EU AI Act for mid-market companies.
Practical EU AI Act exposure mapping for mid-market operators. Vendor stack classification, customer data flow audit, EU AI Act risk classification against the Act categories, and a 90-day sequencing plan. Operating guidance, not compliance theatre.
The headline timing and penalties.
The EU AI Act's main obligations on high-risk AI systems take effect on 2 August 2026. General-purpose AI model obligations are already in force. Penalties for breaches scale up to 35 million EUR or 7 percent of global annual turnover, whichever is higher.
| Date | Obligation | Who it affects |
|---|---|---|
| Already in force | General-purpose AI model transparency and disclosure | Anyone deploying GPAI models in EU operations |
| 2 February 2025 | Prohibited AI practices (social scoring, predictive policing, manipulation, etc.) | Any provider or deployer in the EU market |
| 2 August 2026 | Main obligations on high-risk AI systems (Annex III categories) | Providers, importers, distributors, and deployers of high-risk AI |
| 2 August 2027 | Obligations on AI systems embedded in regulated products (medical devices, machinery, toys, etc.) | Manufacturers covered by EU product safety law |
Denmark was the first EU member state to implement the Act, with Law No. 467 introducing criminal penalties for breaches. Other member states are catching up at different speeds.
Three doors. Most US mid-market companies have walked through two of them already.
EU AI Act exposure for US and Nordic mid-market companies usually enters through three doors at once. Most companies have already crossed two of them without noticing. Mapping the doors is the first practical step toward operating clarity.
- Door one: vendor tools in your stack that have added AI features. Your CRM scores leads. Your HR platform ranks candidates. Your support tool talks to customers. If any of those AI features touch EU data, the Act applies. Most companies have not catalogued which of their vendors have AI components.
- Door two: customer or employee data flowing into your AI-enabled tools. Remote workers in the EEA. EU customer pipeline. Any AI-touched performance review of someone in the EU. This door tends to be obvious in legal review and invisible in operating practice.
- Door three: product features that ship into the EU market. If your product itself includes AI capability and is sold or made available in the EU, the Act applies to that AI as a product placed on the EU market. Risk classification determines obligations.
For the long-form breakdown including a first-week response for each door, read The EU AI Act Has Three Doors.
Where high-risk AI sits in the Act.
Annex III of the Act defines eight categories of high-risk AI systems. Most mid-market AI activity touches at least two of these categories indirectly through the vendor stack. Classification determines the obligations that apply.
| Annex III Category | Examples of AI in scope | Likely mid-market exposure |
|---|---|---|
| Biometrics | Remote identification systems, emotion recognition (where permitted) | Low for most mid-market, higher in retail and physical security |
| Critical infrastructure | AI controlling utilities, transport, traffic | Low unless operating in energy, transport, telecom |
| Education and vocational training | AI used in admissions, evaluation, assessment | Moderate where AI grading or candidate ranking is used |
| Employment, workers' management, access to self-employment | AI in hiring, ranking, evaluation, work allocation | High. Most ATS and HR platforms now have AI features |
| Access to essential services | AI in credit scoring, insurance pricing, welfare, emergency dispatch | High for financial services and insurance |
| Law enforcement | AI in profiling, polygraph alternatives, evidence evaluation | Specialised, mostly not mid-market |
| Migration, asylum, border control | AI in visa decisions, border risk profiling | Specialised, not typically mid-market |
| Administration of justice and democratic processes | AI in legal interpretation, electoral influence | Specialised, not typically mid-market |
Most mid-market companies are surprised to discover their HR, ATS, or customer-support platforms have added AI features that classify into Annex III without an internal owner.
Who this work fits.
EU AI Act readiness work fits mid-market operators with practical operating accountability for the outcome. The work is not philosophical; it produces a baseline that a CISO, COO, or CFO can act on within 30 days.
US companies with EU customer exposure. Most US scaleups discover they have EU exposure through customer data flows, EU remote employees, or features that ship into the EU. The Act applies; the only question is which doors are open.
Nordic mid-market with EU and global customer base. Denmark moved first on national implementation. Other Nordic countries are tracking. Nordic mid-market companies serve EU customers by default and are often the first regulator-pressured operators in their portfolios.
PE-backed companies with regulator exposure. Operating partners running value-creation plans where regulatory clarity is a precondition for the next funding round, IPO readiness, or strategic sale.
Regulated industries. Healthcare, financial services, defence, energy. Sector regulators are increasingly cross-referencing AI use against EU AI Act categorisation.
The practical first 30 days.
The single most useful EU AI Act work in the first month is not a legal opinion. It is operating visibility into where exposure already sits. Five concrete steps any mid-market operator can complete in 30 days with the right people in the room.
- Inventory every AI-enabled commercial software vendor in the stack. For each, document the AI feature, the data subjects it processes, and the risk category under Annex III. This is a one-day exercise with the right people.
- Map customer and employee data flows touching the EEA. Every AI-enabled tool gets a two-column row: AI system / data subjects it processes. Wherever EU data flows in, the Act applies.
- Classify product AI features. If your own product includes AI capability, the legal team probably already has a workstream. Ensure that workstream sits at the intersection of legal and product with a single accountable owner.
- Identify the operating sponsor. The work needs a CEO, COO, CFO, or board-level owner. Compliance ownership without operating sponsorship will not produce visible change inside the engagement window.
- Pick the first remediation. From the inventory, pick the single highest-likelihood, highest-impact gap. Close it within 60 days. Run the playbook on the next gap from there.
How Bragi engages differently.
Most EU AI Act work in the market comes from one of two places. Either a legal firm produces an opinion document, or a compliance consultancy produces a policy framework. Neither approach gives the operating team something they can act on inside the next 30 days. Bragi sits in the seam.
| Dimension | Legal firm | Compliance consultancy | Bragi |
|---|---|---|---|
| What you get | Legal opinion + risk register | Policy framework + training | Operating baseline plus first remediation in motion |
| Who reads it | General counsel | Compliance officer | CEO, COO, CFO, CISO |
| Cadence | Project-based opinion | Multi-month build | Four-week diagnostic, optional retainer continuation |
| Anchor | Article-by-article interpretation | Policy library completeness | Vendor exposure heatmap and operating decisions |
| Output | Memo | Framework documentation | Scored baseline plus prioritised 90-day plan |
Bragi delivers EU AI Act exposure mapping through an AI Vendor Exposure Heatmap that classifies every commercial AI tool in your stack against the Act risk categories. The work produces a baseline an executive team can act on, plus a sequencing recommendation for the first 90 days. The intent is practical operating clarity, not compliance theatre.
EU AI Act is not a one-time project.
Compliance posture decays. New vendors get added. New AI features ship. The risk classification of an existing tool can shift when the vendor adds an Annex III-relevant capability. Most mid-market companies do not have a senior operating function watching this in real time. That is what a Fractional Chief AI Officer engagement absorbs.
Always-on governance. Vendor decisions, EU AI Act exposure changes, and policy updates run on a continuous cadence rather than annual review cycles.
Programme integration. EU AI Act work sits inside the same operating rhythm as the rest of the AI programme. No separate governance silo, no policy framework that nobody reads.
Board and regulator-ready reporting. Quarterly read-outs that the board and external auditors can review without translation.
Learn more about the Fractional Chief AI Officer engagement.
Questions leaders ask first.
Do US companies need to comply with the EU AI Act?
The EU AI Act applies to any AI system that affects individuals in the EU, regardless of where the operating company is headquartered. US companies are typically in scope if any of three things are true: they have EU customers, they have EU remote employees, or their product ships AI features into the EU market. Most US mid-market companies have at least one of these exposures.
When do the main obligations take effect?
The main obligations on high-risk AI systems take effect on 2 August 2026. General-purpose AI model obligations are already in force. Obligations on AI systems embedded in regulated products take effect 2 August 2027. Companies that operate AI in the EU market should be operationally ready before August 2026 to avoid the regulator-led catch-up window.
What are the penalties?
Penalties for breaches of the EU AI Act scale up to 35 million EUR or 7 percent of global annual turnover, whichever is higher, for the most serious infringements. Lower tiers apply for obligations on high-risk systems and incorrect information provided to regulators. National regulators in member states like Denmark have additional criminal penalties under domestic implementation law.
How do we know if our vendors are in scope?
Vendor scope depends on whether the AI features they have added classify into Annex III categories of the Act and whether those features process data on EU individuals. The practical answer is that any vendor with AI features touching EU customer or employee data is likely in scope. The first job is an inventory: every commercial AI-enabled vendor in the stack, classified against the Act.
Can Bragi do EU AI Act work for non-EU companies?
Yes. Most Bragi EU AI Act work is delivered to US companies with EU customer or employee exposure. The work surfaces three doors of exposure: vendor stack, data flows, and product features. The output is an operating baseline a US leadership team can act on without hiring a Brussels-based regulatory consultancy. Bragi operates from Copenhagen, which gives the work direct access to the Danish AI Act and the broader EEA picture.
Start with a scored baseline.
The four-week BRAGI Assessment includes EU AI Act exposure mapping through the Vendor Exposure Heatmap. Most engagements that include EU AI Act work start here.
Or discuss a Fractional Chief AI Officer engagement directly.