The EU AI Act is no longer a future topic. It's in force, phasing in stage by stage, and 2026 is the year it becomes concrete for most companies. As a Mittelstand leader, you don't need to become a legal expert. You just need to understand enough to make good decisions. Here's the practical version.
What the EU AI Act is
The EU AI Act is the first comprehensive law regulating AI. Instead of regulating AI as one single thing, it sorts AI systems by the risk they pose and attaches obligations to match. The higher the risk to people, the more both the provider and the company deploying the system have to do.
It came into force in 2024 and applies in phases. Some parts already apply, and others land in 2026 and 2027.
The four risk levels, briefly
Unacceptable risk: a small set of AI uses that are simply banned. These prohibitions already apply.
High risk: AI used in sensitive areas like recruitment, worker evaluation, credit decisions, or critical infrastructure. This is the category with real obligations, including documentation, human oversight, transparency, and risk management.
Limited risk: systems like chatbots, where the main duty is transparency. People should know they're dealing with AI.
Minimal risk: the large majority of business AI uses, with no specific obligations.
The honest takeaway for most Mittelstand companies: a lot of everyday AI use sits in the lower tiers. But the moment AI touches hiring, evaluation, or other decisions that affect people, you're likely in high-risk territory, and that changes what you need to be able to show.
The dates that matter
The Act phases in over several years. The prohibitions and the AI-literacy duties already apply, and so do the rules for general-purpose AI models. The next major milestone is in August 2026, when a broad set of high-risk obligations and transparency rules are scheduled to take effect, with further obligations following in 2027.
One thing worth knowing: the exact timing of the high-risk obligations is still being negotiated at EU level and may shift. The sensible posture isn't to wait for a final date. It's to be ready for the version already written into law.
Why this favours on-premise AI
Here's the part that matters for an architecture decision. Almost every high-risk obligation is easier to meet when the AI runs on infrastructure you control.
Documentation and auditability: high-risk use means you have to show how a system works and what it did. A local system with complete, in-house logs makes that straightforward.
Data protection: the Act sits alongside the GDPR. An AI that never sends data outside your network removes a whole category of data-transfer questions before anyone asks them.
Human oversight: the Act expects a person to be able to oversee the system and step in. A helper built around human approval, rather than autonomous action, fits that expectation by design.
A cloud deployment can be made compliant, but it usually means providing assurance across a chain of external processing you don't control. An on-premise deployment starts much closer to where stricter rules want you to be.
A practical posture for 2026
You don't have to solve the EU AI Act all at once. A reasonable approach looks like this. Know which of your AI uses are low-risk and which touch decisions about people. For anything sensitive or regulated, prefer architectures that keep data and logs in-house. And treat documentation as something you build in from the start, rather than retrofit later.
How HJALPARI fits
HJALPARI helpers are built for exactly this environment. They run on-premise, every action is logged inside the customer's network, and they're designed around human approval rather than autonomous decisions. That doesn't make your compliance work disappear, but it does mean the AI architecture is working with the regulation instead of against it.
In a regulatory environment that's only getting stricter, that alignment is worth more than raw capability.
This article is a general overview, not legal advice. For your specific obligations, please consult a qualified advisor.