EU AI Act August 2026 Deadline: What Your Company Needs to Do Now

With four months until the EU AI Act’s full enforcement date of August 2, 2026, most European mid-market companies are behind on compliance — and few are fully aware of what that actually means for their operations. This guide covers what the deadline requires, who is affected, and the concrete steps you need to take right now.

What the August 2, 2026 Deadline Actually Means

The EU AI Act follows a phased enforcement timeline. The prohibition on unacceptable-risk AI systems took effect in February 2025. Rules for general-purpose AI models applied from August 2025. But August 2, 2026 is the critical date for high-risk AI systems — the category that covers a broad range of enterprise software used across HR, finance, operations, and customer-facing functions.

After this date, any organization placing a high-risk AI system on the EU market or putting it into service must demonstrate full compliance. Market surveillance authorities will have the power to inspect, audit, and penalize non-compliant systems. This is not a grace period — it is the end of one.

Importantly, the deadline is not just for AI developers. Deployers — companies using AI systems built by third parties — carry their own set of obligations, including conducting fundamental rights impact assessments, ensuring human oversight, and maintaining logs of system operation.

Which Companies Are Affected

The EU AI Act applies to any organization that:

• Develops or deploys AI systems used in the EU, regardless of where the organization is headquartered
• Imports or distributes AI systems that fall within the regulation’s scope
• Uses AI in high-risk contexts, even when the underlying model is provided by a vendor

For mid-market companies (50–3,000 employees), the most common triggers are AI systems used in:

• Human resources — recruitment screening tools, performance evaluation software, workforce analytics platforms
• Customer creditworthiness or financial decisions — credit scoring, loan eligibility tools, insurance pricing models
• Access to essential services — AI that determines eligibility for benefits, housing, or public utilities
• Safety-critical operations — AI embedded in physical infrastructure, industrial equipment, or medical device software

If your company uses any third-party software with embedded AI for these purposes — including platforms like Workday, SAP SuccessFactors, Salesforce, or custom-built tools — the deployer obligations apply to you, not just to the vendor.

The Consequences of Non-Compliance

Fines under the EU AI Act are structured by violation severity:

• Prohibited AI systems: up to €35 million or 7% of global annual turnover, whichever is higher
• Other high-risk system violations: up to €15 million or 3% of global annual turnover
• Providing incorrect information to authorities: up to €7.5 million or 1% of global annual turnover

Beyond financial penalties, non-compliant systems can be ordered off the market, which carries significant operational and reputational consequences. For mid-market companies, a 3% global turnover fine on €100M revenue is €3 million — not an abstract risk.

National competent authorities are already establishing their enforcement units. Germany’s Federal Network Agency, France’s CNIL, and the Netherlands’ Autoriteit Persoonsgegevens have all signaled active enforcement intentions.

What You Need to Have in Place by August 2

1. Complete an AI System Inventory

You cannot classify, document, or monitor what you have not identified. Start by cataloguing every AI system your organization uses or deploys — both internally built and third-party. For each system, record: its purpose, the vendor or developer, the data it processes, and the decisions it influences.

This inventory is not a one-time exercise. Systems change, vendors update their models, and new tools get adopted outside formal IT procurement. Establish a process for ongoing discovery.

2. Classify Each System by Risk Tier

Once you have an inventory, each system must be assessed against the EU AI Act’s risk classification framework. High-risk systems trigger the most significant compliance obligations. Understanding which of your systems fall into this category — and which common systems are misclassified as lower risk — is the essential second step.

3. Produce Technical Documentation for High-Risk Systems

High-risk AI systems require detailed technical documentation under Annex IV of the EU AI Act. This includes general system descriptions, data governance records, testing and validation methodology, human oversight provisions, and post-market monitoring plans. For a full breakdown, see our Annex IV documentation checklist.

Many companies underestimate the documentation burden. A single high-risk system can require 40–80 pages of structured documentation that must be kept current throughout the system’s lifecycle.

4. Implement Ongoing Compliance Monitoring

Static documentation is not enough. The EU AI Act requires deployers to monitor AI systems in operation, log interactions where required, report serious incidents to authorities, and update documentation when systems change. This means compliance is an operational function, not a project.

A 4-Step Action Plan for the Next 120 Days

Weeks 1–3: Discovery Conduct a full AI system inventory across all departments. Include systems embedded in SaaS tools. Assign ownership of each system to a named individual or team.

Weeks 4–6: Classification Assess each identified system against the Annex III high-risk categories. Determine your obligations as provider, deployer, or both. Use a structured tool or take our risk quiz to get an initial read on your exposure.

Weeks 7–12: Documentation For each high-risk system, begin producing Annex IV-compliant technical documentation. For systems where you are the deployer, request documentation from providers and conduct your fundamental rights impact assessment.

Weeks 13–16: Operationalize Establish logging and monitoring for high-risk systems. Train relevant staff on human oversight requirements. Set up an incident reporting process. Assign ongoing documentation maintenance responsibilities.

Don’t Wait Until July

Regulatory deadlines in Europe consistently see a surge of last-minute compliance attempts — and those companies consistently face avoidable problems: incomplete documentation, rushed risk assessments, and missed obligations. The August 2, 2026 deadline will not be extended.

The practical window for meaningful compliance work is now. Companies that begin their risk classification and documentation process in April and May will have enough time to address gaps before August. Companies that wait until June will be scrambling.

Not sure where your AI systems sit on the risk spectrum? Take the Aikraft Risk Quiz and get a preliminary classification of your AI systems in under 10 minutes — no signup required.