EU AI Act compliance: what your company must do before August 2026
August 2026 is the EU AI Act's critical deadline. Here's what's already enforceable, what changes now, and a concrete action plan to get compliant in time.
August 2026 is the EU AI Act's most significant deadline. Most obligations for high-risk AI systems become fully enforceable then. Three-quarters of European businesses are not yet prepared. If you haven't inventoried which AI systems you use and how they're classified, the window to act is closing.
This article assumes you know the EU AI Act exists. What we cover here: what's concretely required of your company by August 2026, which obligations are already in force, and how to use the coming months effectively if compliance hasn't been a priority yet.
What's already in force — and what changes in August 2026.
The EU AI Act entered into force on 1 August 2024 but is being phased in. Not everything applies at once. Here's what's already enforceable and what becomes mandatory in August 2026.
| Date | What applies? |
|---|---|
| August 2024 | Regulation enters into force. Definitions, scope, and general principles. |
| February 2025 | Ban on unacceptable-risk AI already enforceable. Social scoring systems, manipulative AI, and real-time biometric surveillance in public spaces are prohibited. |
| August 2025 | Obligations for providers of general-purpose AI models (GPAI) — large language models and foundation models. Primarily affects OpenAI, Anthropic, Google, and similar parties. |
| August 2026 | High-risk systems must be fully compliant: documentation, conformity assessment, risk management, human oversight, logging. Applies to both deployers and providers. |
| August 2027 | Remaining transition provisions for certain existing high-risk systems already on the market before 2 August 2026. |
It's not one single moment. But August 2026 is the deadline with the most impact on regular businesses that use AI in daily operations. The February 2025 bans are — hopefully — not your problem. The August 2025 GPAI rules apply to model providers. August 2026 is for you.
High-risk AI: the category that matters.
High-risk AI systems are those with significant potential impact on people. The EU AI Act defines eight domains where systems are classified as high-risk. For companies in construction, real estate, energy, and professional services, three domains are particularly relevant.
Employment and workforce management.
AI used in recruitment, selection, performance management, or termination of employment is high-risk. A CV-ranking tool, a system that flags attendance anomalies to HR, or an algorithm that generates bonus recommendations — all high-risk. If you use such tools — even if you didn't build them — deployer obligations apply.
Critical infrastructure.
AI systems used in the management of critical infrastructure — power grids, water management, traffic systems — fall into this category. Energy companies deploying AI for predictive maintenance or grid management need to include this in their risk assessment.
Access to essential services.
AI that influences decisions on credit, insurance, or applications for social benefits falls here. Financial services firms and companies with automated approval processes for customer applications need to review these systems.
Your obligations as an AI deployer.
The EU AI Act distinguishes between providers (who build and bring AI systems to market) and deployers (who use existing AI systems in their own organisation). Most SMEs are deployers. You buy a tool, integrate it into your processes, and in doing so take on responsibility.
For deployers of high-risk AI, these obligations apply from August 2026:
- Use the system in accordance with the provider's instructions. If you deviate from the intended use case, you partially become a provider — with corresponding obligations.
- Ensure meaningful human oversight. A person must be able to review and override the system's output before a decision affects an individual.
- Conduct a risk assessment before deployment. Document what the system does, which data it processes, and what the risks are.
- Actively monitor the system's operation. Report serious incidents or unexpected behaviour to the provider and, where required, to the relevant authority.
- Retain logs of the system's operation for at least six months after use.
- Inform affected employees or users that they are subject to a high-risk AI system.
Have you built or commissioned your own AI systems? Then you're also a provider, and additional requirements apply: technical documentation, conformity assessment, registration in the EU database for AI systems, and CE marking for certain categories. That's a substantial process — typically 3–6 months for an existing system.
What does non-compliance cost?
The maximum penalties are significant: up to €35 million or 7% of global annual turnover for the most serious violations (prohibited AI). For high-risk AI that doesn't meet requirements: up to €15 million or 3% of turnover. For supplying incorrect information to supervisory authorities: €7.5 million or 1.5%.
Early enforcement will focus on the highest-risk systems and on clear, structural negligence. But that doesn't mean you can safely ignore the deadline. Each EU member state is designating a national supervisory authority. Checks will come — the question is when, not whether.
Action plan for the coming months.
There are just over two months until the deadline. That's tight for a full compliance programme for high-risk systems, but enough time to get the essentials in place. Here's a realistic plan.
Weeks 1–2: inventory.
Build a list of all AI systems used or developed within your organisation. Think broader than you expect: AI features in HR software, CRM systems, scheduling tools, content tools, and production planning are all in scope. For each system, note: the vendor, what it does, which data it processes, and whether it influences decisions that affect people.
Weeks 3–4: classify.
Apply the EU AI Act's eight domains as a test for each system. For most systems the classification will be quick: spam filters, recommendation algorithms, content tools — minimal or limited risk. Systems that (co-)decide on employment, credit, or infrastructure — high-risk. Document the classification and the reasoning.
Weeks 5–8: address high-risk systems.
For each high-risk system: conduct the risk assessment, establish human oversight, verify that logging is in place, and check whether your vendor has or will have a conformity declaration. If you're also a developer: start technical documentation now.
Weeks 9–12: close out limited risk and set policy.
For chatbots and other limited-risk systems: make sure transparency notices are in place. Establish internal policy on AI use — who can deploy which systems, how new AI tools are evaluated, and who owns compliance. This is also the right moment for a short training session for relevant staff.
| System type | Priority | Action before August 2026 |
|---|---|---|
| Prohibited AI (social scoring, manipulative) | Immediate | Stop use |
| High-risk — HR, credit, infrastructure | High | Risk assessment, human oversight, logging, vendor conformity check |
| Limited risk — chatbots, AI-generated content | Medium | Implement transparency notice, maintain a register |
| Minimal risk — spam filters, recommendations | Low | No mandatory action required |
Frequently asked questions.
Does the EU AI Act apply to SaaS tools we purchase?
Yes. As a deployer, you're responsible for how the system is used — regardless of whether you built it. The provider is responsible for the technical conformity of the system itself. Ask your vendor for a conformity declaration for any systems that classify as high-risk.
We're a small company. Do the rules apply to us too?
Yes, but there are exemptions and simplifications for micro-enterprises (fewer than 10 employees, turnover under €2 million). Small companies (up to 50 employees) benefit from a simplified documentation obligation. The core requirements — human oversight, transparency, risk assessment — apply to everyone.
What if our vendor doesn't have a conformity declaration yet?
Ask when it will be available. If the vendor can't give a concrete answer before the deadline, consider alternatives. As a deployer, you can't indefinitely pass liability to the vendor — you have your own responsibility for choosing and using systems appropriately.