Key insights: EU AI Act 2026: What Mid-Sized Companies Need to Know

Frequently asked questions about EU AI Act 2026: What Mid-Sized Companies Need to Know

Do we need a designated AI officer?

There is no one-size-fits-all substitute for clear ownership: often a named lead with deputy suffices — aligned with your organisation. High-risk contexts require stronger QM-style evidence.

How do we label AI-generated content?

Where transparency duties apply, users should recognise AI — format depends on channel (UI hint, footer, voice disclosure). Internal guidelines prevent inconsistent practice.

Must we log ChatGPT answers?

For high-risk or decision-adjacent flows, document purpose, inputs and human review — technically via tickets or governance tools; avoid storing unnecessary personal data.

What if our product is high-risk AI?

Clarify provider vs deployer obligations, implement risk management and documentation — involve counsel; we supply architecture and logging foundations.

How does the AI Act relate to GDPR?

Both apply in parallel — AI Act focuses on risk/market rules; GDPR protects personal data; map data flows and legal bases jointly.

When do GPAI duties affect us?

Timelines are phased — confirm effective dates for your provider tier and model generation against the Official Journal text.

What about open-source models?

Roles and documentation duties still matter — open weights are not a free pass for high-risk deployment without governance.

Which technical basics matter first?

SSO/MFA for AI tools, secrets management, data classes for RAG, minimal logging and human escalation paths.

Topics & Topic Pages

Browse all expert topics by service in our Topics overview. For project-related consulting and our service portfolio, see Services. Key terms are explained in our IT Glossary.