EU AI Act August 2026: What High-Risk AI Companies Must Have in Place
AI Law · Enforcement Deadline
EU AI Act August 2026: What High-Risk AI Companies Must Have in Place Before the Deadline
The Digital Omnibus delay has not passed into law. August 2, 2026 remains the operative enforcement date. Here is exactly what providers and deployers must demonstrate.
1
Provider vs deployer obligations
Articles 8–17 · Article 26 compared
2
Interactive readiness checklist
13 items · live score
3
76-day action plan
Week-by-week priorities
4
Book a readiness assessment
WCR Legal · AI Governance & Risk
5
Common questions
Digital Omnibus · FRIA · ISO 42001
!
Digital Omnibus warning
Not enacted · Do not plan around it
Section 1
Provider vs Deployer — Your Obligations Are Different
Your board asks: are we ready for August 2026? Legal cannot give a clean answer. The obligations under the EU AI Act for high-risk AI systems are substantial, split between providers and deployers, and require evidence — not intent. Our AI Governance & Risk practice runs readiness assessments for companies preparing for the August 2, 2026 enforcement date.
As of May 2026, 76 days remain to the operative deadline. The Digital Omnibus package that proposed delaying high-risk AI obligations to December 2027 has not been enacted into law. A political agreement was reached on 7 May 2026 — but the text must still complete the full legislative process before it binds anyone.
Digital Omnibus — Not Enacted
The Digital Omnibus package proposed delaying high-risk AI deadlines to December 2027. However, as of May 2026, this proposal has not been enacted into law. A political agreement was reached on 7 May 2026, but the text must still complete the legislative process including publication in the Official Journal. Planning around an unenacted delay is a material business risk. Treat August 2, 2026 as your operative deadline.
Provider
You develop and place the AI system on the market
Articles 8–17 · Article 43 · Article 71
Art. 9
Risk management system — documented, continuous, covering residual risks
Art. 10
Data governance — training, validation and testing data procedures documented
Art. 11
Technical documentation per Annex IV — complete before market placement
Art. 12
Automatic logging enabled — records retained by deployer minimum 6 months
Art. 13
Transparency and instructions for use — deployers must understand what they are deploying
Art. 14
Human oversight — system must be designed so a human can intervene, stop, or override
Art. 15
Accuracy, robustness and cybersecurity — tested and documented
Art. 17
Quality management system — policies, procedures, version control, post-market monitoring
Art. 71
EU AI database registration — mandatory before deployment in the EU
Enforcement deadline
2 August 2026
Deployer
You use the AI system in a professional context
Article 26
Art. 26(1)
Human oversight — implement the oversight measures designed by the provider into your operational processes
Art. 26(5)
Retain automatic logs generated by the system for at least 6 months
Art. 26(8)
Fundamental Rights Impact Assessment (FRIA) where required — public bodies and private entities deploying in listed contexts
Art. 26(7)
Inform and consult employee representatives before deploying AI systems that affect workers
Note
Deployers that modify a system’s purpose or retrain it take on provider obligations for those changes
Enforcement deadline
2 August 2026
Dual role — common in SaaS
Many SaaS companies are both providers AND deployers simultaneously — they develop a high-risk AI system and use it in their own operations. Each role carries separate, cumulative obligations. If you are unsure which role applies, see our EU AI Act high-risk SaaS classification guide before scoping your compliance programme.
Section 2
August 2026 Readiness Checklist — Click to Assess
Click each item to mark it complete. Your readiness score updates in real time. Use this as a gap analysis tool — anything unchecked is a gap that needs a plan before August 2.
August 2, 2026 compliance checklist
Click each item to mark it complete
0 / 13
Provider obligations — Articles 8–17, 43, 71 · 9 items
AI system inventory and Annex III risk classification completed
Foundation — nothing else can proceed without this
Risk management system (Article 9) implemented and documented
Continuous process — not a one-time document
Data governance procedures (Article 10) documented for training, validation and test data
Covers data provenance, bias testing, data quality measures
Technical documentation per Annex IV prepared and up to date
Must be kept current throughout the system lifecycle
Automatic logging and record-keeping configured (Article 12)
Logs must be retained by the deployer for at least 6 months
Human oversight mechanisms designed into the system (Article 14)
Human must be able to intervene, halt or override the system
Accuracy, robustness and cybersecurity testing completed (Article 15)
Results documented as part of technical documentation
Conformity assessment completed (Article 43)
Self-assessment for most Annex III systems — third-party for biometric + GPAI
EU AI database registration completed (Article 71)
Internal AI policy update required to reference registered systems
Deployer obligations — Article 26 · 4 items
Human oversight implemented in operational processes
Documented procedures — not just system-level design
Automatic logs retained for minimum 6 months
Log retention policy and technical implementation confirmed
Fundamental Rights Impact Assessment (FRIA) conducted where required
Public bodies and private entities in listed high-risk deployment contexts
Employee representatives informed and consulted before deployment
Applies where AI system affects workers — document the consultation
Need a structured gap analysis before August 2, 2026? WCR Legal runs readiness assessments that map your current position against all provider and deployer obligations — with a prioritised remediation plan.
Book a readiness assessment →
Section 3
76-Day Action Plan
76 days is enough time to complete a structured compliance sprint — if the work starts immediately. This plan is sequenced so each phase builds on the previous. Weeks 1 through 4 are triage and classification; weeks 5 through 10 are substantive compliance work; the final week is documentation and audit readiness.
7-phase sprint to August 2, 2026
Each phase is a prerequisite for the next — sequence matters
11 weeks
1
Weeks 1–2
AI system inventory + Annex III mapping
Identify every AI system in production or under development. Map each against the Annex III categories to determine whether high-risk classification applies. Document the mapping with evidence. Without a complete inventory, you cannot scope the compliance programme — this step cannot be skipped or abbreviated.
Output: written inventory with Annex III classification for each system, approved by legal and technical leads.
2
Weeks 3–4
Risk classification + Article 6(3) review
For each classified system, apply the Article 6(3) test: does the system pose a significant risk of harm to health, safety or fundamental rights? Confirm whether high-risk designation applies or whether an exemption is available. This review determines the scope of provider obligations for each system and should be done with legal counsel.
Output: legal memo per system confirming risk classification and applicable obligations.
3
Weeks 5–6
Risk management system + data governance documentation
Implement or formalise the Article 9 risk management system: document the risk identification process, mitigation measures, and residual risk acceptances. In parallel, document the Article 10 data governance procedures covering training data provenance, bias testing methodology, and data quality standards.
Output: risk management system documentation + data governance procedure documents, both approved and version-controlled.
4
Weeks 7–8
Technical documentation (Annex IV) + logging configuration
Prepare the Annex IV technical documentation for each high-risk system. This covers system description, design specifications, training data description, validation and testing procedures, and performance metrics. Simultaneously, configure and test automatic logging to confirm it captures the required data and that retention for at least 6 months is in place.
Output: Annex IV documentation package per system + logging configuration confirmation.
5
Weeks 9–10
Conformity assessment + human oversight implementation
Complete the Article 43 conformity assessment. For most Annex III systems this is a self-assessment against the requirements of Articles 8–15. Document the assessment outcome and any remediation steps taken. In parallel, confirm that Article 14 human oversight mechanisms are operationally implemented — not just designed — and that deployer-side processes are documented and trained.
Output: conformity assessment record + human oversight procedure documentation.
6
Weeks 10–11
EU database registration + internal AI policy update
Register high-risk systems in the EU AI database (Article 71) before deployment or, for already-deployed systems, by the deadline. Update your internal AI usage policy to reference registered systems, updated approved-tools lists, and any new human oversight procedures. Ensure contractor and vendor agreements are updated to require compliance.
Output: EU database registration confirmation + updated internal AI policy.
7
Week 11
Documentation audit — ready for regulatory scrutiny
Conduct a final documentation audit across all compliance outputs. The test is not whether work was done — it is whether you can demonstrate it to a regulator, notified body, or enterprise client on 48 hours’ notice. Confirm every required document exists, is current, is approved, is version-controlled, and is accessible to the right people.
Output: compliance evidence pack with index — the document you hand over if a market surveillance authority asks to see your compliance file.
This is not the full programme
The 76-day sprint covers the minimum required for Annex III compliance by August 2, 2026. An ongoing quality management system (Article 17), post-market monitoring, and incident reporting to national authorities are continuing obligations that extend beyond the deadline. For a full compliance programme covering these obligations, see our AI Governance & Risk services.
Book Your August 2026 Readiness Assessment
WCR Legal runs structured readiness assessments for high-risk AI providers and deployers. We map your current position against all obligations, identify critical gaps, and deliver a prioritised remediation plan with assigned ownership and deadlines.
Section 4
Common Questions on the August 2026 Deadline
Frequently asked questions
5 questions — what boards and legal teams ask most
5 questions
1
Has the Digital Omnibus delayed the August 2026 EU AI Act deadline?
+
Not yet. A political agreement on the Digital Omnibus was reached on 7 May 2026, which includes a proposal to delay high-risk AI obligations to December 2027 and August 2028. However, a political agreement is not enacted law — the text must complete the full legislative process including publication in the Official Journal. Until that happens, August 2, 2026 remains the operative enforcement date for high-risk AI systems under Annex III. Companies planning around an unenacted delay are taking a material regulatory risk.
2
What is the difference between a provider and a deployer under the EU AI Act?
+
A provider develops an AI system and places it on the market or puts it into service. A deployer uses an AI system under its own authority in a professional context. Providers carry the majority of obligations — including risk management, technical documentation, conformity assessment, and EU database registration. Deployers have lighter but still significant obligations: human oversight implementation, log retention for minimum 6 months, FRIAs where required, and informing employee representatives. Many SaaS companies are both simultaneously — they develop and deploy their own high-risk AI systems and carry both sets of obligations.
3
What happens if my AI system was already on the market before August 2026?
+
Systems placed on the market before August 2, 2026 are not automatically exempt. The AI Act applies to all high-risk AI systems in service on that date unless specific transitional provisions apply. For AI systems embedded in regulated products covered by Annex I (medical devices, machinery, vehicles), an extended transition applies until August 2028. For standalone Annex III systems — HR tools, credit scoring, education, access to essential services — August 2026 applies. See our EU AI Act high-risk SaaS classification guide for a full mapping.
4
What is a Fundamental Rights Impact Assessment (FRIA) and who needs one?
+
A FRIA is a structured assessment of how a high-risk AI system may affect fundamental rights — including privacy, non-discrimination, human dignity, and access to justice. Deployers must complete FRIAs when deploying high-risk AI systems in specific contexts: public bodies, private entities providing public services, and deployments involving biometric data or decisions affecting access to essential services, employment, or education. The FRIA documents affected groups, potential harms, oversight measures, and residual risks. See our AI Governance & Risk practice for FRIA support.
5
Can I use ISO 42001 to demonstrate EU AI Act compliance?
+
ISO 42001 can support your compliance programme — particularly for quality management (Article 17) and risk management (Article 9) obligations. However, it is not a direct substitute for EU AI Act conformity assessment. No harmonised standards under the AI Act have been published in the Official Journal as of May 2026, which means the presumption of conformity mechanism is not yet available. ISO 42001 certification demonstrates AI governance maturity and is a positive signal to regulators and enterprise clients — but it does not satisfy the Article 43 conformity assessment requirement on its own. See our NIST / ISO 42001 / EU AI Act services.
Post Comment