Updated June 2026. The original version of this guide was built around the 2 August 2026 high-risk deadline. That date has since moved. Under the Digital Omnibus package — which reached a provisional political agreement on 7 May 2026 and a Council position on 13 May 2026 — the application of the high-risk obligations has been deferred. This guide now reflects the new, staggered timeline. For a deeper breakdown of the change, see Digital Omnibus explained: your new EU AI Act timeline.

The headline number most companies memorised — 2 August 2026 — is no longer the date that matters for high-risk AI systems. But “the deadline moved” is the wrong lesson to take from this. The obligations did not shrink; they were rescheduled, and several of them were already in force long before any 2026 date. This guide covers what actually applies now, who is affected, and the concrete steps to take while the runway is longer than it used to be.

The New Timeline at a Glance

The EU AI Act applies in phases. After the Digital Omnibus deferral, the phases that matter are:

  • Prohibited AI practices (Article 5): live since February 2025. This did not move. Unacceptable-risk uses (e.g. social scoring, most real-time biometric identification) are already banned.
  • General-purpose AI (GPAI) model obligations: live since August 2025. This did not move either. Providers of GPAI models already carry transparency and documentation duties.
  • High-risk AI systems under Annex III — now apply from 2 December 2027 (deferred from 2 August 2026). This is the category covering most enterprise AI in HR, finance, operations, and customer-facing functions.
  • High-risk AI systems embedded in regulated products (Annex I) — now apply from 2 August 2028.

So if you build or deploy a high-risk Annex III system, your effective compliance date is 2 December 2027, not August 2026. If your AI is embedded in a product already covered by EU product-safety law (Annex I), you have until 2 August 2028.

Why the Deferral Doesn’t Mean “Relax”

Three reasons the extra time is runway, not relief:

  1. The hard parts take the longest. Building an AI system inventory, classifying each system, and producing Annex IV technical documentation is months of work for most mid-market companies — not a task you start in the final quarter.
  2. The harmonised standards aren’t published yet. Much of the deferral exists because the standards bodies (CEN/CENELEC) have not finished the technical standards that make compliance concrete. When those land, the requirements get sharper and the work gets more specific — companies that already have their inventory and classifications done will simply map to the standards rather than start from zero.
  3. Buyers aren’t waiting for the regulator. Enterprise and public-sector procurement increasingly asks for AI Act readiness and ISO 42001 evidence today, regardless of the statutory date. Compliance has become a commercial gate, not just a legal one.

Which Companies Are Affected

The EU AI Act applies to any organization that:

  • Develops or deploys AI systems used in the EU, regardless of where the organization is headquartered
  • Imports or distributes AI systems that fall within the regulation’s scope
  • Uses AI in high-risk contexts, even when the underlying model is provided by a vendor

For mid-market companies (50–3,000 employees), the most common triggers are AI systems used in:

  • Human resources — recruitment screening tools, performance evaluation software, workforce analytics platforms
  • Customer creditworthiness or financial decisions — credit scoring, loan eligibility tools, insurance pricing models
  • Access to essential services — AI that determines eligibility for benefits, housing, or public utilities
  • Safety-critical operations — AI embedded in physical infrastructure, industrial equipment, or medical device software

If your company uses any third-party software with embedded AI for these purposes — including platforms like Workday, SAP SuccessFactors, Salesforce, or custom-built tools — the deployer obligations apply to you, not just to the vendor.

Importantly, the deadline is not just for AI developers. Deployers — companies using AI systems built by third parties — carry their own set of obligations, including conducting fundamental rights impact assessments, ensuring human oversight, and maintaining logs of system operation.

The Consequences of Non-Compliance

Fines under the EU AI Act are structured by violation severity:

  • Prohibited AI systems: up to €35 million or 7% of global annual turnover, whichever is higher
  • Other high-risk system violations: up to €15 million or 3% of global annual turnover
  • Providing incorrect information to authorities: up to €7.5 million or 1% of global annual turnover

For SMEs and start-ups, the Act applies the lower of the fixed cap or the percentage of turnover — so for smaller companies the headline “7% of global turnover” overstates real exposure. In practice, the bigger risk for mid-market firms is commercial: non-compliant systems can be ordered off the market, and increasingly you simply can’t close enterprise or public-sector deals without compliance evidence.

National competent authorities are already standing up their enforcement units. Germany’s Federal Network Agency, France’s CNIL, and the Netherlands’ Autoriteit Persoonsgegevens have all signaled active enforcement intentions.

What You Need to Have in Place

1. Complete an AI System Inventory

You cannot classify, document, or monitor what you have not identified. Start by cataloguing every AI system your organization uses or deploys — both internally built and third-party. For each system, record: its purpose, the vendor or developer, the data it processes, and the decisions it influences.

This inventory is not a one-time exercise. Systems change, vendors update their models, and new tools get adopted outside formal IT procurement. Establish a process for ongoing discovery.

2. Classify Each System by Risk Tier

Once you have an inventory, each system must be assessed against the EU AI Act’s risk classification framework. High-risk systems trigger the most significant compliance obligations. Understanding which of your systems fall into this category — and which common systems are misclassified as lower risk — is the essential second step.

3. Produce Technical Documentation for High-Risk Systems

High-risk AI systems require detailed technical documentation under Annex IV of the EU AI Act. This includes general system descriptions, data governance records, testing and validation methodology, human oversight provisions, and post-market monitoring plans. For a full breakdown, see our Annex IV documentation checklist.

Many companies underestimate the documentation burden. A single high-risk system can require 40–80 pages of structured documentation that must be kept current throughout the system’s lifecycle.

4. Implement Ongoing Compliance Monitoring

Static documentation is not enough. The EU AI Act requires deployers to monitor AI systems in operation, log interactions where required, report serious incidents to authorities, and update documentation when systems change. This means compliance is an operational function, not a project — and it’s also where the regulatory-monitoring engine earns its keep: when the Omnibus dates shift again, or the harmonised standards land, your documented systems are flagged automatically.

A 4-Step Action Plan

The phases are the same as they always were — you simply have more runway to do them properly rather than in a panic.

Phase 1: Discovery. Conduct a full AI system inventory across all departments. Include systems embedded in SaaS tools. Assign ownership of each system to a named individual or team.

Phase 2: Classification. Assess each identified system against the Annex III high-risk categories. Determine your obligations as provider, deployer, or both. Use a structured tool or take our risk quiz to get an initial read on your exposure.

Phase 3: Documentation. For each high-risk system, begin producing Annex IV-compliant technical documentation. For systems where you are the deployer, request documentation from providers and conduct your fundamental rights impact assessment.

Phase 4: Operationalize. Establish logging and monitoring for high-risk systems. Train relevant staff on human oversight requirements. Set up an incident reporting process. Assign ongoing documentation maintenance responsibilities.

Don’t Treat 2027 as a Reason to Wait

Regulatory deadlines in Europe consistently see a surge of last-minute compliance attempts — and those companies consistently face avoidable problems: incomplete documentation, rushed risk assessments, and missed obligations. The high-risk date moved to 2 December 2027, but the work didn’t get smaller, and prohibited-practice and GPAI rules are already live.

The companies that win here are the ones treating the deferral as breathing room to build a real, maintainable compliance program — and to use AI Act / ISO 42001 readiness as a sales asset — rather than an excuse to push it to 2027.

