Two texts, two scopes
First, two points of vocabulary that prevent confusion.
The EU AI Act is the European regulation 2024/1689 on artificial intelligence. It classifies AI systems into four risk levels and imposes obligations that differ by level. It is the substantive text.
The Digital Omnibus is a European legislative package proposed by the European Commission in November 2025 to amend the EU AI Act's application calendar. A provisional political agreement on this package was reached on 7 May 2026 between the Parliament and the Council. It postpones certain deadlines and extends protections to Small Mid Caps. Not a deregulation, a recalibration.
The central principle, use matters more than technology
The EU AI Act does not classify an AI system by the technology it embeds. It classifies it by its context of use. The same tool can shift from one regulatory category to another depending on what you do with it.
A generic conversational chatbot sits in limited risk. The same chatbot, plugged into a platform that pre-screens job applicants, shifts into high risk.
That nuance is what creates the blind spot. Many leaders believe they sit in minimal risk while they are already operating decision-driving systems that are classified as high risk, without knowing it and without documenting anything.
Three answers, one category. And the category can shift with every new use case grafted onto an existing tool.
The four AI Act risk levels
Level 1, unacceptable risk
The prohibited practices listed under Article 5 have been applicable since 2 February 2025. No negotiation, no path to compliance.
Prohibited in the European market:
- Social scoring
- Subliminal or cognitive manipulation
- Exploitation of vulnerabilities linked to age, disability or socio-economic status
- Real-time remote biometric identification in public spaces by law enforcement
- Sensitive biometric categorisation (race, opinions, religion, sexual orientation)
- Emotion recognition in the workplace and in education
- Predictive policing of individuals
- Untargeted scraping of facial images
The Digital Omnibus has added two new prohibitions, applicable from 2 December 2026:
- AI-generated CSAM (Child Sexual Abuse Material) content
- Nudification tools (generation of non-consensual intimate images)
Penalty: up to EUR 35 million or 7 % of global annual turnover, whichever is higher.
Level 2, high risk
This is where the blind spot lives. The majority of decision-shaping AI projects deployed in Europe fall under high risk without leaders always being aware of it.
Annex III of the regulation lists 8 broad categories of use cases classified as high risk:
- Human resources (CV screening, interview scoring, algorithmic monitoring of employees)
- Credit and financial services (credit scoring, automated banking onboarding)
- Insurance (automated pricing in life and health)
- Justice and democratic processes (judicial decision support, AI in electoral processes)
- Critical infrastructure (traffic management, water and energy networks)
- Education (admissions, automated grading, algorithmic fraud detection)
- Healthcare (diagnostic support, emergency triage, AI medical devices)
- Migration, asylum and border control, and law enforcement (recidivism risk assessment, profiling)
Penalty: up to EUR 15 million or 3 % of global annual turnover.
Application dates: 2 December 2027 for standalone Annex III systems; 2 August 2028 for systems integrated into regulated products under Annex I (lifts, toys, machinery, medical devices). These dates stem from the Digital Omnibus postponement.
Level 3, limited risk
A single obligation, transparency (Article 50), applicable from 2 August 2026. The person must know, without ambiguity, that they are interacting with an AI or that a piece of content has been produced by AI.
In scope:
- Chatbots and conversational assistants
- Deepfakes (generated or manipulated images, videos, audio)
- Generative content published on matters of public interest
- Emotion recognition systems outside the workplace and outside schools
- Lawful biometric categorisation
Penalty: tier 2 of Article 99, up to EUR 15 million or 3 % of global annual turnover.
A leader who fails to disclose that a chatbot, a deepfake or a piece of generative content is AI-produced is exposed to the same penalty ceiling as a breach of the Level 2 high-risk obligations.
Level 4, minimal risk
No specific AI Act obligation applies to this category. Typical examples:
- Anti-spam filters
- Generic writing copilots
- Spell-checkers
- Basic e-commerce recommendations
General law still applies:
- GDPR (General Data Protection Regulation), up to EUR 20 million or 4 % of global annual turnover
- Labour law, consumer law, intellectual property
The cross-cutting obligation every leader overlooks
Article 4 of the EU AI Act requires every provider and deployer to ensure a sufficient level of AI literacy among its staff and among anyone acting on its behalf. This obligation has been applicable since 2 February 2025.
It moves under active supervision by national authorities on 2 August 2026.
Concretely, from that date, a leader must be able to demonstrate that an AI literacy plan has been structured. Who trains whom. On what. At what frequency. With what traceability.
For Belgian organisations of 20 employees or more, this plan fits into the mandatory annual training plan under the law of 3 October 2022.
It is the least costly obligation to implement, and the first one that will be inspected. With the postponement of high-risk obligations to end-2027, it is highly likely that the first interventions from national authorities will come, in practice, through AI literacy.
Three deadlines shape the next 18 months
2 August 2026: AI literacy, transparency for chatbots and deepfakes, and GPAI (General Purpose AI) penalties become enforceable.
2 December 2026: new Article 5 prohibitions (CSAM, Child Sexual Abuse Material, and nudification) and watermarking compliance for generative systems already on the market.
2 December 2027: standalone Annex III high-risk obligations become applicable.
The obligations that switch on in August 2026 cannot be retrofitted in a few weeks.
How to position yourself between SME, mid-cap and Small Mid Cap
Three categories of companies, three thresholds, one core question: which relief regime applies to you.
SME: fewer than 250 employees, turnover below EUR 50 million or balance sheet below EUR 43 million. European reference definition (Commission Recommendation 2003/361/EC).
Mid-cap: between 250 and 4,999 employees, turnover below EUR 1.5 billion or balance sheet below EUR 2 billion. French definition under the 2008 Loi de modernisation de l'économie, used as a reference across the EU for mid-sized companies.
Small Mid Cap (SMC): up to 750 employees, turnover below EUR 150 million or balance sheet below EUR 129 million. New category created by the agreement of 7 May 2026.
How they fit together in practice:
- An SME is always an SMC (below 250 employees, therefore below 750)
- A mid-cap company with fewer than 750 employees and below the turnover thresholds is an SMC
- A mid-cap company above 750 employees or above the turnover thresholds is not an SMC
It is this SMC threshold that opens a new operational window for many French, Belgian and other European mid-caps that believed themselves to be outside the SME perimeter.
A new window for Small Mid Caps
The agreement of 7 May 2026 extended to Small Mid Caps the relief measures previously reserved for SMEs.
- Simplified technical documentation
- Penalty modulation against the lower ceiling
- Priority access to national regulatory sandboxes
A large share of European mid-caps that believed themselves outside the SME perimeter now fall into this relief regime.
The four-workstream plan
Four workstreams to run in parallel over the next 90 days.
Workstream 1, inventory and classification: map every AI system deployed, internal and external. Classify each one using the 3-question test. Deliverable: an AI systems register with provisional classification.
Workstream 2, AI literacy: define the scope (employees, contractors, suppliers), tailor content by level (leaders, managers, operational staff, support functions), set up traceability, issue participation certificates. Deliverable: a versioned literacy plan.
Workstream 3, transparency: audit undisclosed touchpoints, prepare disclosures, schedule watermarking compliance for 2 December 2026. Update Terms of Use, service notices and supplier contracts. Deliverable: a touchpoint matrix with status and compliance date.
Workstream 4, governance: designate an AI Act lead, structure documentation under Articles 9, 10 and 11. Deliverable: a governance charter and a version 0 technical file for each high-risk system.
The Mestiza Lab™ hybrid delivery model
Mestiza Lab™ runs the full AI Act compliance programme. For legally binding instruments (drafting Terms of Use, supplier contracts, contractual addenda and delegation clauses), Mestiza Lab™ coordinates with a partner law firm specialised in the EU AI Act. The client keeps a single point of contact. Legal compliance is delivered by the partner law firm under Mestiza Lab™ coordination.
This setup ensures:
- A single strategic lead on the Mestiza Lab™ side
- Legally binding coverage on the partner law firm side
- A reduced number of providers for the leader to coordinate
Closing thoughts
The EU AI Act will not halt innovation in European companies.
The Digital Omnibus is not a deregulation but a recalibration.
It will force most organisations to structure what they are already doing in a disorderly way.
For leaders who get to work now, it is a competitive advantage. For the rest, it will be a hidden cost that surfaces at the worst possible moment:
- An inspection from national authorities
- A B2B (business-to-business) tender requiring compliance
- A customer incident
- A due diligence audit ahead of a capital event
The real question is not "am I in scope of the EU AI Act?" but "in what context is each of my systems being used, and what have I documented about it?"
AI amplifies what already exists. Regulation does the same.