On August 2, 2026, the main body of the EU AI Act becomes applicable: obligations for high-risk AI systems listed in Annex III, transparency duties for chatbots and AI-generated content, deployer duties, registration, and national enforcement with fines. This checklist covers what to verify before that date.
EU AI Act August 2026 Deadline: What Applies and Compliance Checklist
What Happens on August 2, 2026
August 2, 2026 is the date on which Regulation (EU) 2024/1689 becomes applicable in general. The bans on prohibited practices and the AI literacy duty have already applied since February 2, 2025, and the rules for general-purpose AI models since August 2, 2025. What switches on in August 2026 is everything else that matters to most businesses: the full set of requirements for high-risk AI systems under Annex III, the transparency obligations of Article 50 for chatbots, deepfakes, and synthetic content, the deployer obligations of Article 26, the registration duty in the EU database, and, critically, enforcement. From this date, national market surveillance authorities must be in place and the penalty regime applies to the newly applicable obligations. The only major piece arriving later is the extended deadline of August 2, 2027 for high-risk AI that is a safety component of products covered by existing EU product legislation, such as medical devices and machinery.
Who Should Care About This Deadline
Three groups should treat August 2026 as a hard project deadline. Providers of high-risk AI systems, because conformity assessment, documentation, and registration take months to prepare. Deployers of high-risk AI, such as any employer using AI for recruitment, performance evaluation, or task allocation, because oversight and information duties begin then. And every business whose AI interacts with the public or generates content, because the transparency rules become enforceable. Businesses using only minimal-risk AI have little new to do beyond the literacy duty that already applies, but they should confirm that classification rather than assume it.
Checklist Part 1: Classification and Inventory
Work through these items first, because everything else depends on them.
| Item | What good looks like |
|---|---|
| AI inventory | A written list of every AI system developed, sold, or used, including AI features inside standard software |
| Role per system | Provider, deployer, importer, or distributor recorded for each entry |
| Risk classification | Each system mapped to prohibited, high-risk, limited-risk, or minimal-risk, with reasoning noted |
| Annex III check | Specific check against the high-risk use cases: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice |
| Prohibited practice check | Confirmation that nothing in use touches Article 5, completed and documented |
Checklist Part 2: Providers of High-Risk Systems
If you provide a high-risk system, verify each of the following before the deadline. A risk management system established and documented as a continuous process across the lifecycle. Training, validation, and testing data governed for quality, relevance, and bias. Technical documentation prepared in line with Annex IV before placing on the market. Automatic event logging built into the system. Instructions for use drafted so deployers can comply with their own duties. Human oversight measures designed into the system. Accuracy, robustness, and cybersecurity levels tested and declared. A quality management system in place. Conformity assessment completed, the EU declaration of conformity signed, and CE marking affixed. Registration in the EU database completed before placing on the market. Post-market monitoring and serious incident reporting procedures ready, with the fifteen-day reporting clock understood.
Checklist Part 3: Deployers of High-Risk Systems
Deployer duties are shorter but concrete. Assign human oversight to named, trained, supported individuals with authority to intervene. Use each system according to the provider's instructions for use. Ensure input data under your control is relevant and sufficiently representative for the intended purpose. Monitor operation and suspend use if you suspect a risk, informing the provider and authorities of serious incidents. Retain automatically generated logs for at least six months unless other law requires longer. Inform workers and their representatives before putting a high-risk workplace system into use. Where you make decisions about people, inform them that high-risk AI is involved, and apply the right to an explanation of individual decisions. Public bodies and certain private deployers, including those providing essential services and deployers of credit scoring and insurance pricing systems, must also complete a fundamental rights impact assessment before first use.
Checklist Part 4: Transparency and Everyone Else
Article 50 applies broadly from August 2026. Chatbots and other systems interacting with people must make clear, at the point of interaction, that the user is dealing with AI, unless it is obvious. Providers of systems generating synthetic audio, image, video, or text must mark outputs as artificially generated in a machine-readable way. Deployers publishing deepfakes must disclose the artificial origin, and deployers publishing AI-generated text to inform the public on matters of public interest must disclose generation unless there is human editorial review and responsibility. Also confirm organisation-wide items: the AI literacy programme is running, vendor contracts allocate AI Act responsibilities, and someone owns regulatory monitoring.
What Is Still Moving Before the Deadline
Some implementation pieces around the Act, such as harmonised standards and guidance documents, have been arriving gradually, and public debate has included calls to simplify or stagger parts of the framework. None of that changes the prudent planning assumption: the obligations described above apply from August 2, 2026, and businesses that wait for possible relief are gambling with their compliance posture. Track official announcements from the European Commission and your national authority, and adjust if and when the law itself changes, not before.
How to Use the Remaining Time
Count backwards from the deadline. Conformity assessment and documentation for providers typically need the most lead time, so they start first. Deployers can usually complete their duties in weeks rather than months, but vendor cooperation, gathering instructions for use, log access, and contract updates, often proves the slowest step, so request documents early. Whatever your role, the worst position in August 2026 is not imperfect compliance; it is having no inventory, no classification, and no paper trail showing you tried. Authorities distinguish between organisations that engaged with the law and organisations that ignored it.
Common Gaps Found in Readiness Reviews
Organisations that run pre-deadline reviews tend to find the same five gaps. First, shadow AI: tools adopted by individual teams that never reached the official inventory, especially AI features switched on inside existing SaaS products. Second, missing vendor documents: deployers who cannot produce instructions for use for the high-risk systems they operate, because nobody ever requested them. Third, oversight on paper only: a named human overseer who has had no training and no authority to halt the system, which fails the substance of the requirement. Fourth, logs that vanish: default retention settings shorter than six months, discovered only when someone checks. Fifth, transparency drift: chatbots that disclosed their nature at launch but lost the notice in a redesign. Each gap is cheap to fix when found early and awkward to explain when found by an authority, which is the entire argument for running your own review in advance.
A Suggested Countdown Plan
If you are starting close to the deadline, a compressed sequence still works. In the first two weeks, complete the inventory and classification and identify anything potentially prohibited or high-risk. In weeks three to six, deployers chase vendor documentation, set log retention, assign and train overseers, and draft worker and customer notices; providers triage documentation gaps and book conformity assessment capacity. In weeks seven to ten, run the fundamental rights impact assessment where required, finalise transparency wording on chatbots and generated content, and update contracts. In the final stretch, test the incident response path end to end, brief leadership on residual risks, and file evidence of everything in one place. Imperfect but documented progress before the deadline is a defensible position; a blank file is not.
Evidence to Have on File on Deadline Day
Think of August 2, 2026 as an audit snapshot and assemble the folder in advance. For every organisation: the AI inventory with risk classifications and reasoning, the AI literacy training records, and the vendor correspondence requesting compliance documents. For deployers of high-risk systems: the instructions for use received, the names and training records of oversight staff, the log retention configuration, copies of worker and individual notices, and any fundamental rights impact assessment. For providers: the technical documentation, the declaration of conformity, registration confirmation from the EU database, the quality management system description, and the post-market monitoring plan. None of these documents needs to be elaborate; all of them need to exist and carry dates before the deadline. A thin but genuine file beats a beautiful one created retroactively, and authorities are well practised at telling the difference. Store the folder where leadership can reach it, name an owner responsible for keeping it current, and add a recurring quarterly reminder to refresh the inventory, because the systems your teams use in August 2026 will not be the systems they use a year later, and a stale inventory fails almost as badly as a missing one.
Check your AI compliance readiness — free.
Take the Readiness Check 3 minutes · 10 questions · no signup requiredThis article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.