Anyone who has read articles on the EU AI Act in recent months knows the pattern: a standard assessment of the regulation's significance, a rundown of the four risk classes, peppered with some shocking numbers on potential fines, and some kind of 'get active now' call to action. Sounds urgent, which is probably why it gets read so well. But an honest assessment sounds somewhat different. What is usually missing is a question that would be crucial for every mid-sized company: What does the AI Act actually bring that's really new for us - and what would have been necessary anyway?
Clearing up this question is more important than the hundredth repetition of the risk classes. Because the AI Act fits into an existing European regulatory framework that has already imposed certain requirements in many areas. Anyone who has seriously implemented GDPR (General Data Protection Regulation), who respects product liability law, who respects consumer protection and anti-discrimination law, has already fulfilled part of the AI Act requirements. What really comes on top needs to be determined much more precisely - and relieves some companies more than the shrill headlines suggest.
Before we get to this differentiation, though, we should briefly talk about what the AI Act actually is, how it works, and what deadlines apply.
Disclaimer: I am not a lawyer. Against this background, I cannot issue legally binding recommendations.
The Architecture of the AI Act in Three Sentences
The AI Act (officially Regulation (EU) 2024/1689) entered into force on 1 August 2024; entry into force is not the same as application, which is staggered (more on that below). It does not regulate AI as such, but AI systems that are placed on the market, put into service, or used in the EU - regardless of where the provider is based, and including providers outside the EU whose system's output is used in the EU. It follows a risk-based approach with four classes:
- prohibited applications (such as social scoring by authorities),
- high-risk systems (such as AI in critical infrastructure, education, employment, essential services),
- systems with transparency obligations (such as chatbots, deepfakes),
- and finally systems with minimal risk that are not subject to any special obligations.
In addition, there is a separate category for general-purpose AI (GPAI) - that is, the large general-purpose models like GPT, Claude, or Gemini. These models are regulated separately because they are increasingly becoming a building block of countless downstream applications and therefore carry their own transparency and documentation obligations.
The penalties are high. Up to 35 million euros or 7 percent of global annual turnover, whichever is higher, for prohibited practices - above GDPR's 20 million euros or 4 percent. For SMEs and start-ups, the lower of the two amounts applies (Article 99(6)), but even for them a serious violation can be expensive.
The Timeline - and Current Delays
The most important characteristic of the AI Act is its staggered application. It does not take effect on a single date, but in several waves. This is a relief for companies - but also a trap, because many underestimate the transition periods.
The most important dates at a glance: since 2 February 2025, the prohibitions on certain AI practices and the AI literacy obligation (employees who work with AI must be appropriately trained) apply. Since 2 August 2025, the obligations for GPAI models apply, and by the same date the member states had to designate their national supervisory authorities. The bulk of the high-risk provisions was scheduled to apply from 2 August 2026. In November 2025, however, the Commission presented the so-called Digital Omnibus package, which proposes to tie the start of some high-risk obligations to the availability of supporting harmonised standards. In plain language: if the necessary technical standards are not ready in time, parts of the law's application would be postponed. This is a legislative proposal, not yet law: it needs the approval of Parliament and Council, and its content may change on the way; until then, the dates in the regulation stand. From 2 August 2027, the obligations for AI components in products already covered by EU product legislation (such as toys or medical devices) apply, and further detailed deadlines run from 2028 to 2030.
For an SME, this means: the pressure is real, but it is not as acute as sometimes portrayed. It is worthwhile to actively track the status of postponements, rather than rushing into your own compliance initiative whose requirements may still change.
What Was Already Regulated Before
This is where the really interesting question comes in. What the AI Act regulates is not all genuinely new. Much of it was already covered by other EU regulations, and a company that is already operating cleanly there has already done a substantial part of its AI Act compliance.
GDPR has regulated the handling of personal data since 2018. If an AI system processes personal data - and many do - all GDPR requirements continue to apply: legal basis for processing, transparency to data subjects, data minimization, purpose limitation, right to information, data protection impact assessment. The AI Act does not change that. It supplements it. A company that has a proper GDPR architecture is already well along the way with high-risk AI systems.
Product liability law has long held manufacturers liable for defective products, and anyone who builds AI into a product is affected by this. A faulty AI component in an industrial control system is already covered by product liability today, completely independently of the AI Act. The revised Product Liability Directive (EU) 2024/2853, which entered into force in December 2024 and must be transposed by member states by December 2026, moreover explicitly treats software, including AI systems, as a product.
Anti-discrimination law already prohibits personnel decisions, credit granting, or insurance offers from being discriminatory on the basis of protected characteristics - whether made by humans or algorithmically. Whoever uses an AI-assisted application pre-screening was already not allowed before the AI Act to design it in a way that systematically disadvantages women or older applicants. That continues to apply.
Consumer protection and transparency obligations also already existed for many different areas. Whoever operates a chatbot was already not allowed before the AI Act to pretend it is a human being. Whoever makes solely automated decisions with legal or similarly significant effects on individuals was already bound by GDPR Article 22 and the associated information duties.
Sector-specific law in finance, medicine, transport, and other regulated industries has long had requirements that capture AI applications. A medical imaging procedure with AI support had to already comply with the Medical Device Regulation, long before the AI Act came along.
When you add all this up, you'll find: the vast majority of what the AI Act requires supplements existing law rather than replacing it. A company that is reasonably set up on GDPR, product liability, consumer protection, and sectoral regulation has a significant head start.
What's Really New
So the question is: what does the AI Act actually add that did not already apply before? Here are the most important genuine innovations.
First, the risk classification itself. Before the AI Act, there was no systematic obligation to classify AI systems by risk. The fact that an application pre-screening AI counts as a high-risk system and triggers a specific set of obligations is conceptually new. The classification requirement initially seems trivial, but it has practical consequences: in practice, every company must determine, for each AI system it offers or uses, which class it falls into, and document that determination - a provider that considers an Annex III system not to be high-risk after all must document its reasoning explicitly.
Second, the Fundamental Rights Impact Assessment (FRIA). GDPR knows the data protection impact assessment (DPIA) for risky processing. The AI Act introduces a further impact assessment with the FRIA (Article 27), which addresses not just data protection but fundamental rights in general. It is not owed by every deployer of a high-risk system, but by public bodies, private entities providing public services, and deployers using high-risk AI for creditworthiness assessment or for life and health insurance pricing. Where it applies, it comes on top of the DPIA - a considerable additional documentation burden, although the AI Act allows the FRIA to build on an existing DPIA rather than duplicate it.
Third, conformity assessment before market entry. Unlike GDPR, which relies primarily on ongoing accountability, the AI Act requires a conformity assessment before a high-risk system is placed on the market. That is a genuine shift: not post-hoc control, but prior review. This resembles product safety law more than GDPR. One caveat: for most Annex III systems this is a self-assessment by the provider (internal control), with the provider then drawing up an EU declaration of conformity and affixing the CE marking; third-party assessment by a notified body is mandatory mainly for biometric systems under certain conditions and for AI embedded in products whose sectoral rules already require it.
Fourth, specific GPAI obligations. Providers of general-purpose models must prepare technical documentation, adopt a policy to comply with EU copyright law, publish a sufficiently detailed summary of the content used for training, and cooperate with the AI Office and national authorities; models classified as posing systemic risk face additional evaluation, risk-mitigation and incident-reporting obligations. This is a form of regulation that simply did not exist before, because such models did not exist in this form. It will be interesting to watch how OpenAI, Anthropic, Google - and particularly Meta - handle the requirements.
Fifth, AI literacy. Article 4 requires providers and deployers to ensure that staff who operate or use AI systems on their behalf have a sufficient level of AI literacy, taking into account their role and the context of use. The obligation is formulated vaguely, but it is new - no other EU law imposes a comparable training obligation for a specific technology class.
Sixth, separate supervisory structures. The AI Act is enforced by market surveillance authorities, not by data protection authorities as such. At the EU level, the AI Office was created within the Commission; in the member states, notifying authorities and market surveillance authorities had to be designated. Which body that is varies by country - some member states have made their data protection authority the market surveillance authority, and for high-risk systems used in law enforcement, border control and similar areas the AI Act itself assigns that role to the data protection authorities. Either way, this is a non-trivial new institutional build-out.
These six points are what's really new. Everything else - transparency, risk management, documentation, human oversight - are extensions or specifications of existing requirements.
Where It Gets More Complex
One point deserves special attention, because it unsettles many SMEs: the relationship between GDPR and the AI Act. Both regulatory frameworks apply in parallel when an AI system processes personal data - which is the case with most AI applications.
In practice, this means: if you use AI software that processes employee data, you must comply with both GDPR and the AI Act. Both have their own authorities (data protection authorities for GDPR, market surveillance authorities for the AI Act), which may or may not be the same body depending on the member state. Both can impose fines. The AI Act does not strictly exclude parallel fines for one and the same act, but Article 99(7) requires the authority setting the amount to take into account fines already imposed by other authorities for the same activity or omission. Different violations under the two laws can certainly both be sanctioned.
GDPR preparation is therefore a prerequisite, but not a substitute for AI Act compliance. If you have properly implemented GDPR, you have a better standing - but you have not yet done all your homework. What comes on top are the six points mentioned above: risk classification, FRIA (in addition to DPIA), conformity assessment, GPAI obligations (if relevant), AI literacy, and taking both mentioned supervisory authorities into account.
What You Should Assess Now
What does this mean for a mid-sized company? Three simple steps to prepare:
First, a simple inventory of the AI systems actually in use in the company - from marketing tools to recruiting software to AI-assisted code review. Many companies do not even know how many AI components are already in use, including those embedded in SaaS products they already pay for. Without an inventory, no classification is possible.
Second, an initial classification into the risk classes. Which of the systems in use could be high-risk systems? Which fall into the transparency category? Which play only a minor role? This classification does not need to be perfect at first; it needs to happen, and it needs to be revisited as usage changes. For most SMEs, the vast majority of systems will not count as high-risk, and that is an important insight.
Third, a gap analysis against your existing compliance status. Anyone who takes into account the aspects already familiar from GDPR can now specifically check which AI Act-specific requirements are actually newly added. With the help of this examination, diffuse concerns that arise around the subject can be converted into concrete tasks and actions.
What is certainly not required: panicking into expensive consulting before you have clarified your own situation. The AI Act is a compliance topic, not an existential one - at least for most companies that do not develop or deploy high-risk systems. Whoever keeps a cool head and cleanly draws the distinction between 'really new' and 'necessary anyway' will get through the transition period far more relaxed than whoever follows the general alarmism.
