
EU AI Act: the August 2026 deadline is two months away. What your organisation needs to do now

The EU AI Act applies to your organisation right now, whether or not you build AI. Any business that uses AI to make or support decisions about people carries legal obligations under the Act. If you use AI in hiring, performance management, credit assessment, biometric identification, or critical infrastructure, your compliance window closes in August 2026.

Cyvra Editorial Team
AI & Compliance Practice
22 June 2026
Key takeaways

  • August 2026 is the enforcement deadline for high-risk AI systems under Annex III, two months away
  • High-risk categories include hiring, credit scoring, biometrics, critical infrastructure, education, and law enforcement
  • Organisations that use AI (deployers) carry distinct legal obligations, separate from those of their AI vendors (providers)
  • Fines reach up to 35 million euros or 7% of global turnover for the most serious violations
  • A structured four-week sprint can bring most organisations into a defensible compliance position

Where the enforcement timeline stands

The EU AI Act entered into force on 1 August 2024. Since then, enforcement has been rolling out in three distinct waves. The first wave, which took effect in February 2025, banned a defined set of AI practices outright: social scoring systems operated by public authorities, real-time biometric surveillance in public spaces (with narrow exceptions), AI designed to exploit psychological vulnerabilities, and systems that scrape facial images from the internet to build recognition databases.

The second wave landed in August 2025. Providers of general-purpose AI models such as OpenAI's GPT-4, Anthropic's Claude, and Google's Gemini became subject to new transparency and copyright compliance requirements. These obligations sit on the model developers themselves, not on the businesses that access those models via API.

The third wave, arriving in August 2026, is the one that affects most commercial organisations. This is the deadline for high-risk AI systems under Annex III of the Act. Annex III covers the AI tools with the greatest potential to affect people's lives: who gets hired, who receives credit, who is identified by biometrics, who receives social benefits, and how critical infrastructure operates.

The timeline at a glance:

  • August 2024: AI Act enters into force. Regulation published and binding; the two-year transition period begins.
  • February 2025: Prohibited AI systems banned. Social scoring, real-time biometric surveillance in public spaces, and manipulation-based AI become illegal.
  • August 2025: GPAI model obligations apply. Providers of general-purpose AI models must comply with transparency and copyright rules.
  • August 2026 (DEADLINE): High-risk AI (Annex III) must comply. All high-risk AI systems must meet full conformity requirements. This is the deadline that affects most commercial organisations.
  • 2027 onwards: Remaining provisions. Additional obligations for certain embedded AI systems and product safety integrations come into effect.

Is your AI use high-risk? What Annex III covers

Annex III of the EU AI Act lists eight categories of high-risk AI use. The list is broader than most organisations expect. You do not need to build machine learning models to fall under it. A third-party software tool that automates or materially influences a decision in any of these categories places you in scope as a deployer.

The eight categories are:

  • Biometric identification and categorisation of natural persons, including remote identification systems and emotion recognition tools
  • Critical infrastructure management, including AI used in electricity, water, gas, transport, and digital infrastructure operations
  • Education and vocational training, including AI that determines access to educational institutions or assesses students (automated exam scoring, admission ranking)
  • Employment, worker management, and access to self-employment, including CV screening, recruitment ranking, performance monitoring, and promotion or dismissal decisions supported by AI
  • Essential private services, including AI used in credit scoring, insurance risk assessment, life and health insurance underwriting
  • Law enforcement, including AI used for risk assessment of individuals, profiling, evidence evaluation, and crime analytics
  • Migration, asylum, and border control management, including risk assessment of visa applicants and detection of document authenticity
  • Administration of justice and democratic processes, including AI that assists courts in researching or applying the law

The employment and essential services categories catch more commercial organisations than any other. If your HR platform ranks job applicants, if your CRM scores customers for credit risk, or if your performance management software assigns productivity ratings to workers, you are operating a high-risk AI system under Annex III.

The Act is largely directed at organisations that use AI to make consequential decisions about people, not at the companies that build it. Most affected organisations are buyers and users of third-party AI tools.

What high-risk AI systems must have in place by August 2026

High-risk AI systems must do more than produce accurate outputs. Each one must operate within a documented, auditable framework. The Act specifies eight mandatory requirements.

Providers (those who develop and market the systems) bear primary responsibility for building these requirements into the system. Deployers (organisations that use the systems) must operate within those constraints and meet their own obligations around deployment and monitoring.

The eight technical and governance requirements are:

  1. Risk management system. A continuous, documented process for identifying and mitigating risks throughout the AI system's lifecycle. This is not a one-time assessment; it must be maintained and updated as the system evolves.
  2. Data governance. Documentation of the training, validation, and testing data used to build the system. Data must be relevant, representative, and free from errors that could lead to discriminatory outputs.
  3. Technical documentation. A detailed technical file describing the system's design, development, and capabilities. This documentation must be available to national supervisory authorities on request.
  4. Automatic logging. The system must generate audit logs that record each decision or output, enabling retrospective review of how specific outcomes were reached.
  5. Transparency and information to deployers. Providers must supply deployers with documentation that enables them to understand the system, use it correctly, and comply with their own obligations.
  6. Human oversight. High-risk AI systems must be designed to allow human review and override. A human must be able to intervene, correct, or halt the system. Fully automated decisions without human oversight are not compliant for most high-risk categories.
  7. Accuracy, robustness, and cybersecurity. Systems must meet defined levels of accuracy. They must be resilient against attempts to manipulate outputs (adversarial attacks) and must protect the data they process.
  8. EU declaration of conformity and CE marking equivalent. Providers must issue a formal declaration that the system meets Act requirements. Systems must be registered in the EU AI database before deployment.
Key point

The EU database for high-risk AI systems is a public registry. Before any high-risk AI system can be deployed in the EU, its provider must register it. Deployers should confirm with their vendors that all tools they use are registered and have valid conformity declarations before August 2026.

Your duties as a deployer versus what your AI vendor must handle

The Act draws a clear line between providers and deployers. Knowing where that line sits prevents both duplicated effort and dangerous gaps in your compliance position.

Providers are responsible for: building risk management and data governance into the system itself, creating and maintaining technical documentation, ensuring the system logs its decisions, issuing the EU declaration of conformity, registering the system in the EU AI database, and providing deployers with clear instructions for use.

Deployers are responsible for: using the system in accordance with the provider's instructions and the Act's requirements, conducting their own risk assessment for how the system is used in their specific context, implementing the human oversight measures the provider specifies, informing employees when AI systems are used to monitor or assess their performance, carrying out fundamental rights impact assessments where relevant, and keeping records of their use of the system for at least 10 years.

Many AI tools on the market were not built with EU AI Act compliance in mind. If your vendor cannot provide a valid EU declaration of conformity and a complete technical documentation package by August 2026, you have two options: work with the vendor to obtain compliance documentation, or stop using the tool for regulated purposes until compliance is demonstrated.

Important

Do not assume your AI vendor is handling compliance. Many vendors, including those based outside the EU, have not begun their conformity process. Ask for evidence now. A vendor's assurance that they are "working on compliance" is not a defensible position once enforcement begins.

The fine structure

The EU AI Act uses the same tiered penalty model as GDPR: maximum fines are the higher of a fixed euro amount or a percentage of global annual turnover. Executives who authorise non-compliant deployments face personal accountability alongside the corporate fine.

  • Prohibited AI violations (Article 5): up to 35 million euros or 7% of global annual turnover, whichever is higher
  • High-risk AI non-compliance (Annex III obligations not met): up to 15 million euros or 3% of global annual turnover, whichever is higher
  • Incorrect information to authorities: up to 7.5 million euros or 1.5% of global annual turnover, whichever is higher

For a company with one billion euros in global revenue, a high-risk compliance failure carries a maximum fine of 30 million euros. National supervisory authorities in each EU member state enforce the Act. The GDPR precedent suggests that the largest fines will target systematic failures or cases where individuals were harmed, but early enforcement decisions will determine how hard authorities push.

A four-week sprint to get ready

Two months is not enough time to build a mature AI governance programme from scratch. It is enough time to reach a defensible compliance position for the tools that matter most. This sprint assumes wholesale redesign of AI systems is no longer feasible and focuses on the actions that cut regulatory risk fastest.

Week 1: Build your AI inventory

Ask every business unit one question: what software do we use that makes or recommends decisions about people? Include HR platforms, recruitment tools, CRM systems with lead or credit scoring, workforce management software, fraud detection tools, and customer service routing systems. For each tool, record the vendor, the specific use case, and which Annex III category it falls into.

Week 2: Classify and prioritise

For each AI system in your inventory, determine whether it meets the Annex III definition of high-risk. Not every automated tool qualifies. A chatbot that routes customer queries does not qualify. A system that ranks job applicants or scores customers for loan eligibility does. Prioritise the high-risk systems for immediate action. Bring in your legal or compliance team to confirm classifications where doubt remains.

Week 3: Engage vendors and review documentation

Contact each vendor of a high-risk AI system and request three documents: the EU declaration of conformity, the technical documentation package for deployers, and confirmation that the system is registered in the EU AI database. Log all vendor communications in writing. If a vendor cannot produce these documents, escalate internally and decide whether continued use of that tool is acceptable given your risk appetite.

Week 4: Document human oversight and start logging decisions

For each high-risk AI system in use, write down the human oversight process: who reviews AI outputs, how they can override the system, and how those override decisions are recorded. Notify affected employees in writing where any system monitors or evaluates their performance. Start logging AI-assisted decisions in a retrievable format. Assign a named owner for each system's ongoing compliance.
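As an added illustration of the Week 4 logging and oversight steps (example code written for this article, not Cyvra's tooling or any vendor's product), a small Python decision log that records each AI-assisted decision together with who reviewed it and whether they departed from the system's output, and chains the records with SHA-256 so that a record altered or removed after the fact is detectable at audit time. The field names, the digest-of-inputs approach and the hash chain are assumptions; the Act prescribes no particular schema.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

def digest(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

@dataclass
class DecisionRecord:  # field set is an assumption; the Act prescribes no particular schema
    timestamp: str
    system: str              # deployed tool and version, e.g. "cv-screener-v2"
    annex_iii_category: str  # e.g. "employment"
    subject_ref: str         # pseudonymous reference, not the person's raw data
    input_digest: str        # SHA-256 of the inputs the AI saw, so the basis can be re-checked
    ai_output: str           # what the system recommended
    reviewer: str            # the human who reviewed it
    final_decision: str      # what was actually decided after review
    override_reason: str     # "" when the reviewer accepted the AI output, else the reason
    prev_hash: str           # hash of the previous record; DecisionLog.GENESIS for the first
    record_hash: str = ""

class DecisionLog:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: list[DecisionRecord] = []

    def _hash(self, rec: DecisionRecord) -> str:
        # Covers every field except the hash itself; including prev_hash is what forms the chain.
        return digest({k: v for k, v in asdict(rec).items() if k != "record_hash"})

    def record(self, system: str, category: str, subject_ref: str, inputs: dict, ai_output: str,
               reviewer: str, final_decision: str, override_reason: str = "") -> DecisionRecord:
        # An override without a documented reason cannot be reconstructed later: refuse it.
        if final_decision != ai_output and not override_reason:
            raise ValueError("human override must carry a documented reason")
        rec = DecisionRecord(
            timestamp=datetime.now(timezone.utc).isoformat(), system=system, reviewer=reviewer,
            annex_iii_category=category, subject_ref=subject_ref, input_digest=digest(inputs),
            ai_output=ai_output, final_decision=final_decision, override_reason=override_reason,
            prev_hash=self.records[-1].record_hash if self.records else self.GENESIS)
        rec.record_hash = self._hash(rec)
        self.records.append(rec)
        return rec

    def verify_chain(self) -> bool:
        # True only if no record was altered, dropped or reordered since it was written.
        expected_prev = [self.GENESIS] + [r.record_hash for r in self.records[:-1]]
        return all(r.prev_hash == p and self._hash(r) == r.record_hash
                   for r, p in zip(self.records, expected_prev))

    def overrides(self) -> list[DecisionRecord]:
        return [r for r in self.records if r.final_decision != r.ai_output]
```

overrides() returns exactly the records a reviewer would ask for as evidence that human oversight was exercised, and verify_chain() is the check to run before handing the log to anyone.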

Where to focus before August

The August 2026 deadline is fixed, and the obligations are not optional. Compliance does not mean abandoning the AI tools that generate value. It means operating them with documentation, oversight, and accountability that most organisations have not yet formalised.

Inaction creates two distinct risks. Regulators can fine you once enforcement begins. And if an AI-supported decision harms an individual and you cannot show appropriate safeguards were in place, you face civil liability on top of regulatory penalties.

Two months is enough to reach a defensible position: an AI inventory classified against Annex III, vendor conformity documentation confirmed, human oversight procedures written down, and key decisions logged. A mature AI governance framework takes longer, but it starts from exactly that foundation.

  • Complete an AI inventory across all business functions before the end of July
  • Classify each AI use against Annex III and confirm scope with legal or compliance counsel
  • Request EU conformity documentation from every vendor of a high-risk AI system in writing
  • Document human oversight procedures for every high-risk AI tool currently in use
  • Notify employees in writing where AI systems assess or monitor their performance
  • Begin logging AI-assisted decisions with sufficient detail to reconstruct the basis for each outcome
  • Assign a named owner for each high-risk AI system and schedule a review date for ongoing compliance

How Cyvra helps with EU AI Act compliance

Cyvra helps deployers (organisations using AI in their operations) identify which systems fall under Annex III, build the documentation package those systems require, and establish the human oversight processes the regulation demands. Our focus is your obligations, not your AI vendor's.

  • AI system inventory: catalogue every AI tool in use across your organisation, including embedded AI features in software your IT team approved for other purposes
  • Annex III classification: assess each system against the eight high-risk categories and document the reasoning in a format regulators can audit
  • Vendor documentation review: confirm your AI providers have supplied the required technical documentation and conformity declarations, and identify where they have not
  • Human oversight design: build the processes and controls that high-risk AI deployments must have in place before August 2026
  • ISO 42001 alignment: map your AI Act compliance work to the ISO 42001 AI management system standard, producing a single audit-ready framework rather than two parallel compliance exercises

Talk to our AI practice or compliance team about what the August 2026 deadline means for your specific AI use cases.

Frequently asked questions

Does the EU AI Act apply to my organisation if we are not an AI company?

Yes. If your organisation uses AI systems in any of the Annex III categories such as HR, hiring, credit scoring, biometrics, or critical infrastructure, you are a deployer under the Act and have legal obligations. You do not need to build or sell AI to be in scope. The majority of affected organisations are users of third-party AI tools, not AI developers.

What is the difference between a provider and a deployer under the EU AI Act?

A provider develops and places an AI system on the market. A deployer is any organisation or person that uses an AI system under their own authority in a professional context. If you buy a CV screening tool from a vendor and use it in your HR process, your vendor is the provider and you are the deployer. Both carry obligations, but they differ. Providers must build in conformity requirements; deployers must conduct risk assessments, implement human oversight, and inform employees when AI monitors their performance.

What are the fines for breaching the EU AI Act?

Fines depend on the type of violation. Using prohibited AI systems can result in fines of up to 35 million euros or 7% of global annual turnover, whichever is higher. Non-compliance with high-risk AI obligations under Annex III carries fines of up to 15 million euros or 3% of turnover. Providing incorrect or misleading information to supervisory authorities can result in fines of up to 7.5 million euros or 1.5% of turnover.

Does using ChatGPT or Claude via API make us subject to the GPAI provisions?

If you access a general-purpose AI model via API for your own internal use, you are a deployer rather than a GPAI provider. GPAI obligations fall on the model developers such as OpenAI, Anthropic, and Google. However, if you integrate a GPAI model into a product or system that others use, your obligations may increase. Deployers who build on top of GPAI models need to assess whether the resulting system constitutes a high-risk AI system under Annex III.

Talk to Cyvra

Two months to the August deadline. Start with your AI inventory.

Our AI and compliance practice helps you build your inventory, classify Annex III exposure, and confirm vendor documentation before enforcement begins.

Disclaimer: This article is for general informational purposes only and does not constitute legal, regulatory, or professional advice. Cyvra makes no warranty as to the accuracy or completeness of this content. Readers should seek independent legal advice appropriate to their specific circumstances. Cyvra accepts no liability for any loss arising from reliance on this content.