EU AI Act compliance obligations for high-risk AI systems become fully enforceable on August 2, 2026.
Last night, trilogue negotiations between the European Parliament, Council, and Commission on the Digital Omnibus on AI — a package that would have delayed the EU AI Act’s high-risk AI compliance obligations until December 2027 — broke down after twelve hours of talks. A Cypriot official confirmed negotiations would resume next month. But here is the critical implication: until a formal agreement is reached and published in the Official Journal, the original EU AI Act compliance deadline remains in force. August 2, 2026 — fourteen weeks from today — is still the date on which the regulation’s high-risk AI system obligations become fully enforceable for systems classified under Annex III. Organizations that were waiting for the postponement to be confirmed before beginning their compliance programs are now in a materially more exposed position than they were a week ago.
The scale of that exposure is significant. According to industry analysis, 73 percent of European enterprises have not yet begun formal AI governance assessments. For organizations that deploy AI systems in credit scoring, fraud detection, insurance underwriting, recruitment, or law enforcement — all Annex III high-risk categories — the penalties for non-compliance under Article 99 reach €15 million or 3 percent of global annual turnover, whichever is higher. For a mid-tier bank, that is a material financial risk. For a fintech, it is existential.
Waiting for regulatory certainty is not a compliance strategy. This article sets out what the law currently requires, where most organizations sit, and what must happen between now and August.
What August 2 Actually Requires
The EU AI Act’s high-risk framework is not a light-touch disclosure regime. It is an operational compliance standard that requires documented evidence across five substantive pillars — each of which maps to a specific Article and each of which demands operational proof, not policy documentation.
Pillar |
Article |
What It Requires |
|---|---|---|
| 1 — Risk Management System | Article 9 | A continuous, documented risk management process running across the full AI lifecycle: development, deployment, monitoring, and decommissioning. The process must identify and document foreseeable risks to health, safety, and fundamental rights. One-off risk assessments do not satisfy the Article. The requirement is ongoing. |
| 2 — Data Governance | Article 10 | Training, validation, and testing data must be subject to documented governance practices covering data quality, relevance, representativeness, and bias examination. For organizations using third-party datasets or pre-trained models, the data governance obligation extends to understanding and documenting the provenance and properties of that data. |
| 3 — Technical Documentation | Article 11 | Before a high-risk AI system is placed on the market or put into service, providers must prepare and maintain comprehensive technical documentation demonstrating compliance. The documentation must be kept current throughout the system’s operational life and be made available to regulators on request. |
| 4 — Logging and Auditability | Article 12 | High-risk AI systems must generate logs sufficient to enable post-hoc review of their operation — capturing inputs, outputs, decisions, and system states at a level of granularity that allows the basis of any given AI-driven decision to be reconstructed. This is a technical requirement that must be built into the system architecture, not added retrospectively. |
| 5 — Human Oversight | Article 14 | High-risk AI systems must be designed and deployed with effective human oversight — mechanisms that allow human operators to understand, monitor, and intervene in the system’s outputs. For fully or largely automated decision systems, this typically requires documented escalation procedures, defined override mechanisms, and named individuals with oversight responsibility. |
The Regulatory Uncertainty Trap
The failed trilogue negotiations have created a situation that is genuinely difficult to navigate — and that some organizations are interpreting as permission to pause. That interpretation carries significant risk.
The Digital Omnibus proposal is not yet law. Until it is ratified and published, the original August 2 deadline remains the operative legal requirement. Regulators have not signaled any informal grace period for organizations that assumed the postponement would be confirmed. The IAPP reported that a key stumbling block — the treatment of high-risk AI systems embedded in regulated products — has left negotiations without a guaranteed resolution timeline. The resumed talks, expected in May 2026, could produce an agreement — or they could fail again.
An organization whose compliance program is contingent on the postponement being confirmed faces three possible outcomes: the postponement is confirmed and the program was delayed but not critically harmed; the postponement is confirmed but later than expected, creating a compressed timeline; or the postponement fails, and the organization faces the August 2 deadline having lost months of preparation time. Only one of those outcomes is favorable. The other two are not.
The organizations best positioned for this uncertainty are those that have treated August 2 as the operative deadline throughout — building compliance programs that will be ready regardless of what the trilogue produces.
A Fourteen-Week Action Plan for High-Risk AI Compliance
-
Establish Your AI System Inventory — This Week
The most common compliance failure identified across organizations assessed in Q1 2026 is the absence of a complete, current inventory of AI systems in operation. Without an inventory, it is impossible to determine which systems fall under the high-risk classification, which obligations apply, and where the most significant compliance gaps sit. The first practical question for any board is whether the organization has a documented inventory of every AI system that touches credit, fraud, or underwriting. If the answer is no, closing that gap is the first action.
- Conduct an immediate AI system inventory exercise across all business units, technology teams, and vendor relationships — identifying every system that processes inputs and produces outputs relevant to decisions affecting individuals, and classifying each against the Annex III high-risk categories.
- Assign a named owner for each system in the inventory, with defined accountability for compliance readiness and a reporting line to the designated AI compliance function or senior management.
- Where systems fall into borderline or ambiguous high-risk classifications, document the basis for the classification decision now — regulators will scrutinize classification methodology as well as compliance outcomes.
-
Conduct an Obligations Gap Assessment Against Articles 9 Through 15
For every system confirmed as high-risk, a structured gap assessment against each of the five core Articles is the essential next step. The assessment must be evidence-based — what documentation exists, what operational processes are in place, what technical capabilities are deployed — not a policy review. Many organizations have AI policies that appear comprehensive on paper but lack the operational evidence that Article compliance requires.
- Commission a high-risk AI compliance gap assessment using a structured methodology that maps current state against each Article obligation with explicit evidence requirements — not a survey, but an audit-grade review.
- Prioritize the gap assessment around your highest-volume, highest-stakes AI deployments: the systems making the most consequential decisions for the most individuals are both the highest regulatory risk and the highest business risk if compliance fails.
- Document the gap assessment outputs formally: the findings, the remediation actions required, the timeline for each, and the owner responsible. This documentation is itself compliance evidence.
-
Build the Technical Infrastructure for Logging and Human Oversight
Articles 12 and 14 have direct technical implications that cannot be addressed through policy or documentation alone. Logging requirements mean that system architectures may need to be modified or augmented to capture decision-relevant data at the required granularity. Human oversight requirements mean that workflow designs, escalation paths, and override mechanisms must be built into operational processes — not assumed to exist because a human is nominally present somewhere in the workflow.
- Engage your technology teams to assess the logging capability of each high-risk AI system: are inputs, outputs, decision parameters, and system states captured at a level that allows any individual decision to be reconstructed on request? Where gaps exist, define the technical remediation required and build it into the Q2 2026 development cycle.
- For each high-risk system, document the human oversight mechanism: who has oversight responsibility, how they monitor the system’s operation, and what override capability they have. Ensure that this is an operational reality, not a paper procedure.
- Where vendor-supplied AI systems are classified as high-risk, engage the vendor immediately on their Article 12 and 14 compliance posture — and obtain documented confirmation of their compliance status as part of your own compliance evidence.
-
Prepare Your Conformity Documentation Before You Need It
The EU AI Act’s technical documentation requirements under Article 11 are demanding and time-consuming to produce. Organizations that leave documentation to the final weeks before August 2 will find themselves unable to complete it to the required standard within the available time. Conformity documentation is not a summary of what the system does — it is a comprehensive technical record of how it was designed, what data it was trained on, how it was validated, what risks were identified and mitigated, and how it is monitored in operation.
- Begin technical documentation for each high-risk AI system immediately, using the European Commission’s published documentation template as the structural framework — and assign a dedicated resource to each system’s documentation project.
- For pre-existing systems placed on the market before August 2, 2026, assess whether grandfathering provisions under the Digital Omnibus (if ultimately agreed) would apply, but treat August 2 compliance as the target regardless.
- Establish a documentation governance process: who reviews, who approves, where documentation is stored, and how it will be updated when the system changes. Regulators may request documentation at any point after August 2 — it must be maintained, not archived.
-
Ensure Board-Level Governance of AI Act Compliance Is in Place
The EU AI Act places compliance obligations on providers and deployers — not on technical teams. Personal accountability for compliance failures will flow to senior management and, in serious cases, to boards. An organization whose board has not been formally briefed on its EU AI Act obligations, and whose compliance program lacks executive sponsorship and board reporting, is not just technically non-compliant — it is governance non-compliant.
- Present a structured EU AI Act compliance status briefing to your board before the end of May 2026, covering: which systems are classified as high-risk, where the most significant compliance gaps sit, what the remediation timeline looks like, and what the residual risk exposure is if compliance is not achieved before August 2.
- Designate a named senior executive as the accountable owner of EU AI Act compliance — with board-level reporting obligations and the authority to direct resources to remediation.
- Confirm that your legal, compliance, and technology functions are operating as an integrated team on AI Act readiness — and that regulatory developments, including the outcome of the Digital Omnibus negotiations, are being monitored and escalated to the board on a real-time basis.
The Cost of Waiting Is No Longer Theoretical
For the past eighteen months, EU AI Act compliance has been, for most organizations, a future problem — important, complex, but not yet urgent. The trilogue breakdown has changed that calculus. Until a formal postponement is agreed and published, the countdown is running. Fourteen weeks is not a long time to build and document a compliance program for a major operational AI system. For organizations with multiple high-risk systems, it is a very short time indeed.
The organizations that will navigate August 2, 2026, most effectively are not necessarily those with the most mature AI programs. They are those that, starting this week, have assigned accountability, initiated their system inventory, launched their gap assessment, and committed to treating August 2 as the operative deadline — regardless of what the Digital Omnibus ultimately produces.
The regulation is clear. The deadline is real. The window to act is now.
Close Your EU AI Act Compliance Gap Before August
Karysburg works with organizations across regulated industries to assess EU AI Act compliance readiness, conduct high-risk AI system gap assessments, and build the governance structures that Article compliance demands. With fourteen weeks to the August 2 deadline, now is the time to understand exactly where your organization stands — and what it needs to do.
Book an EU AI Act readiness assessment with our team today.