a QMS. With a typical 10% SME profit margin, this works out to a ~40% profit reduction at €10M revenue for a single high-risk deployment.
Components of that €400K:
- Quality management system build and maintenance (the largest single line item)
- Technical documentation preparation and upkeep
- Conformity assessment — internal for most Annex III systems; external third-party can run up to €1M when required (biometrics, some critical infrastructure)
- Human oversight process design and training
- Post-market monitoring infrastructure and incident reporting
- EU database registration and change management
- Cross-compliance with GDPR, sectoral rules, and product safety law
For 200–2,000 employee companies with multiple high-risk use cases, the cost scales. GDPR is the best precedent: 34% of large EU enterprises spent over €1M on GDPR compliance, and Fortune 500 firms collectively spent $8B. The AI Act has a broader scope and heavier technical documentation burden than GDPR, so those are floor numbers, not ceilings.
Source caveat: CDI is partly tech-industry funded, and its aggregate €31B figure is contested. The €400K per-SME-per-system figure is derived from the EC’s own impact assessment and has held up across critical reviews. Predates the final Act text (2021), so edge cases may differ, but the order of magnitude stands.
The Fines
Article 99 establishes three tiers:
| Tier | Trigger | Maximum |
|---|---|---|
| 1 | Prohibited practices (Art. 5) | €35M or 7% of global annual turnover, whichever is higher |
| 2 | Provider/deployer obligations (Arts. 16, 22–24, 26, 50) | €15M or 3% of turnover, higher |
| 3 | Incorrect/incomplete/misleading info to authorities | €7.5M or 1% of turnover, higher |
SMEs and startups get the lower of the two (amount vs. percentage). For a €50M-revenue mid-market firm, a Tier 2 violation ceiling is €1.5M (3% of €50M), not €15M.
Key Data Points
| Data point | Source | Date |
|---|---|---|
| Aug 2, 2026 — high-risk Annex III obligations enforceable | EU AI Act Article 113 | Aug 2024 |
| Up to €400K compliance cost for SME per high-risk AI system | EC impact assessment (CDI re-analysis) | Jul 2021 (Tier 4 — predates final Act) |
| External conformity assessment up to €1M | CDI analysis of EC data | Jul 2021 |
| AIA adds ~17% overhead to AI spending | EC impact assessment | Jul 2021 |
| Tier 1 max fine: €35M or 7% global turnover | AI Act Art. 99 | Jul 2024 |
| 8 Annex III high-risk categories | AI Act Annex III | Jul 2024 |
| Fortune 500 GDPR spend: $8B (cost comparable) | IAPP / Ovum estimates | 2018 (historical benchmark) |
What This Means for Your Organization
If the company has EU employees, EU customers, or an EU-established subsidiary, the question is not whether the Act applies — it is which tools already in use quietly crossed the high-risk line. The highest-probability exposures for a 200–2,000-employee U.S. company: a recruiting/HR platform that scores candidates, any underwriting or pricing AI if in financial services, any clinical decision support if in healthcare, and any use of general-purpose AI to make or support employment decisions involving EU staff.
The practical pre-Aug 2 move is not to build a full QMS for a speculative use case. It is to complete an AI inventory, tag each system by Annex III category and use case, and make the buy/build/retire decision now. For a mid-market company, the €400K figure is best read as a threshold: a high-risk deployment has to produce materially more than €400K of annual value to justify the compliance load. Most shadow HR-screening deployments do not clear that bar. Several should be retired rather than brought into compliance.
If the stack includes systems likely to be high-risk and the Aug 2 date is creating planning pressure specific to your situation, I’d welcome the conversation — brandon@brandonsneider.com.
Sources
- EU AI Act full text, Article 99 (penalties), Annex III (high-risk) — Regulation (EU) 2024/1689, published July 12, 2024. https://eur-lex.europa.eu/eli/reg/2024/1689/oj. HIGH credibility (primary legal text).
- Implementation timeline — artificialintelligenceact.eu/implementation-timeline/. HIGH credibility (Future of Life Institute–maintained; tracks official EC dates).
- High-level summary of obligations — artificialintelligenceact.eu/high-level-summary/. HIGH credibility.
- “How Much Will the Artificial Intelligence Act Cost Europe?” — Benjamin Mueller, Center for Data Innovation, July 2021. https://www2.datainnovation.org/2021-aia-costs.pdf. MEDIUM credibility (industry-funded think tank; figures derive from the EC’s own impact assessment, which strengthens the per-SME cost number; aggregate projections contested). Tier 4 date (2021) — predates the final Act and current model generation, but remains the most-cited cost benchmark.
- European Commission regulatory framework page — https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai. HIGH credibility (EC primary source).
Brandon Sneider | brandon@brandonsneider.com April 2026