**German AI Becomes a Documentation Trap for Mid-Sized Enterprises**
On 2 August 2026 the EU AI Act will fully apply to general-purpose AI models. Only 70 days remain before mandatory documentation requirements for general-purpose AI usage in companies take effect, including the ChatGPT, Copilot and Claude licences that many DACH SMEs already use daily. Starting now keeps the stress low; waiting for summer builds your own audit-finding checklist.
Key Takeaways
- Deadline 2 August 2026: GPAI obligations under the EU AI Act kick in, affecting not only providers but also companies that embed GPAI models into their workflows.
- Mandatory documentation covers four blocks: risk classification per use-case, data-category inventory, human-oversight mechanisms, conformity-assessment records.
- Fine framework: up to €15 million or 3 % of global group turnover, whichever is higher.
- SME trap: ChatGPT Enterprise, Microsoft Copilot and Claude Pro are GPAI; using them for customer communication, HR decisions or contract drafting brings you into scope.
- What matters now: a documented use-case catalogue with risk ratings, an escalation hierarchy for high-risk applications and an internal audit protocol ready for inspection.
What is a GPAI obligation? General-purpose AI models (GPAI) are AI systems such as ChatGPT, Microsoft Copilot or Claude that are designed for broad tasks. From 2 August 2026, companies embedding such models into production workflows must classify, document and monitor their use cases, regardless of whether they are providers or users.
Why the GPAI obligations will catch many SMEs off guard
Public debate on the EU AI Act has long focused on high-risk systems such as biometric identification or credit scoring. The GPAI obligations – the rules for general-purpose AI models – have often been dismissed as a “provider issue.” That is only half true. Providers such as OpenAI, Anthropic or Mistral must supply model cards, training-data summaries and systemic-risk assessments. Yet the real operational headache lands on the user side.
Once a company embeds a GPAI model into a production workflow – whether a ChatGPT plug-in in the CRM, a Copilot in contract management or a bespoke RAG system on Claude – it becomes an AI system under the regulation. This triggers duties on risk classification, transparency, oversight and documentation. Most DACH SMEs we have recently surveyed believe they fall under the “user” category and are largely exempt. That misconception could prove costly come August.
The four documentation blocks that now need to be established
Block 1 – Use-case inventory with risk classification. Every AI-powered application in the company must be recorded: which task is supported, which model is used, what data flows in, which business unit uses it, and how binding is the output? This leads to classification into one of four risk classes – “minimal,” “limited,” “high,” or “prohibited.” The classification drives everything that follows.
Block 2 – Data-category documentation. Which personal, business-critical, or confidential data types are fed into the AI system? This inventory intersects with GDPR topics but goes beyond them: non-personal data categories such as draft contracts, source code, or strategic plans must also be documented – including whether the model is permitted to use them for training.
Block 3 – Human-oversight mechanisms. For each use case it must be clear who reviews the AI output, who may escalate, and who ultimately takes responsibility. For limited-risk cases, spot checks often suffice. For high-risk applications – such as personnel decisions or credit assessments – a documented four-eyes rule with a traceable escalation path is required.
Block 4 – Conformity-assessment records. This is the audit-ready folder: vendor model cards, internal risk assessments, implemented measures, and training certificates. A scattered Excel sheet is not enough – regulators expect an orderly structure proving the company took its obligations seriously.
Three use-case examples from DACH mid-market companies
Example A – CRM with ChatGPT plug-in for mail drafts: a mechanical-engineering company in Baden-Württemberg lets its sales staff generate draft replies to customer inquiries via a ChatGPT-Enterprise plug-in. Risk: minimal to limited. Obligations: document the use case, conduct spot checks, notify customers if AI-generated text is sent without review.
Example B – Pre-selection of job applicants with Microsoft Copilot: a mid-sized IT services provider uses Copilot to sort incoming applications against qualification criteria. Risk: high – personnel decision. Obligations: document bias testing, enforce four-eyes rule for rejections, inform applicants, keep conformity assessment audit-ready.
Example C – Contract drafting with Claude Pro: a trading company generates contract clauses via Claude-Pro interactions. Risk: limited – yet clauses are sent without final legal review. Obligations: define escalation hierarchy, audit output samples, clearly mark AI-assisted contract sections in internal documentation.
“The EU AI Act is not the next GDPR disaster – but it will put exactly those companies under pressure who believed AI licenses automatically confer compliance. The regulator’s sample checks will arrive, and they will ask for documentation.”
What needs to be in place by 2 August
Six operational steps that can fill 70 days over the summer – or run in the background for ten weeks:
- Use-case inventory across the entire organisation – record every AI-supported workflow, including shadow usage.
- Risk classification per use-case – internally or with external support.
- Define data-category schema – which data types may feed which models, and at what protection level?
- Set human-oversight obligations – who reviews what, and with what response time?
- Document employee training – regulators will check whether staff know what they’re using.
- Compile conformity-assessment folder – a central repository where all evidence is collected.
Mid-sized companies with 200–500 employees and three to five productive AI use-cases typically need eight to twelve weeks to complete these six steps cleanly, provided the project has a clear owner. Without a named responsible party, the initiative risks fizzling out over the summer.
Frequently Asked Questions
Does the EU AI Act also apply to non-EU companies?
Yes – as soon as an AI system is placed on or used in the EU market, the AI Act applies regardless of the provider’s or user’s headquarters. DACH firms with subsidiaries in Switzerland or the UK must still meet their obligations for EU operations.
What happens if the 2 August deadline is missed?
The obligations kick in automatically. Violations can trigger fines of up to €15 million or 3 % of global group turnover, whichever is higher. EU supervisory authorities have already begun their sampling programmes.
Is a compliance declaration from the AI vendor sufficient?
No. Responsibilities are split: providers must supply model cards, training-data summaries and systemic-risk assessments, while users must document, classify and monitor their own use-cases. An OpenAI or Microsoft compliance statement only covers the provider side.
Will the BSI provide concrete templates?
The BSI is preparing a GPAI application guideline expected by mid-July; it will include templates for the four documentation blocks. Those unwilling to wait can draw on existing ENISA materials and recommendations from national data-protection authorities.