EU AI Act 2026: What You Need to Know Before August

The Clock Is Ticking: August 2026 Is Closer Than You Think

The EU Artificial Intelligence Act (Regulation 2024/1689) entered into force on 1 August 2024, but its most consequential provisions — the rules governing high-risk AI systems — apply from 2 August 2026. That deadline is now less than six months away, and most organizations are not ready.

This article breaks down everything you need to know: which provisions are already in force, what takes effect in August 2026, who is affected, and — critically — what you should be doing right now. If you deploy, develop, or distribute AI systems in the European Union, this is the most important regulatory development since GDPR.

A Brief History: How We Got Here

The European Commission first proposed the AI Act in April 2021. After extensive negotiations between the European Parliament and the Council of the EU, political agreement was reached in December 2023. The regulation was formally adopted in June 2024 and published in the Official Journal on 12 July 2024. It entered into force twenty days later, on 1 August 2024.

Unlike a directive, the AI Act is a regulation — it applies directly in all 27 EU Member States without the need for national implementing legislation. However, Member States must designate national competent authorities and market surveillance authorities by 2 August 2025, which creates the enforcement infrastructure.

The EU AI Act Timeline: Four Phases

The AI Act follows a phased implementation approach, with different provisions becoming applicable at different times:

Phase 1: February 2025 — Prohibited Practices

As of 2 February 2025, the provisions on prohibited AI practices (Article 5) are already in force. This means the following AI applications are already banned in the EU:

• AI systems that use subliminal, manipulative, or deceptive techniques to distort behavior
• AI systems that exploit vulnerabilities of specific groups (age, disability, social or economic situation)
• Social scoring systems by public authorities
• Real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions)
• Untargeted scraping of facial images from the internet or CCTV footage to create facial recognition databases
• Emotion recognition in the workplace and educational institutions (with narrow exceptions)
• Biometric categorization systems that infer sensitive attributes (race, political opinions, religious beliefs, sexual orientation)

If your organization operates any AI system that falls into these categories, you are already in breach. Use our free risk assessment tool to check immediately.

Phase 2: August 2025 — Governance and General-Purpose AI

By 2 August 2025, the following provisions apply:

• Member States must designate national competent authorities
• The AI Office within the European Commission becomes fully operational
• Obligations for providers of general-purpose AI models (GPAI) take effect (Chapter V)
• AI literacy requirements (Article 4) become applicable
• Penalties framework comes into force

Article 4 is particularly noteworthy: it requires that all providers and deployers of AI systems ensure their staff have sufficient AI literacy. This is a broad obligation that applies regardless of your AI system's risk level.

Phase 3: August 2026 — High-Risk AI Systems (The Big One)

This is the deadline that matters most for the majority of organizations. On 2 August 2026, the full obligations for high-risk AI systems become applicable. These include:

• Risk management systems (Article 9)
• Data and data governance requirements (Article 10)
• Technical documentation — Annex IV (Article 11)
• Record-keeping and automatic logging (Article 12)
• Transparency and provision of information to deployers (Article 13)
• Human oversight requirements (Article 14)
• Accuracy, robustness, and cybersecurity standards (Article 15)
• Quality management systems (Article 17)
• Conformity assessments (Article 43)
• EU database registration (Article 49)
• Fundamental Rights Impact Assessments for deployers (Article 27)
• Post-market monitoring obligations (Article 72)
• Transparency obligations for limited-risk systems (Article 50)

The scope is enormous. Any organization deploying AI in areas listed in Annex III — including healthcare, employment, education, law enforcement, critical infrastructure, and financial services — must have all these systems in place by this date.

Phase 4: August 2027 — Existing Systems and Safety Components

By 2 August 2027, the obligations extend to high-risk AI systems that are safety components of products already covered by EU harmonized legislation (such as medical devices, machinery, and automotive systems). This gives manufacturers of these products an additional year to bring existing systems into compliance.

Who Is Affected?

The AI Act uses four key roles to assign obligations:

• Providers: Organizations that develop an AI system or have it developed, and place it on the market or put it into service under their own name or trademark. Providers bear the heaviest obligations.
• Deployers: Organizations that use an AI system under their authority. If you purchase or license AI software and deploy it in your operations, you are a deployer.
• Importers: Organizations that place an AI system from a third country on the EU market.
• Distributors: Organizations that make an AI system available on the EU market without being a provider or importer.

Crucially, the AI Act has extraterritorial reach. If your AI system's output is used in the EU, you may be subject to the regulation even if your organization is based outside Europe — similar to GDPR's extraterritorial scope.

What Are the Penalties?

Non-compliance carries significant financial consequences:

• Prohibited practices: Up to €35 million or 7% of annual global turnover (whichever is higher)
• High-risk obligations: Up to €15 million or 3% of annual global turnover
• Incorrect information to authorities: Up to €7.5 million or 1% of annual global turnover

For SMEs and startups, proportionate caps apply, but the penalties are still substantial relative to revenue.

What You Should Be Doing Right Now

With less than six months until the August 2026 deadline, here is a prioritized action plan:

1. Inventory Your AI Systems

You cannot comply with what you have not identified. Create a comprehensive registry of all AI systems your organization develops, deploys, or distributes. Include third-party AI tools and embedded AI components.

2. Classify Each System's Risk Level

Run each AI system through a risk classification process based on Articles 5, 6, and Annex III. Our free risk classification tool can do this in minutes.

3. Prioritize High-Risk Systems

Focus your compliance efforts on systems classified as high-risk. These have the most extensive obligations and the steepest penalties for non-compliance.

4. Start Documentation Now

Annex IV technical documentation is extensive and cannot be produced overnight. Start generating the required documentation now. Our document generator can auto-populate much of this from your system registry data.

5. Ensure AI Literacy

Article 4 AI literacy requirements are already applicable (since August 2025). If you haven't addressed this yet, implement training programs immediately.

6. Engage Legal and Compliance Teams

If you haven't already, ensure your legal, compliance, and data protection teams are fully briefed on the AI Act's requirements and their role in the compliance process.

How Haffa.ai Helps

We built Haffa.ai specifically to help organizations navigate the EU AI Act efficiently. Our platform provides guided risk classification, automated documentation generation, compliance dashboards, and access to certified expert consultants — everything you need to meet the August 2026 deadline with confidence.

See our plans or start with a free risk assessment to understand your obligations today.