With less than fourteen months until the EU AI Act’s high-risk AI obligations become fully enforceable, regulatory compliance has moved from a legal team agenda item to a board-level priority. For mid-market companies deploying AI in hiring, credit decisioning, biometrics, or customer-facing financial services, the compliance window is narrowing — and the cost of inaction is no longer theoretical.
A Tightening Regulatory Timeline That Demands Immediate Action
The EU AI Act does not arrive as a single deadline. Its obligations have been rolling out in phases since the regulation entered force in August 2024. Prohibited AI practices and AI literacy requirements have applied since February 2025. Governance rules for General Purpose AI models became applicable in August 2025. The final and most operationally demanding tier — high-risk AI system obligations — takes full effect in August 2026.
High-risk classifications under Annex III of the Act cover AI systems used in employment and workforce management, access to essential private and public services, credit scoring, biometric identification, and critical infrastructure. For any organisation operating in these categories, the Act mandates documented risk management systems, technical documentation, automatic logging of system operations, meaningful human oversight mechanisms, and conformity assessment processes before deployment or continued use.
Critically, this framework does not replace existing GDPR obligations. It operates alongside them. Firms whose AI systems process personal data — which describes the vast majority of enterprise AI deployments — now face a dual-regime compliance model that requires coordinated governance across data privacy and AI risk management simultaneously.
From Policy Documents to Evidence-Based Controls
The most significant shift in compliance guidance over recent months is the move away from policy drafting toward operational, evidence-based controls. Regulatory advisors and enterprise compliance platforms are converging on a consistent message: documentation alone is insufficient. What regulators will scrutinise is whether controls are embedded, monitored, and auditable in practice.
For General Counsel and Chief Compliance Officers, this means aligning AI Act requirements with existing GDPR data governance workflows — particularly Data Protection Impact Assessments, which share structural logic with the AI Act’s conformity assessments. For CTOs and engineering leads, it means instrumenting AI systems to produce the audit logs and performance records that both regimes require.
Recommended operational priorities include:
- AI asset inventory and risk classification: Every AI system in use must be catalogued and assessed against the Act’s risk tiers. This is a prerequisite for all downstream compliance work.
- Technical documentation and logging: High-risk systems must maintain automatic logs sufficient to enable post-hoc auditing of system outputs and decisions.
- Human oversight protocols: Governance structures must demonstrate that human review is meaningful, not nominal — a distinction regulators are expected to scrutinise closely.
- DPIA and conformity assessment alignment: Where AI systems process personal data, GDPR DPIAs and AI Act conformity assessments should be integrated into a single governance workflow to avoid duplication and close control gaps.
Material Risk Exposure for Mid-Market Firms
Large enterprises with dedicated legal, compliance, and engineering functions have begun mobilising. The more acute pressure falls on mid-market companies — typically those with 250 to 3,000 employees — that rely on AI-enabled tools for HR, fraud detection, or client onboarding but lack the internal capacity to build compliance infrastructure from first principles.
The financial exposure is substantial. Non-compliance with the AI Act can trigger fines of up to €30 million or 6% of global annual turnover for violations involving prohibited AI practices, with lower but still significant penalties for high-risk system failures. GDPR enforcement, which continues independently, adds further exposure. For mid-market firms, the combined liability risk is a material balance sheet consideration that CFOs and audit committees should be actively quantifying.
Board-level oversight is no longer optional. Enterprise risk management frameworks must now incorporate AI governance as a distinct risk category, with clear ownership, escalation paths, and reporting lines to the audit committee or equivalent body.
Implications for Business Leaders
The convergence of AI governance and data privacy into a unified compliance operating model represents a structural shift in how regulated businesses must manage technology risk. For decision-makers, the near-term imperatives are clear: conduct a comprehensive AI system inventory, assign accountability at the executive level, and begin integrating AI Act controls with existing GDPR and corporate governance frameworks before the August 2026 deadline creates enforcement pressure.
Firms that treat this as a compliance exercise will incur cost. Firms that treat it as a governance maturity opportunity — building audit-ready, transparent AI operations — will be better positioned with regulators, institutional counterparties, and increasingly, with customers.
Key takeaway: The EU AI Act’s August 2026 high-risk deadline is not a distant horizon. For any mid-market firm using AI in regulated use cases, the compliance build must begin now — integrated with GDPR, owned at board level, and grounded in operational evidence rather than policy documentation alone.