Key Takeaways:

  • From 2026 onwards, all midsize businesses within the EU are legally required to organize their AI use transparently and with proper legal safeguards.
  • The EU AI Act sets strict requirements for AI systems, with risk categories and extensive obligations around training, oversight, privacy, and governance.
  • Fines for violations can reach up to €7.5 million or 1% of turnover, also for midsize organizations.
  • Early and well-organized compliance not only increases legal certainty, but also strengthens innovation capacity and reputation.
  • Practical guidance and accessible AI training are now indispensable, regardless of the extent of AI use.

Table of Contents

  1. What the European AI regulation means for your organization
  2. Why 2026 is a turning point for Dutch midsize businesses
  3. Important AI Act milestones heading into and during 2026
  4. Risk categories: Under which does your AI use fall?
  5. The most important obligations for AI users in 2026
  6. Process automation and AI agent teams: where do we stand?
  7. Enforcement, fines & reputational risk
  8. Practical steps for midsize businesses
  9. How we guide midsize businesses toward compliance
  10. Conclusion
  11. FAQ

What the European AI regulation means for your organization: whether you work with AI or are curious about it

The new year starts with an important moment for Dutch midsize businesses: the official entry into force of the EU AI Act. In 2026, every organization that uses AI, or is considering using it, faces new rules.
Whether you are already experimenting with automation through tools like Copilot or other AI assistants, only use basic digital processes, or are still thinking about taking the first step with AI: 2026 is the year you need to know what the obligations are. The regulation targets everyone in the midsize business sector who uses AI to support business processes, but also those considering AI adoption.
This blog concretely discusses what the EU AI Act means in 2026, which obligations now apply, and how you as a decision-maker in a midsize business can respond. We conclude with practical advice and show how our AI consulting and workflow services guide your organization toward compliance and innovation.

1. Why 2026 is a turning point for Dutch midsize businesses

Previously, AI legislation was only relevant for large technology companies. Now, the EU AI Act applies to all organizations within the EU that deploy AI systems, regardless of their size or degree of automation. Midsize businesses, from around ten employees, also fall under the rules, whether they deploy advanced AI or are only experimenting with automation.

Once an organization applies AI to support or automate processes, it is classified as a "deployer" under the AI Act with clear responsibilities. This applies both to businesses that train their own models and those that use standard SaaS AI applications. Recent research shows that 44% of midsize businesses expect to be impacted by the AI Act, although only 2-3% are actually preparing for it.

Important: In 2026, you are legally required to organize your AI use transparently and with proper legal safeguards. More information can be found at Ondernemersplein.

2. Important AI Act milestones heading into and during 2026

The EU AI Act is being introduced in phases. 2025 is now behind us, and with it the first obligations and prohibitions are already in place:

  • February 2, 2025: Ban on AI systems with unacceptable risk such as manipulative AI and social scoring, plus mandatory AI literacy training.
  • August 2, 2025: Start of enforcement, especially for large language models (foundation models) and AI providers. Stricter documentation requirements took effect.
  • Now, in 2026: From August 2, 2026, the core obligations for AI users take effect. Every midsize business must then comply with stricter requirements around transparency, human review, and documentation according to their risk classification. Especially for high-risk applications, demonstrable safety, fairness, and transparency are required.
  • August 2, 2027: Full implementation: from this point, all systems must be fully compliant.

In short: The awareness phase is behind us; now it's time for implementation and compliance.

3. Risk categories: Under which does your (future) AI use fall?

The AI Act recognizes four risk categories:

  • Unacceptable risk: AI for manipulation, social scoring. Banned since 2025.
  • High risk: Think of AI in recruitment & selection, assessments, credit lending, access to essential services. Strict obligations already apply here.
  • Low risk: Generative AI for internal tasks, simple process automation. Transparency is mandatory.
  • Minimal risk: Spell checkers, trivial assistants. No additional requirements.

In particular, HR processes, financial analyses, and systems that decide on access to services often fall under high risk. Even simple AI applications, such as automation and internal assistants, require at minimum a transparency declaration for employees and users under this legislation.

"AI is not inherently risky, but once your model affects people or money, stricter requirements apply."

4. The most important obligations for AI users in 2026

If you use AI, even if this is limited to standard tools, as a deployer you must comply with, among others:

  1. Transparency: Employees and customers know they are dealing with AI. Communicate purpose, operation, and limitations.
  2. AI Literacy & Training: Employees must be trained in safe, responsible, and critical use of AI. This is mandatory for high-risk AI, strongly recommended for other cases.
  3. Human Oversight: For decisions with significant impact, human control is always required; AI must not be a "black box."
  4. Data & Privacy: Clarity about data use and safeguarding privacy and fairness, for example through bias management and traceable datasets for high risk.
  5. Risk Management & Governance: System knowledge, documentation, classification by risk level, and if necessary a "Fundamental Rights Impact Assessment" (FRIA). See also the Deloitte analysis on governance requirements.
  6. Supplier Contracts: Request compliance certification and document responsibilities.
  7. Registration & Conformity for High Risk: European registration, extensive reporting, and monitoring.

For leaders: Both policy and execution are mandatory; this is no longer a luxury in 2026.

5. Process automation and AI agent teams: where do we stand?

AI no longer only supports text generation, but increasingly takes over tasks in processes such as back-office, (future) customer service, and simple HR analyses. Those now automating with simple AI workflows generally fall within low risk, but must ensure transparency and control.
Are you considering teams of AI agents that recognize patterns or make decisions in the future? Then the higher requirements apply once these agents make binding choices about people, finances, or essential access.

Note: Having an advanced AI agent team is not a requirement; most businesses are currently automating simpler tasks. But it is important to be aware of this growing trend and the associated framework of obligations.

6. Enforcement, fines & reputational risk

The fines are significant: up to €7.5 million or 1% of annual turnover, including for midsize businesses. Enforcement is in the hands of regulators; however, negligent AI use can lead to more than financial damage: reputational damage often weighs even heavier.

7. Practical steps for midsize businesses (from 2026)

Whether you have already started, are considering AI, or only automate on a limited basis, here is what you need to do now:

  1. Conduct an AI inventory: Map all applications and determine the risk category per system.
  2. Establish policy and governance: Document guidelines, roles, and procedures. Organize continuous oversight.
  3. Achieve transparency and human oversight: Design clear communication about AI use and determine when human intervention is required.
  4. Invest in AI literacy: Provide broad (cross-functional) training, from IT to HR and operations. The European Commission provides guidelines for AI training.
  5. Update supplier contracts: Ensure compliance and the distribution of responsibilities.
  6. For high-risk AI: Start or improve your compliance trajectory now, with extra focus on risk analysis and reporting.

Advice for decision-makers: Those who start early will be legally covered and more future-proof.

8. How we guide midsize businesses toward compliance and AI adoption

We support your organization, even if you work little or not at all with AI, through:

  • AI Assessment: Analysis of processes, risks, and automation opportunities, including risk classification.
  • AI Policy & Governance: Setting up governance, compliance-by-design, and privacy structure.
  • n8n Agent Teams and Workflow Automation: Future-proof automation of processes, fully EU-compliant.
  • Training and Workshops: Practical and accessible training on responsible AI use, for all job functions.
  • Ongoing Guidance: From initial analysis to implementation, monitoring, and support during audits.

Want to learn more? Read about our services or schedule an introductory conversation.

9. Conclusion

2026 is the year in which AI in midsize businesses is officially regulated. For everyone who works with (or is considering) AI, now is the moment to organize policy, training, and governance. This way you not only prevent legal risks, but also strengthen the trust and innovation capacity of your organization.

Do you have questions about the EU AI Act or want to know what this concretely means for your processes? Feel free to contact our experts. We are happy to help you with a practical, safe, and future-proof approach to AI!

For the official text and further information: see artificialintelligenceact.eu.

FAQ

Does the EU AI Act also apply to my business if I only use standard AI tools like Copilot?

Yes, standard AI tools also fall under the law. If you use AI to support business processes, you are a "deployer" under the AI Act. You must at minimum be transparent about AI use toward employees and customers, even with simple tools.

What are the fines for violating the EU AI Act?

Up to €7.5 million or 1% of annual turnover. This also applies to midsize businesses. In addition to financial penalties, negligent AI use can lead to reputational damage, which for many organizations weighs even heavier.

When does my AI use fall under "high risk"?

When decisions about people, finances, or access to services are involved. Think of AI for recruitment & selection, personnel assessments, credit lending, or access to essential services. These systems require extensive documentation, risk analysis, and human oversight.

What is AI literacy and is training mandatory?

Yes, AI literacy has been mandatory since February 2025. Employees who work with AI must be trained in safe, responsible, and critical use. For high-risk AI this is strictly mandatory, for other applications it is strongly recommended.

How do I start with compliance for the EU AI Act?

Start with an AI inventory. Map all AI applications, determine the risk category per system, and establish policy and governance. Invest in training and update supplier contracts. We are happy to help with a quickscan or assessment.