The August 2 Deadline: What Becomes Enforceable
The EU Artificial Intelligence Act entered into force on August 1, 2024, with a phased implementation timeline. The prohibited AI practices took effect on February 2, 2025. General-purpose AI model obligations began on August 2, 2025. But the most operationally demanding requirements — those governing high-risk AI systems under Annex III — become enforceable on August 2, 2026.
This deadline affects every organization deploying AI systems in contexts the regulation classifies as high-risk. Unlike the prohibited practices (which target a narrow set of clearly harmful AI applications), the high-risk classification captures AI systems that are widely deployed across industries. The operational impact is orders of magnitude larger.
What Qualifies as High-Risk
The AI Act defines high-risk AI systems through two mechanisms. Article 6 establishes classification rules based on whether the system falls under existing EU product safety legislation (Annex II) or serves purposes listed in Annex III.
Annex III high-risk categories include AI systems used in biometric identification and categorization, management and operation of critical infrastructure, education and vocational training (access, evaluation, proctoring), employment, workers management, and access to self-employment (recruitment, performance evaluation, task allocation), access to essential private and public services (credit scoring, insurance pricing, emergency dispatch), law enforcement (risk assessment, polygraph, evidence analysis), migration, asylum, and border control management, and administration of justice and democratic processes.
The breadth of this classification means that an AI-powered recruitment screening tool, a credit scoring algorithm, an AI system managing electricity grid operations, and a law enforcement risk assessment tool all fall under the same high-risk compliance framework — despite serving entirely different sectors.
The Compliance Requirements
Providers of high-risk AI systems must satisfy requirements across six compliance domains before placing their systems on the EU market or putting them into service.
Risk Management System: A continuous, iterative process that identifies, evaluates, and mitigates risks throughout the system’s lifecycle. This is not a one-time assessment but an ongoing obligation that must be documented and updated as the system evolves.
Data Governance: Training, validation, and testing datasets must meet quality criteria including relevance, representativeness, accuracy, and completeness. Organizations must document data provenance, preparation processes, and any biases identified and mitigated.
Technical Documentation: Comprehensive documentation must describe the system’s intended purpose, design specifications, development process, performance metrics, and known limitations. This documentation must be prepared before the system enters the market and maintained throughout its lifecycle.
Human Oversight: High-risk systems must be designed to allow effective oversight by natural persons. Oversight mechanisms must enable the human to understand the system’s capabilities and limitations, monitor operation, interpret outputs, and intervene or override when necessary.
Accuracy, Robustness, and Cybersecurity: Systems must achieve documented levels of accuracy appropriate to their intended purpose, demonstrate robustness against errors, faults, and attempts at manipulation, and implement cybersecurity measures proportionate to the risks.
Conformity Assessment: Before market placement, providers must complete a conformity assessment demonstrating compliance with all requirements. For most Annex III systems, this is a self-assessment based on internal controls. However, certain biometric identification systems require third-party assessment by notified bodies.
After completing the conformity assessment, providers must affix CE marking, register the system in the EU high-risk AI database, and establish post-market monitoring systems.
Advertisement
Enforcement and Penalties
Member states must designate national competent authorities responsible for AI Act enforcement. Penalties for non-compliance with high-risk requirements reach 15 million euros or 3% of global annual turnover, whichever is higher. For prohibited practices, penalties escalate to 35 million euros or 7% of turnover. For providing incorrect information to authorities, fines reach 7.5 million euros or 1% of turnover.
These penalty structures are calibrated to be significant even for large technology companies. For SMEs and startups, the regulation provides proportionate obligations, but the fundamental compliance requirements remain.
What Organizations Should Do Before August 2
Six preparation steps define the critical path. First, inventory all AI systems and classify them according to the Act’s risk categories. Second, for systems identified as high-risk, assess the gap between current documentation and practices and the regulation’s requirements. Third, implement risk management systems as continuous processes, not one-time exercises. Fourth, review and document data governance practices for training and validation datasets. Fifth, design and implement human oversight mechanisms appropriate to each system’s risk profile. Sixth, complete conformity assessments and prepare for EU database registration.
Organizations that have not begun this process face an increasingly compressed timeline. The conformity assessment alone — including technical documentation, testing, and internal audit — typically requires four to six months for complex AI systems.
Global Ripple Effects
The EU AI Act creates regulatory gravity that extends beyond European borders. Any organization deploying AI systems that affect people in the EU must comply, regardless of where the provider is established. This extraterritorial reach mirrors the GDPR’s impact on global data protection practices.
Several jurisdictions are developing AI regulation frameworks influenced by the EU approach. The UK’s AI Safety Institute conducts risk assessments for frontier models. Singapore’s AI governance framework uses a risk-based approach similar to the EU’s classification system. Canada’s proposed Artificial Intelligence and Data Act shares the EU’s focus on high-impact systems.
For multinational technology companies, the EU AI Act is becoming the de facto compliance baseline — building to EU standards and deploying globally is often more efficient than maintaining separate compliance regimes per jurisdiction.
The Classification Debate
The high-risk classification system has generated significant industry debate. Critics argue that the broad Annex III categories capture systems where actual risk varies enormously — a simple automated resume screening tool and a complex autonomous recruitment decision system face the same regulatory burden despite fundamentally different risk profiles.
The European Commission has the power to update the high-risk classification through delegated acts, and ongoing guidance from the AI Office is expected to clarify edge cases. But for August 2026, organizations must classify based on the current Annex III text — waiting for clarification is not a compliance strategy.
Frequently Asked Questions
Does the EU AI Act apply to companies outside Europe?
Yes. The regulation applies to any provider placing an AI system on the EU market or putting it into service in the EU, regardless of where the provider is established. It also applies to deployers of AI systems located within the EU and to providers and deployers located outside the EU when the output produced by their AI system is used in the EU. Algerian companies selling AI-powered products or services to EU customers must comply.
What is the difference between prohibited and high-risk AI under the Act?
Prohibited AI systems (Article 5) are banned entirely — these include social scoring by governments, real-time biometric identification in public spaces (with narrow exceptions), and manipulative AI that exploits vulnerabilities. High-risk systems (Annex III) are permitted but must meet strict compliance requirements: risk management, data governance, technical documentation, human oversight, accuracy and robustness standards, and conformity assessment before market placement.
How much does EU AI Act compliance cost?
Costs vary dramatically based on system complexity and organizational maturity. The European Commission’s impact assessment estimated compliance costs for high-risk systems at 6,000 to 7,000 euros for the conformity assessment procedure, plus ongoing costs for risk management, documentation maintenance, and post-market monitoring. However, for complex AI systems requiring significant technical documentation and testing, total compliance costs can reach hundreds of thousands of euros, particularly for the first system assessed.
Sources & Further Reading
- EU AI Act Implementation Timeline — AI Act Portal
- Article 6: Classification Rules for High-Risk AI Systems — AI Act Portal
- EU AI Act 2026 Updates: Compliance Requirements — Legal Nodes
- The EU AI Act: 6 Steps to Take Before August 2026 — Orrick
- EU AI Act 2026 Compliance Guide — Secure Privacy
- Timeline for Implementation of the EU AI Act — AI Act Service Desk
