The European AI Office’s publication of preliminary guidelines on General Purpose AI (GPAI) models on 22 April 2025 marks a significant inflection point in the operationalisation of the EU AI Act. For mid-market companies navigating an already complex regulatory landscape — one that intersects GDPR, AML frameworks, ESG reporting mandates, and enterprise risk management obligations — these developments are not peripheral. They are board-level priorities.
With proposed amendments expanding SME exemptions to entities with up to 750 employees and €150 million in turnover, and with Member States required to establish AI regulatory sandboxes by 2 August 2026, the regulatory architecture is becoming both more defined and more demanding. The window for structured preparation is narrowing.
GPAI Guidelines: Reducing Uncertainty, Raising the Compliance Bar
The draft guidelines released by the European AI Office clarify the obligations applicable to providers of GPAI models — a category that encompasses a broad range of foundation models now embedded in enterprise workflows, from contract analysis tools to automated financial reporting systems. For compliance officers and General Counsel, the key development is the introduction of the AI Act Compliance Checker, a structured tool designed to help organisations self-assess their positioning under the Act’s risk-tiered framework.
This mirrors the approach taken during early GDPR implementation, where supervisory authorities published guidance to reduce interpretive ambiguity. The parallel is instructive: just as GDPR’s Article 35 Data Protection Impact Assessments became standard practice for high-risk data processing, AI impact assessments and bias monitoring protocols are now becoming baseline expectations for high-risk AI deployments.
Critically, providers of AI content generators deployed before 2 August 2026 must label AI-generated outputs by 2 November 2026. This obligation has direct implications for marketing, legal, and financial communications functions — areas where AI-assisted content generation has proliferated rapidly and often without formal governance structures.
SME Amendments and Sandbox Frameworks: A Calibrated Opening
The proposed amendments to the EU AI Act represent a deliberate policy calibration. By extending SME exemptions to companies with up to 750 employees and €150 million in annual turnover, the legislature is signalling that extensive compliance burdens — including mandatory audits, conformity assessments, and registration requirements — should be concentrated among large-scale deployers rather than growth-stage firms.
However, this relief is conditional and bounded. High-risk AI system obligations remain intact regardless of company size where the risk profile warrants them. The introduction of Real-World Testing Agreements for high-risk AI outside formal sandbox environments offers a pragmatic pathway for mid-market firms to pilot systems under regulatory oversight without full pre-deployment compliance costs.
The mandatory establishment of AI regulatory sandboxes by Member States under Article 57 by 2 August 2026 creates a concrete opportunity for companies to engage proactively with national authorities. For corporate governance teams, this is a mechanism worth integrating into innovation roadmaps now — not as a compliance afterthought, but as a strategic asset in managing enterprise risk.
Implications for Business: From Governance to Operational Readiness
For decision-makers across finance, legal, and technology functions, the convergence of EU AI Act requirements with existing data privacy, AML, and ESG reporting obligations creates both complexity and opportunity. The enforcement model — mirroring GDPR’s multilayered oversight structure with the European AI Office and national authorities conducting inspections — signals that regulatory scrutiny will be systematic, not episodic.
Boards and executive teams should prioritise the following:
- AI inventory and risk classification: Map all deployed and planned AI systems against the EU AI Act’s risk tiers before Q4 2025 to identify high-risk obligations and labelling requirements.
- Governance integration: Embed AI compliance into existing corporate governance and enterprise risk management frameworks, rather than treating it as a standalone workstream.
- Sandbox engagement: Identify national sandbox programmes relevant to your sector and begin dialogue with competent authorities ahead of the August 2026 deadline.
- Vendor due diligence: Reassess third-party AI providers — particularly GPAI model vendors — against the new guidelines, updating contractual obligations and data processing agreements accordingly.
- Cross-functional alignment: Ensure CFOs, CTOs, and General Counsel are operating from a shared compliance timeline, particularly given the November 2026 labelling deadline.
Key Takeaway
The April 2025 GPAI guidelines and the proposed SME amendments to the EU AI Act do not simplify the regulatory landscape — they stratify it. For mid-market firms, the net effect is a more navigable framework, but one that still demands structured, proactive engagement. Organisations that treat the August and November 2026 deadlines as distant horizons risk replicating the reactive posture that characterised early GDPR non-compliance. The firms best positioned will be those that begin governance integration, vendor reassessment, and sandbox engagement in the next two quarters.