LinkedIn ran hot today. Compliance apocalypse, doomsday posts, consulting firms selling their packages in capslock headlines. My inbox this morning: twelve messages from mid-sized companies asking whether they need to shut down their AI pilots on 2 August 2026. The answer is no. They do not need to shut down. But they should invest one focused hour today - not tomorrow, not in July.
The EU AI Act has been in force since August 2024. Its main application stages are known, prepared, and communicated. What actually happens this Wednesday is not the surprise arrival of an unannounced regulation. It is the next milestone in a multi-year, calibrated rollout. Anyone who has been paying attention for the last 24 months is ready. Anyone caught off guard has confused the headlines with reality. That applies to both camps - the alarmists and the head-in-the-sand crowd.
This text is a sober assessment. It is long because the subject is long. It is concrete because most of today's posts were not. It differentiates between startup, SME, Mittelstand, and large corporation, because a high-risk conformity assessment for a three-person team means something different from what it means for a DAX-listed conglomerate. And it calls the thing by its proper name: Robotic & AI Governance is not compliance theatre. It is the precondition for autonomous systems to earn trust in a democratic society. That is the thesis behind everything that follows.
Let us start with the facts that shifted in recent weeks and that are missing from most of today's posts. On 19 November 2025 the European Commission proposed the digital omnibus package, a set of targeted amendments to streamline the AI Act. On 7 May 2026 the Council and the European Parliament reached political agreement. On 13 May 2026 the final compromise text was published. The result: central high-risk obligations have been time-shifted. Not because Brussels caved, but because the supporting infrastructure - harmonised standards, notified bodies, market surveillance authorities - is not yet broadly in place. That is grown-up regulatory practice, not retreat.
Concretely: the Chapter III high-risk obligations originally scheduled for 2 August 2026 have been postponed. Standalone high-risk systems under Annex III now apply from 2 December 2027. AI systems embedded as safety components in products covered by sectoral EU safety legislation under Annex I apply from 2 August 2028. That is the single most important correction to today's panic narrative. A mid-sized company using an HR tool with AI-supported applicant screening - a classic Annex III case - has eighteen months, not six weeks, to get its conformity assessment in order. That is relevant. That is calming. That changes the priority list.
What does take effect on 2 August 2026 is the transparency layer. Article 50 becomes operative: labelling obligations for AI chatbots, deepfakes, AI-generated content in public communication, emotion recognition, and biometric categorisation. Generative AI systems already on the market before 2 August 2026 receive a four-month grace period until 2 December 2026 for the Article 50(2) watermarking obligation. That is the operational reality of this week. Nothing more, nothing less.
In parallel, the GPAI obligations that have been in force for general-purpose AI model providers since August 2025 continue to run. The EU AI Office published draft guidelines on high-risk classification on 19 May 2026 and draft guidelines on Article 50 transparency on 8 May. Providers of generative systems who sign the Code of Practice on Transparency benefit from streamlined supervision and reduced administrative burden. The list of signatories will be published in July 2026, ahead of the Article 50 application date. None of this was in most of today's LinkedIn posts either.
On 11 June 2026 - six days ago - the German Bundestag passed the AI Market Surveillance and Innovation Promotion Act, known as KI-MIG. It still needs to clear the Bundesrat, but the target is clear: entry into force before 2 August. The KI-MIG is Germany's national implementing law for the AI Act. It adds no new substantive obligations; it designates competent authorities and creates enforcement infrastructure.
Three points matter operationally. First: the Federal Network Agency (BNetzA) becomes Germany's central AI supervisory and market surveillance authority outside regulated sectors. Sectoral oversight remains in place - BaFin for AI in finance, BfArM for AI in medical devices, the Federal Data Protection Commissioner (BfDI) for data protection and biometric systems. If your company already deals with one of these authorities, nothing new to look up.
Second: a new body called KoKIVO is being set up - the Coordination and Competence Centre for the AI Regulation, housed at BNetzA. It operates a free AI Service Desk for companies, with particular focus on SMEs. Compliance questions can be raised at a low threshold. This is a structure that is unusual for Germany and one that I have been calling for in keynotes for years. Whether it delivers operationally remains to be seen. But the architecture is right.
Third: KoKIVO runs AI regulatory sandboxes where new applications can be tested under supervisory guidance. SMEs and startups have priority access. Every Member State must establish at least one such testing environment by 2 August 2027. This is a real innovation opportunity, not marketing.
What I appreciate about the German solution: it does not delay, it does not over-centralise, and it creates a clear contact point. What I see critically: the DIHK rightly noted that the emphasis is on administration rather than on supporting innovation. That is the classic German trap, and the KI-MIG risks reproducing it unless KoKIVO acts proactively and quickly.
The AI Act follows a risk-based approach with four tiers. This is the central architecture, and it is decisive, because 90 percent of all AI applications in German companies do not fall into the top two tiers.
Prohibited systems under Article 5 have been banned since February 2025. These include social scoring by public authorities, manipulation through subliminal techniques, exploitation of vulnerabilities, untargeted scraping of facial images from the internet, real-time remote biometric identification in public spaces with narrowly defined exceptions. The omnibus package added an explicit prohibition of AI systems generating child sexual abuse material or non-consensual intimate content, with a compliance deadline of 2 December 2026. If you are not building or deploying such systems, this tier is irrelevant to you. Full stop.
High-risk systems under Annex III form the operationally most important tier for the German Mittelstand. These include AI-supported recruitment and HR decisions, automated creditworthiness assessment, AI in quality control with safety-relevant impact, predictive maintenance in critical production processes, AI in critical infrastructure, AI in education and law enforcement. Providers and deployers must hold full technical documentation, a risk management system, a conformity assessment, and where applicable CE marking by 2 December 2027. Systems placed on the market before that date and operated without significant design changes benefit from grandfathering - a point absent from today's posts and one that significantly eases the compliance profile of many legacy installations.
Annex I systems, that is, AI as safety component in products already subject to sectoral EU safety legislation - machinery, medical devices, lifts, in-vitro diagnostics, civil aviation - apply only from 2 August 2028. The omnibus package also sharpened the high-risk definition: an AI system qualifies as a safety component only if its intended purpose is to prevent or mitigate risks to human health and safety or property. This refinement removes pressure from the system without lowering the protection standard.
Limited risk systems form the second most important category for most companies. Article 50 applies here from 2 August 2026: chatbots, deepfakes, AI-generated content, emotion recognition, biometric categorisation. The point is not prohibition, it is transparency. Users must know they are speaking with an AI. Synthetic media must be identifiable. This is not a technical heavy lift. It is a sign, a notice, a watermark. Companies that already communicate honestly will face minimal additional effort.
Minimal risk means no specific obligations under the AI Act. Spam filters, translation tools, e-commerce recommendation systems, simple chatbots without decision authority, AI in video games, intelligent weather forecasting. This is by far the largest category. Companies operating here have nothing to do beyond the general competence obligation under Article 4 - more on that in a moment.
The only AI Act obligation that already affects every company today is Article 4: AI literacy. Anyone deploying AI must ensure that staff working with it have a sufficient level of competence, knowledge, and understanding. This has applied since February 2025. The omnibus package did not weaken Article 4 but clarified it as an obligation of effort, not of result. The AI Board will issue recommendations, including common learning objectives.
What does this mean in practice? A documented training concept, regular awareness sessions, clear accountability. It does not require external certification. But it must be demonstrable. A manager who cannot produce training records in the event of an audit has a problem. This is the homework that every CEO should put on the desk this evening.
The fine ceilings sound dramatic. Up to 35 million euro or 7 percent of global annual turnover for violations of the prohibited practices catalogue. Up to 15 million euro or 3 percent for violations of most other obligations, including Article 50. Up to 7.5 million euro or 1.5 percent for false or misleading information provided to authorities. The EU AI Office can additionally impose periodic penalty payments of up to 5 percent of average daily income or daily turnover for each further day of non-compliance. A five-year limitation period applies.
That is the headline. The reality is more differentiated and worth knowing. First: the lower amount always applies. A company with 20 million euro turnover and an Article 50 violation risks a maximum of 600 000 euro, not 15 million. Second: the omnibus package explicitly stipulates that Member States must consider the interests of SMEs and startups in the penalty framework, with specific adjustments. Third: penalty proceedings require intent or negligence. They are not strict liability. Fourth: the German KI-MIG provides for the low-threshold service desk - a clear signal that BNetzA will advise first and sanction later, as long as companies cooperate.
For Mittelstand companies that act cooperatively, document their work, and visibly engage with the topic over the coming months, the practical sanction risk is very low. For those who ignore, wait, and have no answers if an audit comes, it is high. That is the real distribution. It does not fit in a panic headline.
Differentiation is everything here. A consultancy selling every client the same 30-point compliance plan has missed the point. Here are the four realistic paths.
If you are building an AI product, the AI Act is not a burdensome obligation for you. It is a market-ordering framework that arguably protects you more than it burdens you. You compete in a market where large players can no longer deploy data and models at will. That is good for you. Practically: clarify today which risk class your product falls into. If you sit in limited or minimal risk, you only need transparency notices by 2 August. If you fall under high-risk, you have until 2 December 2027, but start with a light documentation framework now. You have priority access to AI sandboxes. Use them. The Service Desk is free. Ask there first, before paying four-figure consulting fees while your picture is still unclear.
This is the core customer base for the AI Service Desk. You probably use several AI tools - Microsoft Copilot, Google Workspace AI, a CRM with AI features, perhaps an HR tool with a preselection algorithm. Your risk profile is heterogeneous. First task by end of July: an AI inventory. A table with three columns - tool, risk class, internal owner. Second task: check Article 50 labelling wherever you deploy chatbots, generative content, or voice systems. Third task: document Article 4 training. If an HR tool is used for preselection, that is Annex III - but you have until December 2027 for that. Do not delay, but do not panic either.
It gets more complex here. You almost certainly operate at least one high-risk system, often several. Predictive maintenance in production, AI-driven quality control, HR tools, creditworthiness scoring in B2B sales. You need an AI governance structure: a named owner, an inventory, a risk management framework for high-risk systems, an audit trail. This is not trivial, but it is doable. Today you should designate a person to structure the topic through end of 2026. That person does not need to be full-time on it but needs a clear mandate and 20 percent capacity. The grandfathering provision for systems that remain on the market without significant design change before 2 December 2027 is your operationally most important lever. Take stock now, plan a version freeze, decide deliberately which systems migrate into grandfathering before the cutoff and which move into full compliance after.
This has presumably been on your agenda for 18 months. If not, you have a problem larger than the AI Act. The requirements are clear: enterprise-wide AI inventory, governance board, clearly defined pathways for foundation model provider relationships, contracts with GPAI providers that regulate disclosure duties and liability, conformity assessment for all Annex III systems, post-market monitoring plans as living documents. Add the interactions with GDPR, NIS2, the Cyber Resilience Act, and sectoral regulation. Compliance here is not a sprint but a running programme. The relevant point: large corporations should not discuss compliance today but strategic options. The omnibus package creates a one-stop-shop supervision regime for GPAI-based systems where model and system come from the same provider. That is an architectural question with consequences for make-or-buy decisions, vendor strategy, location choice. Here Robotic & AI Governance becomes a strategic differentiator, not a cost line.
So this text is more than an assessment, here is a concrete seven-point list for the next six weeks. It is deliberately short. More is fine, but this here is the non-negotiable minimum.
More is good, but this is not negotiable. Companies that tick off these seven points by end of July are in the top tier of compliance readiness in Germany - not because the programme is particularly ambitious but because the majority of Mittelstand firms have not even completed step one.
Anyone treating the AI Act as a compliance burden alone has missed the leverage. Robotic & AI Governance - the term I have worked with for years and that I deliberately keep unified rather than splitting into Robotic Governance and AI Governance - is the institutional answer to the fact that autonomous systems now make decisions in domains where humans alone used to decide. Hiring. Lending. Quality control. Logistics. Care. Education. A society that performs this shift without an ordering framework risks losing trust. A society that performs it with a framework creates the conditions for Generation R - the generation growing up with robots and AI as a given - to find its place in a democratic, value-oriented industrial nation.
This is also why the Magnifica Humanitas encyclical of May 2026 and the AI Act are two voices in the same conversation. The encyclical lays the anthropological foundation - human dignity is not delegable. The AI Act lays the regulatory operationalisation - accountability, transparency, risk gradation. Thinking one without the other misses both. I have laid out the encyclical's implications in the analysis of Magnifica Humanitas. The broader ordering framework in which all of this fits together I have developed in the foundational text on Robotic Governance. Today's LinkedIn posts mostly ignore this dimension. They talk about fines, not about trust. They talk about obligations, not about purpose.
A note on the discourse climate. The AI Act is not perfect. It is in places over-regulatory, in others gappy. The omnibus package addressed several of the sharpest criticisms - the timing shift on high-risk obligations, the SME adjustments on sanctions, the integration with sectoral safety law. There is work left. But the path is recognisably pragmatic. Anyone writing today that the AI Act destroys European AI either has not read the final compromise text of 13 May or has interests other than the truth. Both are legitimate as market positions, but neither is information.
One table. Three columns. Tool, risk class, owner. If you have nothing yet: 30 minutes, now. If you already have something: review, extend, date it. This one hour is the most important AI hour of your year. It is concrete. It is doable without consulting fees. It is the foundation for everything else.
Then, tomorrow morning, a second hour: who owns this? One person, one mandate, a recurring slot in the calendar every four weeks, one hour each, for the next twelve months. That is the minimum programme. More is good. Less is negligent.
I have called them Generation R for years - the generation growing up with robotics and AI not as innovation but as a given. An eight-year-old today speaks with language models as a matter of course, sees autonomous logistics in port operations, knows drones above agricultural fields. That child will enter the labour market in twelve years. They will ask questions we cannot yet adequately answer. They will want to know why we allowed systems to decide whose logic no one can any longer reconstruct. They will want to know why we did not set standards sooner.
The AI Act is the imperfect but real European answer to that coming question. It makes us globally the region with the highest regulatory ambition for AI systems. That is not a burden. That is a position. A position that makes visible our ability to handle autonomous systems in a pluralistic, democratic, ageing industrial society. Anyone who has understood this does not see 2 August 2026 as a threat but as a milestone.
We knew it was coming. Now it is here. It is not as bad as many say today. But there is moderate action required. That is the honest story. It does not fit in a capslock headline. It fits in a long text. Here it is.
This article does not constitute legal advice. It offers expert assessment from the perspective of a professor of business informatics specialising in Robotic & AI Governance. Legal evaluation of any individual case is the responsibility of qualified lawyers, particularly those specialising in IT law, data protection law, and product safety law. The content reflects the state of knowledge as of 17 June 2026 and takes into account the final compromise text of the digital omnibus package of 13 May 2026 and the KI-MIG passed by the German Bundestag on 11 June 2026, which at the time of publication had not yet been considered by the Bundesrat. Changes are possible. Binding information is provided by the competent authorities, in particular the Federal Network Agency (BNetzA) through KoKIVO and the sectoral supervisors BaFin, BfArM, and BfDI.
On that date the transparency obligations of Article 50 of the AI Act become operative. This covers labelling for AI chatbots, deepfakes, AI-generated content in public communication, emotion recognition, and biometric categorisation. The Chapter III high-risk obligations originally scheduled for that date were postponed by the digital omnibus package to 2 December 2027 (Annex III) and 2 August 2028 (Annex I). Generative AI systems already on the market before 2 August receive a four-month grace period for watermarking until 2 December 2026.
Theoretically yes, practically very unlikely. The lower amount always applies between absolute sum and turnover percentage. A company with 20 million euro turnover facing an Article 50 violation risks a maximum of 600 000 euro, not 15 million. The omnibus package explicitly requires Member States to consider the interests of SMEs and startups in the penalty framework, with specific adjustments. Penalty proceedings require intent or negligence. Companies that act cooperatively and document their work face a very low sanction risk.
Standalone high-risk systems under Annex III must meet full obligations from 2 December 2027 - technical documentation, risk management system, conformity assessment, CE marking, post-market monitoring. Embedded AI as a safety component in Annex I products applies from 2 August 2028. Systems on the market before these dates without significant design change benefit from grandfathering and become subject to full compliance only upon substantive modification.
The AI Market Surveillance and Innovation Promotion Act was passed by the German Bundestag on 11 June 2026. It is Germany's national implementing law for the EU AI Act. It designates the Federal Network Agency (BNetzA) as the central AI supervisory and market surveillance authority outside regulated sectors and establishes KoKIVO, the Coordination and Competence Centre for the AI Regulation. KoKIVO operates a free AI Service Desk and organises AI regulatory sandboxes. The law still requires Bundesrat approval, with entry into force targeted before 2 August 2026.
The Federal Network Agency becomes the central contact for AI compliance questions outside regulated sectors. Sectoral authorities retain their competence: BaFin for AI in finance, BfArM for AI in medical devices, BfDI for data protection and biometric systems. At EU level, the EU AI Office holds exclusive supervisory and enforcement competence for AI systems built on GPAI models where model and system come from the same provider - the so-called one-stop-shop oversight from the omnibus package.
You must clearly and visibly inform users on first interaction that they are communicating with an AI. A note such as 'Powered by AI' alone is not sufficient. The 'obvious context' is not enough either as a reason to omit the notice. The information must precede the first real exchange, be clearly worded, and be visible. This applies from 2 August 2026. Penalties for violations reach up to 15 million euro or 3 percent of annual turnover - whichever is lower.
Article 4 obligates all providers and deployers of AI systems to take appropriate measures so that staff working with AI hold the necessary level of AI literacy. This obligation has applied since February 2025 and covers every company deploying AI - regardless of risk class. The omnibus package clarified Article 4 as an obligation of effort, that is, a duty to make reasonable efforts rather than to guarantee a result. What you need: a documented training concept, regular awareness sessions, a participant list. External certification is not required, but demonstrability is.
Build a light compliance foundation today. Concretely: clarify your risk class, document technical decisions, keep an eye on data provenance, write a short model card for each production model. That costs a few hours per month and protects you from significant rebuild work later. You have priority access to the BNetzA AI sandboxes. Use them. The AI Service Desk is free. Ask your questions there before engaging a consulting firm. And keep Article 4 in mind - the competence obligation has applied since February 2025, including to you.
Build an AI inventory with three columns: tool, risk class, internal owner. Most of these tools fall into minimal or limited risk. Check whether you deploy AI-generated content in customer communication - if yes, you need visible labelling from 2 August 2026. Check whether any tool is used for applicant preselection or HR decisions - that would be Annex III and high-risk, but you have until 2 December 2027 for that. Document Article 4 training. Use the free AI Service Desk at BNetzA for concrete questions.
The digital omnibus package introduced a transitional mechanism: high-risk systems already on the market before the date of application of Chapter III - 2 December 2027 for Annex III, 2 August 2028 for Annex I - become subject to full obligations only when they undergo a significant design change after that date. This is a significant lever for the Mittelstand. Existing systems running in current design enjoy grandfathering. What 'significant design change' precisely means will be clarified through guidelines. Operationally this means: take stock today, plan deliberately which systems you keep stable before the cutoff and which you move into full compliance after.
The Code of Practice on Transparency is a voluntary commitment for providers and deployers of generative AI systems to meet the AI Act transparency obligations and go beyond Article 50. Signatories benefit from focused supervision, higher legal certainty across the EU, and reduced administrative burden. The list of signatories will be published in July 2026. Signing is particularly worthwhile for companies offering or extensively deploying generative AI products, because the code becomes a consistent implementation compass. Registration is via the EU AI Office signatory form.
Both regulations apply in parallel but are constructed differently. The GDPR governs the processing of personal data - it is data-centric. The AI Act governs the placing on the market and operation of AI systems - it is shaped by product safety law. Overlap is the rule, not the exception. An HR tool with AI-supported preselection is simultaneously a GDPR case and an Annex III high-risk case. You therefore need both compliance threads thought together. In practice, the data protection officer and the AI accountable owner should talk to each other, ideally in the same governance forum.
AI regulatory sandboxes are environments in which companies can test new AI applications under supervisory guidance in real-world conditions before full compliance obligations apply. In Germany, KoKIVO at BNetzA organises these sandboxes. Every Member State must establish at least one such testing environment by 2 August 2027. SMEs and startups have explicit priority access. Real-world testing outside the sandbox is also possible for certain high-risk systems. This is a real innovation opportunity - with regulatory backing rather than legal uncertainty.
The digital omnibus package gave the EU AI Office exclusive supervisory and enforcement competence for AI systems built on GPAI models, where model and system come from the same provider. This one-stop-shop architecture significantly reduces regulatory fragmentation because providers no longer need to coordinate with different national authorities across 27 Member States. For integrated providers - typically the large foundation model providers - this is a clear simplification. For Mittelstand deployers it means clarity in the supply chain: the GPAI provider is directly accountable to the EU AI Office, not the downstream user.
GPAI obligations cover providers of general-purpose AI models - foundation models usable across a wide range of tasks. They have applied since August 2025. Providers must supply technical documentation, ensure copyright and data-provenance transparency, publish model cards covering capabilities and limitations, and for systemic-risk models conduct additional safety tests including adversarial testing. Mittelstand deployers using GPAI models via API are not subject to GPAI obligations themselves, but can contractually require disclosure and cooperation rights that ease downstream compliance.
The digital omnibus package introduced an important simplification for AI-enabled machinery. These previously fell under both the Machinery Regulation and the full high-risk AI Act obligations - a double compliance burden. Under Article 2(2) of the AI Act, only limited provisions now apply to AI-enabled machinery. The Commission will clarify by 2 August 2027 which systems are precisely affected and which requirements are dropped. For machine builders this is a noticeable relief, without lowering safety. Other product-safety sectors such as medical devices or lifts retain dual compliance as a baseline, with exceptions where sectoral rules already provide equivalent or higher protection.
The AI Act is one of the central instruments of Robotic & AI Governance, but it is not the whole. Robotic & AI Governance is the broader ordering framework that combines regulatory instruments such as the AI Act with ethical standards, technical norms, organisational governance, and societal deliberation into a coherent architecture. The AI Act addresses the regulatory dimension. Standards such as VDA 5050 or IEEE TechEthics initiatives address the technical-organisational dimension. Anthropological documents such as the Magnifica Humanitas encyclical address the normative foundation. Only together do these three layers produce a viable ordering framework for Generation R.
The EU AI Act applies directly in all Member States - it requires no national law to take effect. If KI-MIG does not pass the Bundesrat before 2 August 2026, the EU-level obligations remain effective. What would be missing is the German enforcement architecture: the formally designated market surveillance authorities, the AI Service Desk, the sandboxes. The Federal Network Agency could act in practice, but the formal legal enforcement basis would be weakened. In practice a pragmatic transitional solution would probably be found. But it would be a credibility hit that it is in everyone's interest to avoid.
Typical Annex III high-risk applications in companies include: AI-supported applicant screening and HR decisions, automated creditworthiness assessment in B2B and B2C, AI in quality control with safety-relevant impact, predictive maintenance in critical production processes, AI in law enforcement and migration control, AI in education at evaluation or admission stages, remote biometric identification. A full list with practical examples is in the draft guidelines on classification of high-risk AI systems that the Commission published on 19 May 2026.
The AI Act distinguishes between provider and deployer. A provider develops an AI system or has it developed and places it on the market under its own name or brand. A deployer uses an AI system under its own authority - they operate it. The obligations differ substantially. Providers bear the main load on technical documentation, conformity assessment, and risk management. Deployers must operate the system as intended, keep records, perform safety and fundamental rights assessments, and inform users. Anyone who substantially modifies a purchased tool or rebrands it becomes a provider themselves and assumes full provider liability.
For startups and SMEs I recommend first contacting the free AI Service Desk at the Federal Network Agency and building your own AI inventory. External consulting becomes worthwhile if you operate or provide a high-risk system under Annex III or Annex I, if you operate at corporate scale, if you bring an AI product to market, or if legal questions overlap with GDPR, product safety, or sectoral regulation. For simple AI use with standard tools such as Microsoft Copilot, Google Workspace AI, or common CRM AI features, external consulting is not initially needed - a clearly structured internal approach implementing this checklist is enough.
Dominik Bösl
Olympiastrasse 6a
DE-86179 Augsburg
E-Mail info@boesl.org
Imprint Privacy Policy ©2024 | Dominik Bösl. All rights reserved.