The EU AI Act and the blind spot for SMEs: Why AI in standard software could result in millions in fines for you
Published on: March 22, 2026 / Updated on: March 22, 2026 – Author: Konrad Wolfenstein
Ending the uncontrolled proliferation of AI: This is how tough the new AI law will be from August 2026
More than just bureaucracy: How to turn the EU AI Act into a strategic competitive advantage now
The AI hype of recent years is giving way to a harsh legal reality: With the EU AI Act, the European Union is setting globally unique and binding limits on the use of artificial intelligence. From August 2026, things will get serious for the vast majority of companies – yet alarmingly few are prepared. Those who haven't done their homework by this deadline risk drastic fines of up to €35 million or seven percent of their global annual revenue. A dangerous misconception is that the law only affects tech companies or developers of their own AI models. In fact, the strict requirements also apply if companies merely purchase AI functions or unknowingly use them in everyday standard software. The following article examines the obligations that organizations now face in the various risk categories, why an immediate AI inventory is essential, and how astute business leaders can use the new governance structures not as burdensome bureaucracy, but as a strategic competitive advantage.
Fines of up to 35 million euros, and most companies are not yet ready
The countdown is on – and the clock is ticking audibly.
It's one of those regulatory turning points that many companies have been talking about for years, but which shockingly few have seriously prepared for. On August 2, 2026, the EU AI Act enters its crucial implementation phase for the vast majority of affected organizations: The full requirements for high-risk AI systems become mandatory, governance structures must be demonstrated, transparency obligations for generative AI come into effect, and fines of up to €35 million or seven percent of global annual turnover are no longer an abstract threat, but a real legal risk. The transitional periods granted since the regulation officially entered into force in August 2024 are expiring.
Those who had hoped the European Commission would postpone the deadline once more are left with a mixed picture. A so-called Digital Omnibus Package, which includes targeted adjustments and simplifications, particularly for small and medium-sized enterprises (SMEs), is under discussion and aims to make the obligations clearer, more manageable, and more conducive to innovation. Individual obligations, especially the particularly complex requirements for high-risk AI in safety-critical products such as medical devices or elevators, have been postponed until August 2027. However, this should not obscure the fact that the majority of the obligations will come into force on the aforementioned deadline and must be implemented by companies of all sizes.
The core of the regulation: Risk classification
The conceptual foundation of the EU AI Act is a risk-based approach that categorizes AI systems into four groups. AI practices with unacceptable risk, such as social scoring systems or systems that manipulate people's decisions, are completely prohibited and can trigger fines of up to €35 million or seven percent of annual turnover. High-risk AI systems used in eight defined areas—including lending, human resources management, biometric identification, education, law enforcement, and critical infrastructure—are subject to comprehensive compliance and documentation requirements. Limited-risk AI must meet certain transparency obligations, such as labeling AI-generated content. Everyday, low-risk AI applications are largely unregulated.
In practice, this sounds clearer than it actually is. Classifying a specific AI system into the correct risk category is often not a trivial task. Article 6, paragraph 3 of the regulation explicitly obliges companies to provide a written justification for their classification decision, even if the result is that a system should not be classified as high-risk. This means that even those who conclude that their AI systems fall into the low-risk category must document this conclusion and provide auditable evidence. This requirement applies to virtually every company that currently uses AI functions in its software – and according to recent surveys, that already includes 41 percent of all German companies with more than 20 employees.
What high-risk obligations actually mean
For organizations whose AI systems are indeed classified as high-risk, the scope of the requirements is considerable. By August 2026, these systems must have undergone a full conformity assessment, have technical documentation, bear CE markings, and be registered in the EU's public database for high-risk AI. The requirements go far beyond administrative formalities. A risk management system must be implemented that covers the entire lifecycle of the AI system, from development and operation to decommissioning.
Training data must be checked for quality, representativeness, and potential biases. Automatic logging of all relevant system actions is mandatory during operation. In the event of serious incidents, the responsible market surveillance authority must be informed within fifteen days. Any significant changes to an existing high-risk system require a complete reassessment of the conformity assessment. This is not bureaucratic red tape; it is an attempt to enforce a level of safety and quality for AI systems that has been standard practice in safety-critical sectors such as aviation and the pharmaceutical industry for decades.
The blind spot in German SMEs
For German SMEs, the EU AI Act is an issue that, despite its far-reaching implications, has not yet received the attention it deserves in many companies. The reason is understandable: the regulations are complex, the terminology technical, the classification issues legally demanding, and many SMEs simply lack the internal resources required for a thorough compliance analysis. At the same time, the law applies not only to AI developed in-house, but also to AI functions purchased or integrated into third-party software, significantly broadening its scope for SMEs.
In addition, there is a structural challenge: Unlike the GDPR, which essentially required organizational and procedural adjustments to existing data practices, the AI Act demands a deep technical understanding of the systems used. Anyone who doesn't know whether the AI module in their ERP software influences credit decisions, whether the recruiting tool uses AI screening, or whether the chatbot processes personal data to influence purchasing decisions cannot conduct a sound risk classification. The first and most urgent action for every medium-sized company is therefore a complete inventory of all AI systems used within the company, including AI functions in standard software. This AI inventory step is not optional; it is the legally mandated prerequisite for all further compliance measures.
More than just a regulation: How compliance with the AI Act becomes a decisive competitive advantage
Governance as a strategic architecture, not as a bureaucratic obligation
The core of the EU AI Act is not the system of fines, however substantial the sanctions may be. It is the requirement for a genuine AI governance structure that makes AI decisions within the company accountable, transparent, and comprehensible. The regulation requires the appointment of an AI compliance officer or the creation of a comparable responsibility, the establishment of an internal AI governance body, regular risk reports and audits, and ethical guidelines for the use of AI.
These requirements sound like bureaucratic red tape, and for many smaller companies, implementation will indeed involve considerable organizational effort. However, viewed from a strategic perspective, they essentially describe the infrastructure that any company wishing to use AI responsibly and sustainably would need to build. A company that doesn't know which AI systems it's using, what decisions these systems are making, and how those decisions can be reviewed is not only exposed to regulatory risks. It's operating a technology it blindly trusts, with all the risks that this entails in critical business processes.
The sanctions structure and what it means in practice
A closer look at the penalty system reveals that the EU AI Act is structured according to a three-tiered principle, reflecting the severity of the infringement. The most severe penalties are imposed for violations of the prohibited AI practices outlined in Article 5: up to €35 million or seven percent of global annual turnover, whichever is higher. Violations of the high-risk requirements carry fines of up to €15 million or three percent of annual turnover. False or misleading statements to authorities are punishable by fines of up to €7.5 million or 1.5 percent of turnover.
These figures put the costs of compliance in a completely different light. A medium-sized company with €50 million in annual revenue that commits a high-risk violation could face a fine of up to €1.5 million. By comparison, professional compliance consulting and the implementation of the necessary governance structures cost a fraction of that. For an internationally operating company with billions in revenue, the fines can reach a level that threatens its very existence, even if the company is otherwise financially sound. The regulatory risk costs of non-compliance exceed the implementation costs of compliance in almost all realistic scenarios.
Who benefits from the new regulation?
It would be one-sided to describe the EU AI Act solely as a cost burden and a source of risk. Companies that invest early in compliance infrastructure and internally understand it as a quality standard for their AI use will gain tangible competitive advantages. Customers, especially institutional clients and public sector clients, will increasingly value a supplier's ability to demonstrate the responsible use of AI when awarding contracts. In the B2B sector, CE marking for AI systems is becoming a quality indicator that builds trust and limits liability risks.
Furthermore, regulation compels companies to confront their AI systems, something many have previously avoided. Those who create a comprehensive AI inventory, conduct risk classifications, and establish governance processes gain transparency into their technological operations, resulting in better management decisions, reduced error rates, and greater trust among all stakeholders. Compliance is not an end in itself, but rather a byproduct of good corporate governance in the AI age.
The practical timetable for the remaining months
For companies that haven't yet begun systematic preparation, time is short, but it has not yet run out. The recommended implementation roadmap begins with an immediate inventory of all AI systems within the company, followed by a risk classification of each system according to the criteria of the AI Act. The second step involves clarifying responsibilities: What role does the company play—provider, operator, distributor, or importer—and what specific obligations arise from this? In parallel, governance structures, documentation processes, and internal monitoring mechanisms should be established.
By spring 2026, at least the basic governance structures should be established, contracts with AI suppliers reviewed, and complaint procedures defined. By August 2026, transparency obligations for AI-generated content must be implemented, and all relevant measures under Article 50 of the AI Act must be fulfilled. Collaboration with specialized consulting firms is particularly recommended for medium-sized companies without in-house AI legal expertise. Automated monitoring tools that continuously check and document compliance not only facilitate implementation but also significantly reduce long-term compliance operating costs.
Between regulation and innovation: Europe's path into the AI era
The EU AI Act reflects a fundamental political conviction that distinguishes Europe from other AI regulatory approaches: that technological progress and the legal protection of fundamental rights are not opposites, but must be considered together. Whether this approach strengthens or hinders Europe in the global AI race is a legitimate and difficult question with no easy answer. What is already clear today is that regulation is coming, that the deadlines are real, and that companies that take it seriously are in a better position than those that wait.
For Xpert.Digital and similar companies in the field of digital transformation and B2B technology consulting, the EU AI Act presents a strategic opportunity. The ability to guide clients through the compliance process, correctly classify AI systems, establish governance structures, and demonstrate responsible AI use will become a key area of consulting in the coming years. Companies investing in this expertise today will be well-positioned to support their clients in a regulatory landscape that will become even more complex in the years to come. The EU AI Act is not the end of unrestricted use of AI; it is the beginning of a mature, responsible AI economy in Europe.