EU AI Act · deadline 2 August 2026
EU AI Act: the obligations that apply from 2 August 2026
20 days left until the deadline for high-risk AI systems.
On 2 August 2026 the core obligations of the EU AI Act (Regulation (EU) 2024/1689) for high-risk AI systems under Annex III become applicable. Anyone who provides or deploys such systems must, from that day, be able to evidence risk management, documentation, human oversight and more. This guide summarises exactly what applies.
What happens on 2 August 2026?
The EU AI Act applies in phases. 2 August 2026 is the most important date for most companies, because the obligations for high-risk applications take effect then:
- 2. Feb 2025Prohibited practices & AI literacy
Art. 5 (prohibited AI) and Art. 4 (staff literacy) apply. - 2. Aug 2025GPAI & governance
Obligations for general-purpose AI models and the national authorities. - 2. Aug 2026 deadlineHigh-risk AI under Annex III
Chap. III (Art. 8–27): risk management, documentation, oversight, conformity assessment. - 2. Aug 2027High-risk under Annex I
AI embedded in regulated products (e.g. medical devices, machinery).
Obligations for high-risk AI systems (Art. 8–15)
Risk management · Art. 9
A continuous, documented process to identify and mitigate risks across the whole lifecycle.
Data governance · Art. 10
Training, validation and test data must be relevant, representative and as error-free as possible.
Technical documentation · Art. 11
Complete documentation per Annex IV that demonstrates conformity — before placing on the market.
Record-keeping · Art. 12
Automatic logging of events to ensure traceability of the system's operation.
Transparency · Art. 13
Deployers must be able to understand and correctly use the system — including instructions for use.
Human oversight · Art. 14
Humans must be able to effectively oversee the system and intervene (stop, override).
Accuracy & robustness · Art. 15
Appropriate accuracy, robustness and cybersecurity throughout the lifecycle.
Obligations for providers and deployers (Art. 16–27)
Beyond the requirements on the system itself, providers and deployers have organisational duties:
- Quality management system (Art. 17) — documented processes at the provider.
- Conformity assessment (Art. 43) and EU declaration of conformity (Art. 47) before market entry.
- CE marking (Art. 48) and registration in the EU database (Art. 49).
- Deployer duties (Art. 26): use as intended, oversight, log retention.
- Fundamental-rights impact assessment (Art. 27, “FRIA”) for certain public-sector deployers.
Fines: what does a breach cost?
up to €35M / 7%
Breach of prohibited practices (Art. 5) — the highest tier (Art. 99).
up to €15M / 3%
Breach of the high-risk obligations and other requirements.
up to €7.5M / 1%
Incorrect or incomplete information provided to authorities.
The higher of the fixed amount or the percentage of worldwide annual turnover applies.
EU AI Act, GDPR and DORA together
If your AI system processes personal data, the AI Act obligations apply on top of the GDPR (legal basis, DPIA under Art. 35 where relevant, automated decisions under Art. 22). For financial entities, DORA adds digital operational resilience. KomplAI checks all three frameworks in one run.
Frequently asked questions
Does the EU AI Act apply to small companies too?
What is a high-risk AI system?
What happens if I miss 2 August 2026?
Do I need to act already?
This guide is a factual orientation and does not replace legal advice. Citations refer to Regulation (EU) 2024/1689.