Skip to content

EU AI Act August 2026 Deadline: What to Do Now

Last reviewed: April 9, 2026

Jurisdictions covered: EU

Reading time: 18 minutes

This is a living page. We update it monthly as the deadline approaches.

Regulatory uncertainty: The European Commission’s Digital Omnibus proposal (November 19, 2025) would push the high-risk AI deadline from August 2, 2026 to December 2, 2027 for Annex III standalone systems. The Council agreed its negotiating position on March 13, 2026. The proposal has not been adopted. Until it is, August 2, 2026 remains the legally enforceable deadline. Last checked: 2026-03-24.

EU AI Act August 2026 Deadline: What to Do Now

131 days. That is the gap between today and August 2, 2026, the date when the EU AI Act’s high-risk AI system obligations become enforceable (EU AI Act Art. 113(a)). Penalties for non-compliance reach EUR 15 million or 3% of global annual turnover, whichever is higher (EU AI Act Art. 99(4)). Harmonised standards do not exist yet. The official FRIA template has not been published. Commission guidelines on high-risk classification are overdue. And a legislative proposal could push the entire deadline back by 16 months.

This is the compliance environment you are working in. Uncertain, but with a hard date on the calendar.

This article breaks down exactly what becomes enforceable on August 2, 2026, what is already in effect, what might change, and what to do between now and then. We update it monthly.

Key Takeaways

  • August 2, 2026 is the enforceable deadline for high-risk AI system obligations under the EU AI Act. This covers risk management (Art. 9), data governance (Art. 10), technical documentation (Art. 11), record-keeping (Art. 12), transparency (Art. 13), human oversight (Art. 14), and accuracy, robustness, and cybersecurity (Art. 15).
  • Two phases are already live. Prohibited AI practices and the AI literacy obligation took effect February 2, 2025. GPAI model obligations have been enforceable since August 2, 2025.
  • The Digital Omnibus proposal could extend the deadline to December 2, 2027 for Annex III standalone high-risk systems. The Council agreed its negotiating position on March 13, 2026. But the proposal has not been adopted and trilogues have not concluded. Do not plan around it.
  • Critical compliance infrastructure is missing. Art. 6(2) classification guidelines are overdue. No harmonised standards have been published. The FRIA template mandated by Art. 27(5) does not exist. The EU database for high-risk AI registration is not publicly accessible.
  • Start now anyway. Organizations that wait for perfect clarity will not be ready by August. Begin with AI system inventory, risk classification, and documentation. Adjust as guidance arrives.

  • What Happens on August 2, 2026

    The EU AI Act phases in over three years. August 2, 2026 is the second major enforcement date, and it activates the heaviest compliance obligations in the regulation.

    High-Risk AI System Requirements (Articles 6-49)

    Providers of Annex III high-risk AI systems must comply with all Chapter III, Section 2 obligations. Here is what that means in practice:

    Obligation Article What It Requires
    Risk management system Art. 9 Continuous, iterative risk identification, analysis, and mitigation throughout the system’s lifecycle
    Data governance Art. 10 Training, validation, and testing datasets must be relevant, representative, free of errors, and complete. Bias examination mandatory
    Technical documentation Art. 11 Detailed documentation per Annex IV before market placement
    Record-keeping Art. 12 Automatic logging of events during operation, traceable to specific decisions
    Transparency Art. 13 Instructions for use that allow deployers to understand the system’s capabilities and limitations
    Human oversight Art. 14 Design features enabling effective human oversight during use, including the ability to override or reverse outputs
    Accuracy, robustness, cybersecurity Art. 15 Appropriate levels of all three throughout the system’s lifecycle
    Quality management system Art. 17 Documented QMS covering development, testing, deployment, and post-market processes
    Conformity assessment Art. 43 Self-assessment or third-party assessment depending on the AI system’s domain
    EU database registration Art. 49 Registration in the EU database before placing the system on the market
    Post-market monitoring Art. 72 Documented system for monitoring performance after deployment
    FRIA (for covered deployers) Art. 27 Fundamental Rights Impact Assessment before first use. See our FRIA template guide

    This is not a checklist you complete once. Art. 9 requires a risk management system that operates “throughout the entire lifecycle” of the AI system. Art. 72 requires post-market monitoring that runs as long as the system is in use.

    GPAI Enforcement Powers

    General-purpose AI model obligations have applied since August 2, 2025, but the AI Office gains full enforcement teeth on August 2, 2026 (EU AI Act Art. 88-91). After that date, the AI Office can issue binding information requests to GPAI providers, conduct evaluations of models with systemic risk, and impose fines of up to EUR 15 million or 3% of global annual turnover (EU AI Act Art. 101). The GPAI Code of Practice was finalized on July 10, 2025, with signatories including Amazon, Anthropic, Google, IBM, Microsoft, Mistral AI, OpenAI, Cohere, and xAI.

    Market Surveillance

    National competent authorities gain their full supervisory powers. Several Member States have not yet completed NCA designation (EU AI Act Art. 70), though this was due by August 2, 2025. The practical effect: enforcement intensity will vary by Member State.


    The Full EU AI Act Timeline

    The EU AI Act does not switch on at once. It phases in over 36 months. Here is every milestone, past and future.

    Already in effect

    Date What happened Legal basis
    August 1, 2024 EU AI Act entered into force (20 days after Official Journal publication on July 12, 2024) Art. 113
    February 2, 2025 Prohibited AI practices ban enforceable Art. 5
    February 2, 2025 AI literacy obligation enforceable Art. 4
    February 2, 2025 Commission guidelines on AI system definition published (C(2025) 924, updated July 2025 as C(2025) 5053) Art. 3(1)
    February 2, 2025 Commission guidelines on prohibited practices published Art. 5
    July 10, 2025 GPAI Code of Practice finalized (3 drafts, 1,000+ participants) Art. 55-56
    July 18, 2025 Commission GPAI guidelines published Art. 51-53
    August 2, 2025 GPAI model obligations enforceable (Chapter V) Art. 113(b)
    October 14-16, 2025 CEN-CENELEC adopted exceptional acceleration measures for AI standards Art. 40
    October 30, 2025 First AI harmonised standard (prEN 18286, QMS) entered public enquiry — subsequently FAILED Enquiry vote Feb 2026 (1,288 comments) Art. 17
    November 19, 2025 Digital Omnibus proposal published Commission proposal

    Coming next

    Date What happens Legal basis Status
    August 2, 2026 High-risk AI system obligations enforceable (Annex III standalone) Art. 113(a) 131 days away
    August 2, 2026 AI Office gains full GPAI enforcement powers Art. 88-91 131 days away
    2027 at earliest First harmonised standards — prEN 18286 FAILED vote Feb 2026 Art. 40 In progress
    December 9, 2026 Product Liability Directive transposition deadline (AI-specific provisions) Directive 2024/2853 265 days away
    August 2, 2027 Annex I embedded product rules enforceable (medical devices, machinery, etc.) Art. 113(b) ~500 days away
    August 2, 2027 GPAI enforcement for models placed on market before August 2, 2025 Transitional provisions ~500 days away

    If the Digital Omnibus is adopted

    Original date New date (proposed) Scope
    August 2, 2026 No later than December 2, 2027 Annex III standalone high-risk AI systems
    August 2, 2027 No later than August 2, 2028 Annex I embedded products

    The Digital Omnibus would also allow the Commission to activate rules earlier if compliance tools (standards, guidelines) become available sooner.


    The Digital Omnibus Question: Could the Deadline Move?

    Yes. But it has not moved yet, and the legislative timeline makes a last-minute shift unlikely.

    What it is

    On November 19, 2025, the European Commission published the Digital Omnibus proposal. Among other things, it would delay the August 2, 2026 high-risk AI deadline by linking enforcement to the availability of harmonised standards. The backstop date: December 2, 2027. If standards become available earlier, the Commission can activate rules earlier.

    The proposal also introduces SME relief. “Small mid-caps” (fewer than 750 employees, annual turnover under EUR 150 million) would get simplified documentation requirements. The classification framework itself does not change. Annex III is untouched.

    Source: European Commission, AI Act Standardisation page, updated March 11, 2026.

    Where it stands

    The Council agreed its negotiating position on March 13, 2026. The European Parliament’s IMCO and LIBE committees have scheduled a vote. Trilogues between the Parliament, Council, and Commission are expected but have not started. Even under accelerated procedure, adoption, Official Journal publication, and entry into force take months.

    Our view

    We do not recommend planning around the Digital Omnibus. Three reasons:

    First, the timeline does not work. For the Digital Omnibus to move the August 2, 2026 deadline, it would need to complete trilogues, pass a plenary vote, and be published in the Official Journal before August 2. Given that trilogues have not begun as of March 2026, this is improbable.

    Second, the scope is narrower than it appears. The Digital Omnibus delays *enforcement* of high-risk obligations, not the obligations themselves. Organizations that wait until December 2027 to start compliance work will face the same volume of requirements compressed into a shorter window. The obligations under Articles 9-15 require systems and processes that take months to build.

    Third, partial preparation has standalone value. An AI system inventory, a risk classification exercise, and a documentation framework are useful regardless of the exact enforcement date. Organizations that start now will be better positioned whether the deadline holds or shifts.

    Regulatory uncertainty callout: This section reflects the legislative status as of March 24, 2026. If the Digital Omnibus advances through trilogues, we will update this article. Check the “Last reviewed” date above for currency.


    What Is Already in Effect

    Two categories of obligations are already enforceable. If you have not addressed these, start here before turning to the August 2026 deadline.

    Prohibited AI Practices (since February 2, 2025)

    Art. 5 bans AI systems that pose unacceptable risks. Penalties are the highest in the regulation: up to EUR 35 million or 7% of global annual turnover (EU AI Act Art. 99(3)). The banned practices include:

  • Social scoring by public authorities or on their behalf
  • Real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions for missing children, imminent threats, and serious crime suspects)
  • Subliminal, manipulative, or deceptive techniques that materially distort behavior and cause significant harm
  • Exploitation of vulnerabilities (age, disability, socio-economic situation) to distort behavior
  • Emotion recognition in the workplace and educational institutions (with medical and safety exceptions)
  • Untargeted facial image scraping from the internet or CCTV to build facial recognition databases
  • Biometric categorisation to infer sensitive attributes (race, political opinions, trade union membership, religious beliefs, sexual orientation)
  • Predictive policing based solely on profiling or personality traits
  • Quick compliance check: Review your AI inventory. Does any system fall into these categories? If yes, stop using it. The Commission published guidelines on prohibited practices in February 2025.

    AI Literacy (since February 2, 2025)

    Art. 4 requires providers and deployers of AI systems to ensure that their staff and anyone else dealing with the operation and use of AI systems on their behalf have a “sufficient level of AI literacy.” This applies to all AI systems, not just high-risk. The obligation is proportionate to context, but it is enforceable now.

    Quick compliance check: Have you provided AI literacy training to staff who work with AI systems? Can you document it?

    GPAI Model Obligations (since August 2, 2025)

    Chapter V obligations for general-purpose AI model providers are enforceable (EU AI Act Art. 53-55). Providers must maintain technical documentation, provide information to downstream providers, comply with copyright law, and publish a sufficiently detailed summary of training data. Models with systemic risk (the threshold is 10^25 FLOPs) face additional obligations including adversarial testing and serious incident reporting.

    The GPAI Code of Practice, finalized July 10, 2025, provides the compliance framework. Full AI Office enforcement powers activate August 2, 2026.


    Your Compliance Countdown: Month-by-Month Action Plan

    131 days is not generous. It is enough if you start now and focus on what is achievable. Below is a month-by-month plan that separates what you can do today from what requires further Commission action.

    March 2026: Inventory and Classify

    Objective: Know what AI systems you have and which ones are high-risk.

    1. Build your AI system inventory. Document every AI system your organization provides or deploys. Include vendor-provided systems. Include systems in development. Include systems you use internally for HR, finance, and operations.

    2. Classify each system against Annex III. For each system, determine whether it falls into one of the 8 Annex III categories: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, or democratic processes. Our Annex III classification guide walks through each category with real-world examples and a decision tree.

    3. Document your Art. 6(3) reasoning. If you believe a system listed in Annex III qualifies for the exception because it does not pose a “significant risk of harm,” document that reasoning in writing. Commission guidelines on this exception are overdue since February 2026. We recommend treating systems as high-risk until guidance clarifies. Record your reasoning either way (EU AI Act Art. 6(4)).

    4. Assign an internal owner for each high-risk AI system. Someone needs to be accountable for each system’s compliance journey.

    April 2026: Risk Management and Data Governance

    Objective: Build the risk management system required by Art. 9 and assess your data practices.

    1. Establish your risk management system. Art. 9 requires a “continuous iterative process” running throughout the AI system’s lifecycle. Start by identifying known risks, estimating their severity and probability, and documenting existing mitigation measures.

    2. Audit your training data. Art. 10 requires that training, validation, and testing datasets be relevant, representative, free of errors, and complete. Assess whether your datasets meet these requirements. If you use vendor-provided AI, request documentation from your vendor about their data governance practices.

    3. Begin technical documentation. Art. 11 and Annex IV specify what technical documentation must contain. Starting now gives you time to fill gaps. Do not aim for perfection; aim for a working draft you can refine.

    4. Map your vendor obligations. If you deploy AI systems from third-party providers, identify which obligations fall on you as deployer and which fall on the provider. The AI Act distributes obligations across the value chain (EU AI Act Art. 25-27).

    May 2026: FRIA, Human Oversight, and Transparency

    Objective: Complete your Fundamental Rights Impact Assessment and design human oversight processes.

    1. Conduct your FRIA if you are a covered deployer (public bodies, public-service providers, credit scoring and insurance pricing deployers). Use our FRIA template guide as a working framework until the AI Office publishes the official template. Art. 27 requires this assessment to be completed before first use of the system.

    2. Design human oversight mechanisms. Art. 14 requires that high-risk AI systems be designed so that natural persons can effectively oversee them during use. Define who oversees each system, what decision authority they have, and how they can override or reverse outputs.

    3. Prepare transparency documentation. Art. 13 requires instructions for use that enable deployers to interpret outputs and use the system appropriately. If you are a provider, draft these instructions. If you are a deployer, request them from your provider.

    June 2026: Conformity Assessment and QMS

    Objective: Complete or substantially advance your conformity assessment and quality management system.

    1. Determine your conformity assessment path. Most Annex III systems use internal self-assessment (EU AI Act Art. 43(2)). Biometric identification systems used by law enforcement require third-party assessment by a notified body (EU AI Act Art. 43(1)). Note: no notified bodies have been formally designated under the AI Act as of March 2026.

    2. Document your quality management system. Art. 17 requires a QMS covering your entire AI lifecycle. If you already have ISO/IEC 42001 certification, it provides a useful starting point, though it does not grant presumption of conformity under the AI Act.

    3. Prepare your EU declaration of conformity. Art. 47 and Annex V specify the template. Have a draft ready for each high-risk system.

    July 2026: Testing, Registration, and Final Checks

    Objective: Test your systems, attempt EU database registration, and close compliance gaps.

    1. Conduct accuracy, robustness, and cybersecurity testing. Art. 15 requires appropriate levels of all three. Document your testing methodology, results, and any limitations identified.

    2. Register in the EU database. Art. 49 requires registration before market placement. The database is not yet publicly accessible as of March 2026, but monitor the AI Office website for launch announcements.

    3. Establish your post-market monitoring system. Art. 72 requires documented monitoring of AI system performance after deployment. Define what you will monitor, how often, and what triggers a corrective action.

    4. Run an internal audit. Walk through each Article 9-15 obligation against your documentation. Identify remaining gaps and assign owners with deadlines.

    5. Brief your leadership. The compliance deadline is real. Ensure senior management understands the state of readiness and any residual risks.

    August 2026: Enforcement Begins

    On August 2, 2026, market surveillance authorities gain the power to inspect, request information, and impose corrective measures on high-risk AI systems. This does not mean enforcement actions begin on day one. Authorities will need time to build capacity, and early enforcement will likely focus on the most visible violations. But the legal liability exists from this date.

    If you have followed the steps above, you will have: a documented AI system inventory, risk classifications with reasoning, a risk management system, data governance documentation, technical documentation drafts, human oversight procedures, a FRIA (if required), a conformity assessment, a QMS, and a post-market monitoring plan. Not all of these will be perfect. The goal is documented, good-faith progress.


    Missing Pieces: Guidelines the Commission Has Not Published

    Organizations face a structural problem: the deadline is fixed, but several tools needed for compliance are not available. This section tracks what is missing and what to do in the meantime.

    Art. 6(2) Classification Guidelines — OVERDUE

    What they are: Commission guidelines explaining when a high-risk classification does *not* apply to an Annex III system because it does not pose a “significant risk of harm” to health, safety, or fundamental rights.

    When they were due: February 2, 2026 (EU AI Act Art. 6(5)).

    Current status: Not published as of March 24, 2026.

    What to do now: Treat your Annex III systems as high-risk unless you have strong, documented reasons to believe the exception applies. Record your reasoning per Art. 6(4). When guidelines are published, review and adjust your classification. Civil society organizations including AccessNow and AlgorithmWatch have argued the exception should be interpreted narrowly; industry groups favor a broader reading. Until the Commission speaks, this remains an open question. See the Art. 6(3) section in our Annex III classification guide for the full debate.

    FRIA Template — NOT PUBLISHED

    What it is: The mandatory questionnaire format for Fundamental Rights Impact Assessments.

    Legal basis: The AI Office must develop this with the EU Fundamental Rights Agency (EU AI Act Art. 27(5)).

    Current status: In development. Not published as of March 24, 2026.

    What to do now: Use our FRIA template guide, which follows the Art. 27(1)(a)-(f) structure and draws on the FRA’s 2025 guidance report. When the official template is published, map your existing assessment to its format.

    Harmonised Standards — BEHIND SCHEDULE

    For the full picture of the EU AI Act standards crisis, see our dedicated standards analysis.

    What they are: Technical standards that, once referenced in the Official Journal, give providers a “presumption of conformity” with the corresponding AI Act obligations (EU AI Act Art. 40).

    Current status: The Commission’s standardisation request (C(2025)3871 / M/613) covers 10 key areas. CEN-CENELEC adopted exceptional acceleration measures in October 2025. The first standard, prEN 18286 (AI quality management systems), entered public enquiry on October 30, 2025, but failed its Enquiry vote in February 2026 after receiving 1,288 comments. It failed both the national member count and weighted population criteria. The scope was amended in March 2026 and a re-vote is pending, but realistic timelines now point to 2027 at earliest. No harmonised standard has been published as of April 2026.

    What to do now: Comply with the regulation text directly. Organizations are using ISO/IEC 42001 (AI management systems) and ISO/IEC 23894 (AI risk management) as interim frameworks. These do not grant presumption of conformity, but they provide structured approaches that align with the AI Act’s requirements. If harmonised standards are not ready by August 2, 2026, the Commission has the power to issue common specifications as a fallback under Art. 41. None have been issued so far.

    Additional Guidelines Not Yet Published

    Several additional sets of Commission guidelines are due before August 2, 2026 but have not appeared:

  • Practical application of high-risk requirements and value chain responsibilities (Art. 96(1)(a))
  • Substantial modification definition and practical application (Art. 96(1)(c))
  • Transparency obligations practical implementation (Art. 96(1)(d))
  • Copyright Directive compliance for GPAI training data (Art. 96(1)(e))
  • EDPB guidelines on GDPR-AI Act interplay (in preparation with AI Office)
  • The Commission has published 4 of approximately 50 required secondary measures. That is 8%. This is the structural gap behind the compliance uncertainty.


    Penalties for Non-Compliance

    The EU AI Act uses a three-tier penalty structure. All tiers apply from their respective enforcement dates.

    Violation Maximum Fine Article
    Prohibited AI practices (Art. 5) EUR 35 million or 7% of global annual turnover (whichever is higher) Art. 99(3)
    High-risk obligations (Art. 6-49) and GPAI obligations (Art. 51-55) EUR 15 million or 3% of global annual turnover Art. 99(4)
    Incorrect information to authorities EUR 7.5 million or 1% of global annual turnover Art. 99(5)

    For SMEs and startups, the regulation specifies that the lower of the two amounts applies (the fixed amount or the turnover percentage), rather than the higher (EU AI Act Art. 99(6)). This is a meaningful difference for smaller organizations.

    Enforcement will be split. National market surveillance authorities handle high-risk AI system compliance. The AI Office handles GPAI model enforcement at EU level. The practical question is how aggressively authorities will enforce in the early months. GDPR enforcement history suggests a ramp-up period, but that is not guaranteed.


    What to Do Next

    If you have read this far, here are the immediate next steps. (For a comparison with how Asia-Pacific jurisdictions are approaching AI regulation, see our Vietnam AI Law guide and South Korea AI Basic Act guide.), ordered by priority:

    1. Classify your AI systems. Read our Annex III classification guide and determine which of your AI systems are high-risk. This is the single most important step because everything else depends on it.

    2. Start your FRIA if required. If you are a public body, public-service provider, or use AI for credit scoring or insurance pricing, use our FRIA template guide to begin your Fundamental Rights Impact Assessment.

    3. Begin documentation. Even without harmonised standards, you can start building technical documentation per Annex IV. Incomplete documentation that you improve over time is better than no documentation on August 2.

    4. Monitor the Digital Omnibus. Watch for trilogue developments. If the deadline shifts, you will have a head start. If it does not, you will be ready.

    5. Bookmark this page. We update it monthly. As Commission guidelines are published, standards progress, and the Digital Omnibus moves through the legislative process, this page will reflect the current state.

    Future articles in this series will cover conformity assessment procedures, a compliance checklist for high-risk AI providers, and sector-specific guidance. We will link them here as they publish.


    *Disclaimer: This content is for informational purposes only and does not constitute legal advice. Organizations should consult qualified legal counsel for jurisdiction-specific compliance guidance.*

    *Last verified: 2026-04-09*


    Sources

    Official Sources

  • EU AI Act — Regulation (EU) 2024/1689, full text — Last accessed: 2026-03-24
  • European Commission, AI Act standardisation and implementation page — Updated: 2026-03-11
  • European Commission, Digital Omnibus proposal — Published: 2025-11-19
  • European Commission, Guidelines on AI system definition — C(2025) 924, updated as C(2025) 5053 — Published: February 2025, updated July 2025
  • European Commission, Guidelines on prohibited AI practices — Published: February 2025
  • European Commission, GPAI Guidelines — Published: July 18, 2025
  • GPAI Code of Practice, final text — Published: July 10, 2025
  • Directive (EU) 2024/2853 on Product Liability — Transposition deadline: December 9, 2026
  • CEN-CENELEC AI standardisation acceleration measures — Adopted: October 2025
  • Analysis & Commentary

  • EU Fundamental Rights Agency, “Assessing High-risk AI” (2025) — FRIA methodology and baseline findings
  • EDPB letter to AI Office on GDPR-AI Act interplay — Joint guidance in preparation
  • AccessNow, consultation response on Art. 6 high-risk classification — Narrow interpretation position
  • artificialintelligenceact.eu — Article-by-article analysis — Ongoing reference
  • Data Sources

  • European Commission, AI Act implementation scorecard: 4 of ~50 secondary measures published as of March 2026 — Source: cross-reference of implementing acts tracker
  • CEN-CENELEC standardisation request C(2025)3871 / M/613: 10 technical areas, 1 standard in enquiry — Source: digital-strategy.ec.europa.eu
  • Disclaimer

    This content is for informational and educational purposes only. It does not constitute legal advice. AI regulation varies by jurisdiction and changes frequently. Consult qualified legal counsel for advice specific to your organization’s circumstances and jurisdiction. Reg Intel is not a law firm and does not provide legal services.


    The Weekly Brief

    5 AI regulation developments that matter. Every Tuesday.

    Reg Intel
    Published: March 24, 2026 · Updated: April 9, 2026 · Jurisdictions: European Union
    Source: https://reg-intel.com/august-2026-deadline/