What the EU AI Act Means for Mid-Market Companies — and Why Waiting Is Not a Strategy

Sonia Kentaro

8 min read

The EU AI Act is in force. Prohibitions applied in February 2025. High-risk system obligations are phasing in now. Most mid-market organisations have done very little to prepare — and the window for that to be acceptable is closing.

The EU AI Act entered into force on 1 August 2024. Prohibitions on unacceptable-risk AI systems applied from February 2025. Obligations for high-risk systems are now phasing in. And yet most mid-market organisations have done very little to prepare.

This is not ignorance. It is a combination of complexity, competing priorities, and the reasonable hope that someone else will figure out what this means before enforcement fully activates. That window is closing.

What the Act actually does

The EU AI Act is the world's first comprehensive legal framework governing artificial intelligence. It applies to organisations that develop, deploy, or use AI systems in the EU — regardless of where those organisations are based. A company headquartered in Phoenix, Arizona that sells software to EU customers and uses AI in that software is within scope.

The Act introduces a risk-based classification system. AI systems are assigned to one of four tiers: prohibited, high-risk, limited-risk, and minimal-risk. The tier your system falls into determines your documentation obligations, your conformity assessment requirements, your human oversight obligations, and your potential fine exposure.

What high-risk actually means

High-risk is defined in Annex III and is more expansive than most organisations expect. It covers AI used in recruitment and employment decisions, credit and insurance scoring, law enforcement applications, access to education, critical infrastructure management, and systems used in the administration of justice — among others.

If you use an AI tool to screen CVs, score loan applications, flag anomalies in financial transactions, or make automated decisions that affect individuals in material ways, you need to understand whether that system falls within Annex III scope. Many organisations are surprised to discover they have multiple high-risk systems they had not formally identified.

The compliance obligations for high-risk systems

For each high-risk system, the EU AI Act requires technical documentation prepared before deployment and kept current, a systematic risk management process applied throughout the lifecycle, data governance practices ensuring training data is relevant and representative, transparency documentation enabling meaningful human oversight, accuracy and robustness testing, and registration in an EU-maintained public database.

These are not checkbox exercises. Technical documentation for a high-risk AI system is a substantive body of work — comparable in rigour to what a regulated financial institution would produce for a material systems change. For many mid-market organisations, producing this documentation for the first time will require external expertise.

What mid-market organisations should do now

The first step is not compliance. The first step is classification. You cannot manage obligations you have not identified, and you cannot identify them without a structured assessment of your AI system inventory against Annex III criteria.

Start by building a complete inventory of all AI systems your organisation develops, deploys, or uses in ways that affect EU residents. Include systems your third-party vendors operate on your behalf — the Act places obligations on both developers and deployers. Then apply the Annex III criteria to each system to determine its risk classification and the obligations that flow from it.

That assessment gives you a defensible baseline — a documented view of your AI posture that you can present to regulators, auditors, board members, or prospective clients who ask about your AI governance practices.

Why the mid-market opportunity is different

Large enterprises can absorb the cost of prolonged compliance programmes. They have legal teams, compliance functions, and the budget for Big 4 advisory. Mid-market organisations do not have any of those luxuries — but they face the same regulatory obligations.

The organisations that get this right will use their agility as an advantage. A mid-market company that builds credible AI governance early positions itself as a trustworthy counterparty for enterprise clients, regulated-sector buyers, and international partners who are beginning to require AI governance evidence as part of procurement and due diligence processes.

Governance is increasingly a commercial differentiator. The question is not whether to invest in it. The question is when.

Book a free discovery call to discuss what EU AI Act readiness looks like for your organisation.

About author

Sonia is a technology risk and AI governance leader with 12+ years of international consulting experience across PwC, EY, and KPMG, spanning London, East Africa, and the Middle East. She has led complex IT audit, controls testing, and data analytics engagements for major regulated institutions including Lloyds Banking Group, Prudential PLC, Shell, RELX Group, McDonald's, and Tesco. She founded VeridianTech Co. to make enterprise-quality AI governance accessible to mid-market organisations — the companies that need it most and have historically been priced out of it.

Sonia Kentaro

Founder & Principal AI Governance Advisor
