Last reviewed: April 9, 2026
Jurisdictions covered: EU
Reading time: 18 minutes
This is a living page. We update it monthly as the deadline approaches.
Regulatory uncertainty: The European Commission’s Digital Omnibus proposal (November 19, 2025) would push the high-risk AI deadline from August 2, 2026 to December 2, 2027 for Annex III standalone systems. The Council agreed its negotiating position on March 13, 2026. The proposal has not been adopted. Until it is, August 2, 2026 remains the legally enforceable deadline. Last checked: 2026-03-24.
EU AI Act August 2026 Deadline: What to Do Now
131 days. That is the gap between today and August 2, 2026, the date when the EU AI Act’s high-risk AI system obligations become enforceable (EU AI Act Art. 113(a)). Penalties for non-compliance reach EUR 15 million or 3% of global annual turnover, whichever is higher (EU AI Act Art. 99(4)). Harmonised standards do not exist yet. The official FRIA template has not been published. Commission guidelines on high-risk classification are overdue. And a legislative proposal could push the entire deadline back by 16 months.
This is the compliance environment you are working in. Uncertain, but with a hard date on the calendar.
This article breaks down exactly what becomes enforceable on August 2, 2026, what is already in effect, what might change, and what to do between now and then. We update it monthly.
Key Takeaways
What Happens on August 2, 2026
The EU AI Act phases in over three years. August 2, 2026 is the second major enforcement date, and it activates the heaviest compliance obligations in the regulation.
High-Risk AI System Requirements (Articles 6-49)
Providers of Annex III high-risk AI systems must comply with all Chapter III, Section 2 obligations. Here is what that means in practice:
| Obligation | Article | What It Requires |
|---|---|---|
| Risk management system | Art. 9 | Continuous, iterative risk identification, analysis, and mitigation throughout the system’s lifecycle |
| Data governance | Art. 10 | Training, validation, and testing datasets must be relevant, representative, free of errors, and complete. Bias examination mandatory |
| Technical documentation | Art. 11 | Detailed documentation per Annex IV before market placement |
| Record-keeping | Art. 12 | Automatic logging of events during operation, traceable to specific decisions |
| Transparency | Art. 13 | Instructions for use that allow deployers to understand the system’s capabilities and limitations |
| Human oversight | Art. 14 | Design features enabling effective human oversight during use, including the ability to override or reverse outputs |
| Accuracy, robustness, cybersecurity | Art. 15 | Appropriate levels of all three throughout the system’s lifecycle |
| Quality management system | Art. 17 | Documented QMS covering development, testing, deployment, and post-market processes |
| Conformity assessment | Art. 43 | Self-assessment or third-party assessment depending on the AI system’s domain |
| EU database registration | Art. 49 | Registration in the EU database before placing the system on the market |
| Post-market monitoring | Art. 72 | Documented system for monitoring performance after deployment |
| FRIA (for covered deployers) | Art. 27 | Fundamental Rights Impact Assessment before first use. See our FRIA template guide |
This is not a checklist you complete once. Art. 9 requires a risk management system that operates “throughout the entire lifecycle” of the AI system. Art. 72 requires post-market monitoring that runs as long as the system is in use.
GPAI Enforcement Powers
General-purpose AI model obligations have applied since August 2, 2025, but the AI Office gains full enforcement teeth on August 2, 2026 (EU AI Act Art. 88-91). After that date, the AI Office can issue binding information requests to GPAI providers, conduct evaluations of models with systemic risk, and impose fines of up to EUR 15 million or 3% of global annual turnover (EU AI Act Art. 101). The GPAI Code of Practice was finalized on July 10, 2025, with signatories including Amazon, Anthropic, Google, IBM, Microsoft, Mistral AI, OpenAI, Cohere, and xAI.
Market Surveillance
National competent authorities gain their full supervisory powers. Several Member States have not yet completed NCA designation (EU AI Act Art. 70), though this was due by August 2, 2025. The practical effect: enforcement intensity will vary by Member State.
The Full EU AI Act Timeline
The EU AI Act does not switch on at once. It phases in over 36 months. Here is every milestone, past and future.
Already in effect
| Date | What happened | Legal basis |
|---|---|---|
| August 1, 2024 | EU AI Act entered into force (20 days after Official Journal publication on July 12, 2024) | Art. 113 |
| February 2, 2025 | Prohibited AI practices ban enforceable | Art. 5 |
| February 2, 2025 | AI literacy obligation enforceable | Art. 4 |
| February 2, 2025 | Commission guidelines on AI system definition published (C(2025) 924, updated July 2025 as C(2025) 5053) | Art. 3(1) |
| February 2, 2025 | Commission guidelines on prohibited practices published | Art. 5 |
| July 10, 2025 | GPAI Code of Practice finalized (3 drafts, 1,000+ participants) | Art. 55-56 |
| July 18, 2025 | Commission GPAI guidelines published | Art. 51-53 |
| August 2, 2025 | GPAI model obligations enforceable (Chapter V) | Art. 113(b) |
| October 14-16, 2025 | CEN-CENELEC adopted exceptional acceleration measures for AI standards | Art. 40 |
| October 30, 2025 | First AI harmonised standard (prEN 18286, QMS) entered public enquiry — subsequently FAILED Enquiry vote Feb 2026 (1,288 comments) | Art. 17 |
| November 19, 2025 | Digital Omnibus proposal published | Commission proposal |
Coming next
| Date | What happens | Legal basis | Status |
|---|---|---|---|
| August 2, 2026 | High-risk AI system obligations enforceable (Annex III standalone) | Art. 113(a) | 131 days away |
| August 2, 2026 | AI Office gains full GPAI enforcement powers | Art. 88-91 | 131 days away |
| 2027 at earliest | First harmonised standards — prEN 18286 FAILED vote Feb 2026 | Art. 40 | In progress |
| December 9, 2026 | Product Liability Directive transposition deadline (AI-specific provisions) | Directive 2024/2853 | 265 days away |
| August 2, 2027 | Annex I embedded product rules enforceable (medical devices, machinery, etc.) | Art. 113(b) | ~500 days away |
| August 2, 2027 | GPAI enforcement for models placed on market before August 2, 2025 | Transitional provisions | ~500 days away |
If the Digital Omnibus is adopted
| Original date | New date (proposed) | Scope |
|---|---|---|
| August 2, 2026 | No later than December 2, 2027 | Annex III standalone high-risk AI systems |
| August 2, 2027 | No later than August 2, 2028 | Annex I embedded products |
The Digital Omnibus would also allow the Commission to activate rules earlier if compliance tools (standards, guidelines) become available sooner.
The Digital Omnibus Question: Could the Deadline Move?
Yes. But it has not moved yet, and the legislative timeline makes a last-minute shift unlikely.
What it is
On November 19, 2025, the European Commission published the Digital Omnibus proposal. Among other things, it would delay the August 2, 2026 high-risk AI deadline by linking enforcement to the availability of harmonised standards. The backstop date: December 2, 2027. If standards become available earlier, the Commission can activate rules earlier.
The proposal also introduces SME relief. “Small mid-caps” (fewer than 750 employees, annual turnover under EUR 150 million) would get simplified documentation requirements. The classification framework itself does not change. Annex III is untouched.
Source: European Commission, AI Act Standardisation page, updated March 11, 2026.
Where it stands
The Council agreed its negotiating position on March 13, 2026. The European Parliament’s IMCO and LIBE committees have scheduled a vote. Trilogues between the Parliament, Council, and Commission are expected but have not started. Even under accelerated procedure, adoption, Official Journal publication, and entry into force take months.
Our view
We do not recommend planning around the Digital Omnibus. Three reasons:
First, the timeline does not work. For the Digital Omnibus to move the August 2, 2026 deadline, it would need to complete trilogues, pass a plenary vote, and be published in the Official Journal before August 2. Given that trilogues have not begun as of March 2026, this is improbable.
Second, the scope is narrower than it appears. The Digital Omnibus delays *enforcement* of high-risk obligations, not the obligations themselves. Organizations that wait until December 2027 to start compliance work will face the same volume of requirements compressed into a shorter window. The obligations under Articles 9-15 require systems and processes that take months to build.
Third, partial preparation has standalone value. An AI system inventory, a risk classification exercise, and a documentation framework are useful regardless of the exact enforcement date. Organizations that start now will be better positioned whether the deadline holds or shifts.
Regulatory uncertainty callout: This section reflects the legislative status as of March 24, 2026. If the Digital Omnibus advances through trilogues, we will update this article. Check the “Last reviewed” date above for currency.
What Is Already in Effect
Two categories of obligations are already enforceable. If you have not addressed these, start here before turning to the August 2026 deadline.
Prohibited AI Practices (since February 2, 2025)
Art. 5 bans AI systems that pose unacceptable risks. Penalties are the highest in the regulation: up to EUR 35 million or 7% of global annual turnover (EU AI Act Art. 99(3)). The banned practices include:
Quick compliance check: Review your AI inventory. Does any system fall into these categories? If yes, stop using it. The Commission published guidelines on prohibited practices in February 2025.
AI Literacy (since February 2, 2025)
Art. 4 requires providers and deployers of AI systems to ensure that their staff and anyone else dealing with the operation and use of AI systems on their behalf have a “sufficient level of AI literacy.” This applies to all AI systems, not just high-risk. The obligation is proportionate to context, but it is enforceable now.
Quick compliance check: Have you provided AI literacy training to staff who work with AI systems? Can you document it?
GPAI Model Obligations (since August 2, 2025)
Chapter V obligations for general-purpose AI model providers are enforceable (EU AI Act Art. 53-55). Providers must maintain technical documentation, provide information to downstream providers, comply with copyright law, and publish a sufficiently detailed summary of training data. Models with systemic risk (the threshold is 10^25 FLOPs) face additional obligations including adversarial testing and serious incident reporting.
The GPAI Code of Practice, finalized July 10, 2025, provides the compliance framework. Full AI Office enforcement powers activate August 2, 2026.
Your Compliance Countdown: Month-by-Month Action Plan
131 days is not generous. It is enough if you start now and focus on what is achievable. Below is a month-by-month plan that separates what you can do today from what requires further Commission action.
March 2026: Inventory and Classify
Objective: Know what AI systems you have and which ones are high-risk.
1. Build your AI system inventory. Document every AI system your organization provides or deploys. Include vendor-provided systems. Include systems in development. Include systems you use internally for HR, finance, and operations.
2. Classify each system against Annex III. For each system, determine whether it falls into one of the 8 Annex III categories: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, or democratic processes. Our Annex III classification guide walks through each category with real-world examples and a decision tree.
3. Document your Art. 6(3) reasoning. If you believe a system listed in Annex III qualifies for the exception because it does not pose a “significant risk of harm,” document that reasoning in writing. Commission guidelines on this exception are overdue since February 2026. We recommend treating systems as high-risk until guidance clarifies. Record your reasoning either way (EU AI Act Art. 6(4)).
4. Assign an internal owner for each high-risk AI system. Someone needs to be accountable for each system’s compliance journey.
April 2026: Risk Management and Data Governance
Objective: Build the risk management system required by Art. 9 and assess your data practices.
1. Establish your risk management system. Art. 9 requires a “continuous iterative process” running throughout the AI system’s lifecycle. Start by identifying known risks, estimating their severity and probability, and documenting existing mitigation measures.
2. Audit your training data. Art. 10 requires that training, validation, and testing datasets be relevant, representative, free of errors, and complete. Assess whether your datasets meet these requirements. If you use vendor-provided AI, request documentation from your vendor about their data governance practices.
3. Begin technical documentation. Art. 11 and Annex IV specify what technical documentation must contain. Starting now gives you time to fill gaps. Do not aim for perfection; aim for a working draft you can refine.
4. Map your vendor obligations. If you deploy AI systems from third-party providers, identify which obligations fall on you as deployer and which fall on the provider. The AI Act distributes obligations across the value chain (EU AI Act Art. 25-27).
May 2026: FRIA, Human Oversight, and Transparency
Objective: Complete your Fundamental Rights Impact Assessment and design human oversight processes.
1. Conduct your FRIA if you are a covered deployer (public bodies, public-service providers, credit scoring and insurance pricing deployers). Use our FRIA template guide as a working framework until the AI Office publishes the official template. Art. 27 requires this assessment to be completed before first use of the system.
2. Design human oversight mechanisms. Art. 14 requires that high-risk AI systems be designed so that natural persons can effectively oversee them during use. Define who oversees each system, what decision authority they have, and how they can override or reverse outputs.
3. Prepare transparency documentation. Art. 13 requires instructions for use that enable deployers to interpret outputs and use the system appropriately. If you are a provider, draft these instructions. If you are a deployer, request them from your provider.
June 2026: Conformity Assessment and QMS
Objective: Complete or substantially advance your conformity assessment and quality management system.
1. Determine your conformity assessment path. Most Annex III systems use internal self-assessment (EU AI Act Art. 43(2)). Biometric identification systems used by law enforcement require third-party assessment by a notified body (EU AI Act Art. 43(1)). Note: no notified bodies have been formally designated under the AI Act as of March 2026.
2. Document your quality management system. Art. 17 requires a QMS covering your entire AI lifecycle. If you already have ISO/IEC 42001 certification, it provides a useful starting point, though it does not grant presumption of conformity under the AI Act.
3. Prepare your EU declaration of conformity. Art. 47 and Annex V specify the template. Have a draft ready for each high-risk system.
July 2026: Testing, Registration, and Final Checks
Objective: Test your systems, attempt EU database registration, and close compliance gaps.
1. Conduct accuracy, robustness, and cybersecurity testing. Art. 15 requires appropriate levels of all three. Document your testing methodology, results, and any limitations identified.
2. Register in the EU database. Art. 49 requires registration before market placement. The database is not yet publicly accessible as of March 2026, but monitor the AI Office website for launch announcements.
3. Establish your post-market monitoring system. Art. 72 requires documented monitoring of AI system performance after deployment. Define what you will monitor, how often, and what triggers a corrective action.
4. Run an internal audit. Walk through each Article 9-15 obligation against your documentation. Identify remaining gaps and assign owners with deadlines.
5. Brief your leadership. The compliance deadline is real. Ensure senior management understands the state of readiness and any residual risks.
August 2026: Enforcement Begins
On August 2, 2026, market surveillance authorities gain the power to inspect, request information, and impose corrective measures on high-risk AI systems. This does not mean enforcement actions begin on day one. Authorities will need time to build capacity, and early enforcement will likely focus on the most visible violations. But the legal liability exists from this date.
If you have followed the steps above, you will have: a documented AI system inventory, risk classifications with reasoning, a risk management system, data governance documentation, technical documentation drafts, human oversight procedures, a FRIA (if required), a conformity assessment, a QMS, and a post-market monitoring plan. Not all of these will be perfect. The goal is documented, good-faith progress.
Missing Pieces: Guidelines the Commission Has Not Published
Organizations face a structural problem: the deadline is fixed, but several tools needed for compliance are not available. This section tracks what is missing and what to do in the meantime.
Art. 6(2) Classification Guidelines — OVERDUE
What they are: Commission guidelines explaining when a high-risk classification does *not* apply to an Annex III system because it does not pose a “significant risk of harm” to health, safety, or fundamental rights.
When they were due: February 2, 2026 (EU AI Act Art. 6(5)).
Current status: Not published as of March 24, 2026.
What to do now: Treat your Annex III systems as high-risk unless you have strong, documented reasons to believe the exception applies. Record your reasoning per Art. 6(4). When guidelines are published, review and adjust your classification. Civil society organizations including AccessNow and AlgorithmWatch have argued the exception should be interpreted narrowly; industry groups favor a broader reading. Until the Commission speaks, this remains an open question. See the Art. 6(3) section in our Annex III classification guide for the full debate.
FRIA Template — NOT PUBLISHED
What it is: The mandatory questionnaire format for Fundamental Rights Impact Assessments.
Legal basis: The AI Office must develop this with the EU Fundamental Rights Agency (EU AI Act Art. 27(5)).
Current status: In development. Not published as of March 24, 2026.
What to do now: Use our FRIA template guide, which follows the Art. 27(1)(a)-(f) structure and draws on the FRA’s 2025 guidance report. When the official template is published, map your existing assessment to its format.
Harmonised Standards — BEHIND SCHEDULE
For the full picture of the EU AI Act standards crisis, see our dedicated standards analysis.
What they are: Technical standards that, once referenced in the Official Journal, give providers a “presumption of conformity” with the corresponding AI Act obligations (EU AI Act Art. 40).
Current status: The Commission’s standardisation request (C(2025)3871 / M/613) covers 10 key areas. CEN-CENELEC adopted exceptional acceleration measures in October 2025. The first standard, prEN 18286 (AI quality management systems), entered public enquiry on October 30, 2025, but failed its Enquiry vote in February 2026 after receiving 1,288 comments. It failed both the national member count and weighted population criteria. The scope was amended in March 2026 and a re-vote is pending, but realistic timelines now point to 2027 at earliest. No harmonised standard has been published as of April 2026.
What to do now: Comply with the regulation text directly. Organizations are using ISO/IEC 42001 (AI management systems) and ISO/IEC 23894 (AI risk management) as interim frameworks. These do not grant presumption of conformity, but they provide structured approaches that align with the AI Act’s requirements. If harmonised standards are not ready by August 2, 2026, the Commission has the power to issue common specifications as a fallback under Art. 41. None have been issued so far.
Additional Guidelines Not Yet Published
Several additional sets of Commission guidelines are due before August 2, 2026 but have not appeared:
The Commission has published 4 of approximately 50 required secondary measures. That is 8%. This is the structural gap behind the compliance uncertainty.
Penalties for Non-Compliance
The EU AI Act uses a three-tier penalty structure. All tiers apply from their respective enforcement dates.
| Violation | Maximum Fine | Article |
|---|---|---|
| Prohibited AI practices (Art. 5) | EUR 35 million or 7% of global annual turnover (whichever is higher) | Art. 99(3) |
| High-risk obligations (Art. 6-49) and GPAI obligations (Art. 51-55) | EUR 15 million or 3% of global annual turnover | Art. 99(4) |
| Incorrect information to authorities | EUR 7.5 million or 1% of global annual turnover | Art. 99(5) |
For SMEs and startups, the regulation specifies that the lower of the two amounts applies (the fixed amount or the turnover percentage), rather than the higher (EU AI Act Art. 99(6)). This is a meaningful difference for smaller organizations.
Enforcement will be split. National market surveillance authorities handle high-risk AI system compliance. The AI Office handles GPAI model enforcement at EU level. The practical question is how aggressively authorities will enforce in the early months. GDPR enforcement history suggests a ramp-up period, but that is not guaranteed.
What to Do Next
If you have read this far, here are the immediate next steps. (For a comparison with how Asia-Pacific jurisdictions are approaching AI regulation, see our Vietnam AI Law guide and South Korea AI Basic Act guide.), ordered by priority:
1. Classify your AI systems. Read our Annex III classification guide and determine which of your AI systems are high-risk. This is the single most important step because everything else depends on it.
2. Start your FRIA if required. If you are a public body, public-service provider, or use AI for credit scoring or insurance pricing, use our FRIA template guide to begin your Fundamental Rights Impact Assessment.
3. Begin documentation. Even without harmonised standards, you can start building technical documentation per Annex IV. Incomplete documentation that you improve over time is better than no documentation on August 2.
4. Monitor the Digital Omnibus. Watch for trilogue developments. If the deadline shifts, you will have a head start. If it does not, you will be ready.
5. Bookmark this page. We update it monthly. As Commission guidelines are published, standards progress, and the Digital Omnibus moves through the legislative process, this page will reflect the current state.
Future articles in this series will cover conformity assessment procedures, a compliance checklist for high-risk AI providers, and sector-specific guidance. We will link them here as they publish.
*Disclaimer: This content is for informational purposes only and does not constitute legal advice. Organizations should consult qualified legal counsel for jurisdiction-specific compliance guidance.*
*Last verified: 2026-04-09*