1. What is the EU AI Act?

Regulation (EU) 2024/1689, known as the EU AI Act, is the world's first comprehensive horizontal legal framework governing artificial intelligence systems. It was published in the Official Journal on 12 July 2024, entered into force on 1 August 2024, and applies in stages between February 2025 and August 2027, with some transitional arrangements running until 2030.

The AI Act adopts a risk-based approach: AI systems that pose higher risks to fundamental rights, safety or democratic values face stricter requirements. Lower-risk systems are subject only to transparency obligations or voluntary codes of conduct.

Who Does It Apply To?
The AI Act applies to providers (those who develop an AI system, or have one developed, and place it on the EU market or put it into service under their own name), deployers (organisations that use an AI system under their own authority in a professional context), and importers and distributors of AI systems within the EU. It has extra-territorial effect: a provider or deployer established outside the EU is in scope if it places a system on the EU market, or if the output produced by the system is used in the EU (Article 2). A US company serving EU users is therefore subject to the AI Act.

The Act defines an "AI system" broadly (Article 3(1)) as a machine-based system that operates with some degree of autonomy, may adapt after deployment, and infers from the inputs it receives how to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments. This covers not only large language models but also automated decision systems, computer vision tools, biometric systems and recommendation engines.

2. Implementation Timeline

Date: Milestone
1 Aug 2024: EU AI Act enters into force (Regulation 2024/1689 was published in the Official Journal on 12 July 2024).
2 Feb 2025: Prohibited AI practices (Article 5) apply; all unacceptable-risk AI systems must cease operation. The AI literacy obligation for providers and deployers (Article 4) also applies from this date.
2 Aug 2025: Obligations for providers of general-purpose AI (GPAI) models apply (Chapter V), together with the governance provisions (AI Office, AI Board, national authorities) and the penalty provisions. GPAI models already on the market before this date have until 2 Aug 2027 to comply.
2 Aug 2026: General application of the Act. Full obligations apply to high-risk AI systems listed in Annex III (biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration, justice and democratic processes), and the transparency obligations of Article 50 (chatbots, deepfakes, synthetic content) apply.
2 Aug 2027: Obligations apply to AI systems that are safety components of products covered by the Union harmonisation legislation in Annex I (e.g. medical devices, machinery, vehicles, toys).
2 Aug 2030: High-risk AI systems placed on the market or put into service before 2 Aug 2026 are only caught by the Act if their design is significantly changed, but systems intended for use by public authorities must be brought into compliance by this date (Article 111).
Less Than 3 Months to August 2026
The high-risk AI obligations deadline is 2 August 2026. Organisations that have not yet conducted an AI system inventory and risk categorisation must act immediately — compliance assessments, fundamental rights impact assessments and technical documentation can take several months.

3. Four Risk Categories

Category: Description / Obligations

Unacceptable Risk (Prohibited)
Description: AI that uses subliminal or manipulative techniques causing significant harm, exploits vulnerabilities (age, disability, social or economic situation), performs social scoring, or carries out real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (subject to narrow exceptions), among other Article 5 practices.
Obligations: Banned outright since 2 February 2025. Providers and deployers must cease all use immediately.

High Risk (Annex III)
Description: AI in sensitive areas: biometrics, critical infrastructure, education, employment, essential services (credit, insurance, public benefits), law enforcement, migration, justice and democratic processes.
Obligations: Comprehensive obligations: risk management, data governance, conformity assessment, technical documentation, CE marking, human oversight, logging, registration in the EU database, plus deployer duties under Article 26. Deadline: 2 Aug 2026.

Limited Risk (Article 50 transparency)
Description: AI systems that interact directly with people (chatbots), generate synthetic audio, image, video or text, or expose people to emotion recognition or biometric categorisation.
Obligations: Transparency obligations: inform users that they are interacting with an AI system, mark synthetic content in a machine-readable way, label deepfakes. Note that emotion recognition and biometric categorisation systems are also high-risk under Annex III, and emotion recognition in the workplace or in education is prohibited outright. GPAI models are regulated separately under Chapter V regardless of the tier of the system they power.

Minimal Risk
Description: Most AI applications: spam filters, AI in video games, AI-powered search suggestions, inventory management systems.
Obligations: No mandatory obligations. Voluntary adherence to codes of conduct encouraged.

4. Prohibited AI Practices (in force since 2 February 2025)

Article 5 of the AI Act lists AI practices that are banned outright because they are incompatible with EU fundamental rights values: subliminal or purposefully manipulative techniques that distort behaviour and cause significant harm; exploitation of vulnerabilities due to age, disability or social or economic situation; social scoring leading to detrimental or disproportionate treatment; predicting criminal offences based solely on profiling or personality traits; untargeted scraping of facial images from the internet or CCTV to build facial recognition databases; emotion recognition in the workplace and in education (except for medical or safety reasons); biometric categorisation to infer race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation; and real-time remote biometric identification in publicly accessible spaces for law enforcement, subject to narrow, authorised exceptions. These prohibitions have been in force since 2 February 2025, so any organisation still operating such a system is already in violation.

5. High-Risk AI Systems (Annex III) — August 2026

The most operationally significant deadline is 2 August 2026, when full obligations apply to AI systems in the eight high-risk application areas listed in Annex III. If your organisation deploys AI in any of these areas, immediate action is required.

Annex III Area: Examples of High-Risk AI
Biometrics: Remote biometric identification systems (real-time and post-remote), biometric categorisation by sensitive or protected attributes, emotion recognition systems.
Critical Infrastructure: AI used as a safety component in the management and operation of critical digital infrastructure, road traffic, or the supply of water, gas, heating or electricity.
Education and Training: AI that determines access or admission to educational institutions, evaluates learning outcomes, assesses the appropriate level of education, or monitors students during exams.
Employment and Workers: CV screening, sorting or filtering job applicants, AI used for promotion or termination decisions, task allocation based on behaviour or personal traits, and monitoring or evaluation of work performance.
Access to Essential Services: Credit scoring (except for detecting financial fraud), risk assessment and pricing in life and health insurance, eligibility for public benefits and services, and dispatching of emergency services.
Law Enforcement: Polygraph-like systems, assessment of the risk of a person becoming a victim of crime, evaluation of the reliability of evidence, and profiling of persons in criminal investigations.
Migration and Border Control: Polygraph-like systems, risk assessment of persons seeking entry, examination of asylum, visa and residence applications, and identification of persons at borders.
Justice and Democracy: AI that assists judicial authorities in researching and interpreting facts and law or in alternative dispute resolution, and AI intended to influence the outcome of elections or voting behaviour.
Many HR and Finance AI Systems Are High-Risk
Common enterprise AI tools often fall into Annex III. Applicant tracking systems with AI scoring, automated credit decisioning, insurance underwriting AI, and workforce analytics used for promotion or termination decisions are all likely high-risk. Audit your AI portfolio against the Annex III list — do not assume commercial off-the-shelf software is compliant.

6. Obligations for High-Risk AI Deployers

While providers (developers) bear the heaviest compliance burden, deployers, that is organisations that use high-risk AI systems in a professional context, have substantial obligations of their own under Article 26 (Chapter III, Section 3), with the fundamental rights impact assessment in Article 27. In outline: use the system in accordance with the provider's instructions for use, assign human oversight to people with the necessary competence and authority, ensure input data under your control is relevant and sufficiently representative, monitor operation and report serious incidents, retain the automatically generated logs for at least six months, and inform workers and affected individuals that a high-risk system is being used on them.

7. Fines and Penalties

The AI Act sets one of the highest penalty scales of any EU regulation. Article 99 establishes a three-tier fine structure for operators; a separate provision (Article 101) allows the Commission to fine providers of GPAI models up to €15,000,000 or 3% of worldwide annual turnover.

Violation Type: Maximum Fine
Use of prohibited AI practices (Article 5): €35,000,000 or 7% of total worldwide annual turnover, whichever is higher.
Violations of other obligations, including high-risk AI obligations of providers, deployers, importers and distributors: €15,000,000 or 3% of total worldwide annual turnover, whichever is higher.
Providing incorrect, incomplete or misleading information to authorities: €7,500,000 or 1% of total worldwide annual turnover, whichever is higher.

For SMEs and start-ups, the lower of the absolute amount and the percentage applies. For large multinational companies, the percentage threshold will typically be the higher figure. National market surveillance authorities (designated by each Member State under Article 70) have enforcement powers including on-site inspections, document and source-code requests, and orders to withdraw or cease operation of an AI system.

Personal Liability of Management
While the AI Act itself imposes fines on legal persons, Member States lay down the national penalty rules (Article 99(1)) and may provide for individual liability of directors and senior managers who approve, or fail to prevent, prohibited AI practices. Data protection authorities in several Member States have indicated that they will combine GDPR and AI Act enforcement actions where personal data is involved.

8. Compliance Checklist — Actions Before 2 August 2026

1. AI System Inventory

Catalogue every AI system used in your organisation: commercial tools, internally developed models, and third-party APIs. Include AI components embedded in larger software products (e.g. automated scoring in CRM, HR platforms with AI features). This is the prerequisite for everything else.

2. Risk Categorisation Against Annex III and Article 5

For each AI system, determine: is it prohibited (must cease immediately)? Is it high-risk under Annex III? Does it carry transparency obligations (chatbots, deepfake generators)? Or is it minimal risk? Document your rationale for each classification.

3. Verify Provider Compliance for High-Risk Systems

Contact providers of high-risk AI systems and obtain their EU Declaration of Conformity, evidence of CE marking, and the instructions for use (providers must keep the full technical documentation available for authorities). If a provider cannot produce these by August 2026, assess whether to continue using the system.

4. Conduct Fundamental Rights Impact Assessments (FRIA)

Where Article 27 requires it (bodies governed by public law, private entities providing public services, and deployers of Annex III credit-scoring and life or health insurance systems), complete a FRIA before first use. Document the intended use and duration, which fundamental rights are affected, who the impacted groups are, the human oversight measures, and the mitigation measures in place.

5. Establish Human Oversight Procedures

Define oversight roles: who monitors the AI system, what triggers escalation or override, and who has authority to halt the system. Train oversight staff. Document procedures in writing; "human in the loop" must be substantive, not nominal.

6. Implement Logging and Audit Trail

Configure AI systems to generate and retain the automatically generated logs for at least six months (Article 26(6)), or longer where Union or national law requires. Define who can access logs, how they are stored securely and protected from tampering, and the process for providing them to market surveillance authorities on request.

7. Update Individual Notices and Transparency Communications

Review customer and employee communications to ensure disclosure of AI use where required. Update privacy notices, job application processes, credit decision letters, and any other touchpoints where high-risk AI is used.

8. Register Where Required and Appoint AI Governance Owner

Check the EU database registration requirements for your high-risk systems (Article 49: providers register Annex III systems, and deployers that are public authorities must register their use). Appoint an AI governance lead or committee responsible for ongoing compliance, incident reporting, and periodic re-assessment as new AI systems are adopted.

If All Your AI is Minimal Risk
If your AI system inventory shows only minimal-risk applications (spam filters, recommendation engines that do not make consequential decisions about people, AI-assisted search), you have no mandatory obligations under the AI Act beyond the general AI literacy duty of Article 4. Documenting the assessment is still advisable, to demonstrate due diligence if questions arise and to catch systems that later change purpose.

9. AI Act Compliance Tool — aiact.saaslab.pl

aiact.saaslab.pl is a structured compliance management tool for organisations navigating the EU AI Act:

Know where you stand before August 2026

Run your AI system inventory and get an instant risk categorisation. Identify which systems require compliance action before the August 2026 deadline — in minutes, not months.

Check your AI system compliance →

No credit card required. Free plan available.