On August 2, 2026, the EU AI Act's high-risk system obligations become enforceable. Here's exactly what's required, of whom, and how it stacks up against the sectoral, principles-based, and registration-driven approaches in the US, UK, and China.
On August 2, 2026, the compliance obligations for "high-risk" AI systems under the EU AI Act become enforceable. This isn't a new headline — the regulation has been law since August 2024 — but it's the date the Act stops being a thing legal teams track and starts being a thing engineering teams have to build against. If you're shipping an AI-powered hiring tool, credit-scoring model, or education-assessment product into the EU market, this is the deadline that determines whether your product can keep shipping there.
Most coverage of the AI Act treats it as a monolith: "the EU regulated AI." It didn't. It built a risk-tiered system with different obligations, different deadlines, and different enforcement mechanisms depending on what your system does and who it affects. This piece is about the mechanics — what's actually required, of whom, by when — not the politics of whether the Act is a good idea.
The Act didn't take effect all at once. It's been rolling out in stages since it entered into force, and understanding where August 2026 sits in that sequence matters for scoping what's actually new.
| Date | What applies | Scope |
|---|---|---|
| Aug 1, 2024 | Regulation enters into force | Clock starts on all subsequent deadlines |
| Feb 2, 2025 | Prohibited practices (Art. 5) | Social scoring, manipulative/subliminal techniques, untargeted facial-recognition scraping, emotion inference in workplaces/schools, real-time biometric ID in public (with narrow law-enforcement exceptions) — all banned outright, no tier |
| Aug 2, 2025 | GPAI model obligations (Ch. V) | General-purpose AI model providers: technical documentation, downstream transparency, copyright policy, training-data summary; systemic-risk models (≈10^25 FLOPs training compute) get additional model evaluation, adversarial testing, and incident-reporting duties |
| Aug 2, 2026 | High-risk AI system obligations (Annex III) | Providers and deployers of AI used in employment, credit, education, law enforcement, migration, essential services, etc. |
| Aug 2, 2027 | High-risk obligations for regulated products (Annex I) | AI as a safety component in medical devices, machinery, toys, and other CE-marked product categories already regulated under existing EU product law |
So August 2026 is specifically about Annex III — the list of standalone AI use cases the Act deems high-risk because of their effect on people's rights, not because they're embedded in a regulated physical product. That second category (Annex I) gets another year, mostly because it has to interoperate with existing sectoral conformity regimes for medical devices and machinery.
The Act doesn't define high-risk by technology (it's not "any system using a neural network"). It defines it by use case. Annex III lists eight categories, and if your system falls into one of them, the high-risk obligations attach regardless of how sophisticated or simple the underlying model is:
A practical filter: if your AI feature makes or materially informs a decision about a person's job, credit, education, legal status, or access to a public service, assume it's in scope until a lawyer tells you otherwise. This catches a lot of "boring" B2B SaaS — applicant tracking systems, underwriting tools, proctoring software — that doesn't feel like frontier AI but sits squarely in Annex III.
"Provider" means whoever develops the system or has it developed and places it on the market under their name. If that's you, Article 8 through 17 require:
That last item is the one people underestimate the lead time on. Conformity assessment and documentation aren't things you retrofit in the two weeks before a deadline — Annex IV technical documentation alone is a substantial artifact, and building the underlying risk-management and data-governance processes it documents takes real engineering time.
The Act distinguishes providers from deployers (the organizations that use a high-risk system in their own operations, e.g., an HR department using a third-party screening tool). Deployer obligations under Article 26 are narrower but not nothing:
That last obligation is the one most likely to surprise product teams at fintechs and insurers specifically — it applies even if you bought the underlying model from someone else and did none of the training yourselves.
| Violation | Maximum fine |
|---|---|
| Prohibited practice (Art. 5) | €35M or 7% of global annual turnover, whichever is higher |
| Non-compliance with high-risk obligations, GPAI obligations, or other substantive requirements | €15M or 3% of global annual turnover |
| Supplying incorrect, incomplete, or misleading information to authorities | €7.5M or 1% of global annual turnover |
The percentages track global turnover, not EU revenue — the same structure GDPR uses, and deliberately so.
The EU is the only major jurisdiction that has legislated a comprehensive, cross-sectoral, binding AI-specific regime. Everyone else is either sectoral, principles-based, or still assembling the pieces.
| Jurisdiction | Approach | Mechanism | Binding? |
|---|---|---|---|
| EU | Comprehensive, risk-tiered horizontal law | AI Act — prohibitions, GPAI rules, high-risk conformity regime | Yes, directly applicable across member states |
| US | Sectoral + state patchwork, no federal AI-specific statute | Existing agency authority (FTC unfairness/deception, EEOC on algorithmic hiring bias) plus state laws (e.g., Colorado's consequential-decision AI law requiring impact assessments and reasonable-care duties, California disclosure statutes on training data and synthetic content) | Yes at state/sectoral level, no unified federal floor |
| UK | Principles-based, regulator-led, deliberately not a single AI Act | Five cross-sectoral principles (safety, transparency, fairness, accountability, contestability) applied by existing regulators (ICO, FCA, CMA, etc.); AI Security Institute focused on frontier model evaluation | Principles are guidance; enforcement rides on regulators' existing statutory powers |
| China | Registration and content-control focused | CAC algorithm registration, generative-AI service measures requiring security assessment and content labeling before public deployment | Yes, but scoped narrowly to specific service types rather than all AI use cases |
The practical consequence: a product that's compliant for the US market (reasonable-care documentation, some state-level impact assessments) is not automatically compliant for the EU, because the EU regime requires conformity assessment and CE marking as a market-access gate, not just a liability-defense posture. Teams building for both markets end up maintaining two different compliance artifacts even when the underlying risk controls overlap substantially.
If your product touches hiring, credit, insurance, education assessment, or public-service eligibility and you have or want EU users, the practical checklist as of this deadline is:
The Act's authors built in a two-year runway specifically so this wouldn't be a surprise. Whether that runway was long enough is a fair question — but as of August 2, 2026, it's no longer a hypothetical one.