EU AI Act 2026: Companies must comply with these requirements by August 2026

August 2, 2026, is marked in red on the compliance calendars of many companies. On this date, the next major phase of the EU AI Act, the European AI regulation, will take effect. But by 2026, the landscape has shifted: With the so-called Digital Omnibus, the EU provisionally agreed in May 2026 to postpone key deadlines for high-risk AI. For companies in industrial and regulated sectors, this means: The pressure to act remains, but priorities are being realigned. This article clarifies what actually applies as of the August 2026 deadline, what has been postponed, and what steps are now required.

What the EU AI Act regulates and who it affects

The EU AI Act (Regulation (EU) 2024/1689) is the world’s first comprehensive law on artificial intelligence. At its core is a risk-based approach: it is not the technology itself that is regulated, but rather the specific use case and the risk it poses. This results in four tiers, ranging from prohibited practices to high-risk AI and systems subject to transparency requirements, all the way down to applications with minimal risk. The higher the risk, the stricter the obligations.

The key factor in practice is the role a company plays. The regulation primarily distinguishes between providers who develop AI systems or market them under their own name, and operators (referred to in the law as “deployers”) who use AI under their own responsibility. A small or medium-sized business that purchases and uses an AI-based applicant tracking system is a deployer. However, the line is not always drawn where one might expect: Anyone who distributes a purchased AI system under their own name or brand—the classic white-labeling, where only their own logo is added to an existing solution—or who significantly modifies an existing system becomes a provider in legal terms and assumes the provider’s significantly more extensive obligations. What matters, therefore, is not the size of the company, but its specific role and whether AI is made available or used on the EU market.

AI Regulation 2026: The Timeline and What the Digital Omnibus Changes

The AI Act took effect on August 1, 2024, but its provisions are being phased in gradually. This phased approach is what makes it a useful planning tool, as it spreads the obligations over several years.

  • February 2025: Prohibited AI practices (Article 5), such as social scoring or manipulative systems, took effect. Since the same date, the requirement for AI literacy (Article 4) has applied to everyone who uses AI within the company.
  • August 2025: The rules governing general-purpose AI (GPAI) models, the governance structures of supervisory authorities, and the sanctions framework took effect.
  • August 2026: The transparency requirements under Article 50 will take effect, including the labeling of chatbots, AI-generated content, and deepfakes. This is the key deadline that most companies need to focus on now.

This is where the Digital Omnibus comes into play. Originally, the extensive obligations for high-risk AI were also set to take effect on August 2, 2026. Following difficult negotiations, the Council and Parliament reached a provisional political agreement in early May 2026 that postpones these deadlines: The obligations for autonomous high-risk systems under Annex III are not expected to become mandatory until December 2, 2027, while those for AI embedded in regulated products under Annex I will not take effect until August 2, 2028.

Important for legal classification: This postponement is not yet final at this time. Formal adoption by the Parliament and the Council, as well as publication in the Official Journal, are expected in the weeks leading up to August 2, 2026. Only then will the new deadlines become legally binding. However, the political direction is clear, and the transparency requirements for August 2026 remain unaffected.

What steps does my company need to take in response to the EU AI Act?

This is a question many compliance and technology leaders are currently asking themselves. The answer depends on the systems in use, but it can be broken down into five interrelated areas of responsibility.

AI Competence: A Requirement That Is Already in Effect

One of the most commonly overlooked requirements has been in effect since February 2025. Article 4 requires that all individuals who operate AI systems on behalf of a provider or operator possess a sufficient level of AI competence. This applies not only to development teams but also to employees in marketing, HR, or sales who use tools such as ChatGPT or Copilot. Companies should set up training programs and document participation in a verifiable manner.

Transparency and labeling requirements effective August 2026

The key deadline in August 2026 concerns the transparency requirements under Article 50. These are based on four pillars. First, users must be able to recognize that they are interacting with a chatbot or AI system and not with a human. Second, providers of generative AI must label their synthetic content—that is, text, images, audio, and video—in a machine-readable format. Third, operators of emotion recognition and biometric categorization systems must inform the individuals concerned. Fourth, deepfakes (AI-generated or manipulated images, audio, or video content) as well as AI-generated text on topics of public interest must be labeled as artificially generated.

One specific provision of the Omnibus Directive concerns the machine-readable labeling of synthetic content: The transition period for providers has been shortened and now ends on December 2, 2026. All other transparency requirements, including those for operators, remain unchanged and take effect on August 2, 2026. Anyone using chatbots, image generators, or text automation should therefore prepare the necessary disclosures in the frontend now.

High-risk AI: postponed, not canceled

High-risk AI refers to systems that could significantly compromise safety, health, or fundamental rights. Annex III lists specific areas: biometric identification, critical infrastructure, education, employment and personnel selection, access to essential services such as lending, law enforcement, migration, and the justice system. Small and medium-sized enterprises, in particular, are affected more quickly than they realize through recruitment or credit checks.

These systems are subject to the most comprehensive set of requirements: a risk management system covering the entire lifecycle, strict requirements for data quality and data governance, technical documentation, automatic logging, transparency toward operators, effective human oversight, as well as accuracy, robustness, and cybersecurity. In addition, there is a conformity assessment, CE marking, and registration in an EU database. Operators must use the systems as intended, monitor them, retain records, and inform data subjects.

Even though these requirements are not expected to take effect until the end of 2027, the delay is no reason to wait and see. Establishing a risk management system, demonstrating data quality, and making processes audit-ready takes months. Added to this is an often-underestimated factor: It has been proven that establishing such regulatory practices retroactively is significantly more time-consuming than incorporating them from the start. Reactive compliance teams spend a disproportionately high amount of their time on documentation sprints, retroactive evidence collection, and audit preparation. That is time that is then lacking for the actual reduction of future risks. Those who use this buffer now, rather than letting it slip away, avoid costly rework under time pressure.

Governance, Roles, and Responsibilities

AI compliance rarely fails due to a lack of good will, but rather because of unclear responsibilities. It makes sense to establish a clear division of roles, including a designated AI compliance owner, the involvement of the data protection officer, and integration with IT security or the ISMS. A simple responsibility matrix (RACI) specifies who classifies, approves, monitors, and documents an AI system. Regular reviews ensure that new systems are not introduced without going through the governance process.

Suppliers and Contracts

Very few companies develop their AI entirely in-house. This shifts the focus to the supply chain. Contracts with AI providers should include assurances of compliance with the AI Act, the provision of technical evidence and documentation, as well as recourse mechanisms in the event of non-compliance. In the future, the procurement and legal departments should review AI procurements just as they do security- or data protection-related services, as responsibility cannot be fully delegated to the supplier.

Consequences of violations

The penalty framework set forth in Article 99 has been in effect since August 2025 and is applied on a sliding scale. The use of prohibited AI practices is punishable by fines of up to 35 million euros or 7 percent of global annual turnover, whichever is higher. Violations of other obligations, such as those related to high-risk activities or transparency, can be penalized with fines of up to 15 million euros or 3 percent. Providing false or misleading information to authorities can result in fines of up to 7.5 million euros or 1 percent.

There is no blanket exemption for small and medium-sized enterprises or startups, but the regulation requires that fines be proportionate and take their interests into account. In addition to the financial risk, there is the risk of reputational damage: An AI system publicly deemed non-compliant with regulations can cause lasting damage to the trust of customers and partners.

EU AI Act Checklist: 10 Steps to AI Compliance

The following checklist breaks down these obligations into specific tasks. It serves as a starting point for creating your own roadmap. The information in parentheses provides guidance on who is responsible and the timeframe.

• Take stock of the AI landscape: Create a comprehensive inventory of all AI systems in use, including their purpose, provider, data sources, and user base. (Responsibility: AI Compliance Owner; start immediately.)

• Conduct risk classification: Assign each system to a risk class and, in particular, verify whether a use case qualifies as high-risk AI under Annex III. (Responsibility: Compliance and the relevant department; Q3 2026.)

• Build AI expertise: Train all employees who use AI and document their qualifications. This requirement is already in effect. (Responsibility: HR and line departments; in progress.)

• Implement transparency and labeling: Clearly label chatbots, AI-generated content, and deepfakes on the front end. (Responsibility: Product and Development; by August 2, 2026.)

• Define governance and roles: Appoint responsible parties, incorporate data protection and IT security, and establish regular reviews. (Responsibility: Management; Q3 2026.)

• Prepare for high-risk requirements: Establish risk management, data governance, and human oversight for affected systems, even though the deadline has been extended. (Responsibility: Development and Compliance; starting in 2026, to be completed by December 2027.)

• Update supplier and contract management: Incorporate AI-Act commitments, disclosure requirements, and recourse mechanisms into contracts. (Responsibility: Procurement and Legal; ongoing.)

• Establish documentation and record-keeping procedures: Keep technical documentation, model and version information, and audit-ready reports readily available. (Responsibility: Development; ongoing.)

• Establish incident management and human oversight: Define processes for malfunctions, bias reports, and corrective actions, and ensure effective human oversight. (Responsibility: Operations and Compliance; Q4 2026.)

• Integrate into existing frameworks: Align AI-Act processes with GDPR, ISMS, and NIS2 rather than creating parallel structures. (Responsibility: Compliance and IT Security; ongoing.)

Implementing AI Compliance Pragmatically: Integration Instead of a Parallel World

Many of these requirements will be familiar to companies, and that’s the good news. Organizations that already operate an information security management system (ISMS), comply with the GDPR, or are preparing for NIS2 have already established a large part of the necessary infrastructure: risk assessment, documentation, roles, and audits. The AI Act can be integrated into these existing frameworks rather than creating an additional compliance silo. This saves effort and avoids duplicate checks.

Based on our project experience at BAYOOTEC, this integrated approach pays off. We have been developing software in highly regulated environments for over 25 years and use AI ourselves within a framework of responsible governance, for example for code reviews and automated testing. Artificial intelligence can also help reduce compliance efforts, for example, in system inventory, risk analysis, or reviewing documentation. It is crucial that these tools are embedded in clear, transparent processes.

Conclusion: The deferral is not a free pass

The EU AI Act is changing how AI is developed and used in Europe. As of August 2, 2026, the main focus will be on transparency requirements, while the extensive high-risk requirements under the Digital Omnibus are expected to be postponed until late 2027 and 2028. This additional time is valuable but tight for systems whose compliance cannot be achieved overnight.

The next steps are clear: create an AI inventory, classify systems, build AI expertise, meet the transparency requirements by August 2026, and start preparing for high-risk scenarios now. Those who view the 2026 AI Regulation as part of their existing compliance framework—rather than as an isolated special project—can turn a regulatory requirement into a trust advantage with customers and partners.

FAQ: EU AI Act 2026

The EU AI Act (Regulation (EU) 2024/1689) is the world’s first comprehensive law on artificial intelligence. It takes a risk-based approach and classifies AI systems into four categories: prohibited, high-risk, subject to transparency requirements, and low-risk applications. The obligations are based on the level of risk and apply equally to providers and operators.

First, create an inventory of all AI systems in use and assign them to a risk class. Build AI expertise, label AI content transparently, define clear responsibilities, and document your measures. For high-risk AI, risk management, technical documentation, and effective human oversight are also required.

As of August 2, 2026, the transparency requirements under Article 50 will take effect. Operators and providers must then label chatbots, AI-generated content, deepfakes, and emotion recognition. The high-risk obligations originally scheduled for that date are expected to be postponed to December 2027 under the Digital Omnibus, but they have not been repealed.

High-risk AI refers to systems that could pose a significant risk to safety, health, or fundamental rights. This includes applications in recruitment, lending, biometrics, critical infrastructure, education, and law enforcement. They are subject to the strictest requirements: risk management, data quality, technical documentation, human oversight, and a conformity assessment with CE marking.

The fines are tiered. Prohibited AI practices can result in fines of up to 35 million euros or 7 percent of global annual turnover. Violations of other obligations can result in fines of up to 15 million euros or 3 percent of global annual turnover, while providing false information to authorities can result in fines of up to 7.5 million euros or 1 percent. In each case, the higher amount applies.

Yes. Starting August 2, 2026, Article 50 requires that users be able to recognize when they are interacting with AI. Generated images, audio, and video, as well as deepfakes, must be labeled; however, AI-generated text must be labeled only when it concerns matters of public interest (Art. 50, para. 4). A transition period for machine-readable labeling applies until December 2026.

Yes. The AI Regulation does not take company size into account, but rather the role and risk of the AI system. Small and medium-sized enterprises are also affected as soon as they develop or use AI. However, fines are intended to be proportionate and to take the interests of small businesses and startups into account appropriately.