Cyber Security Blog

The EU AI Act Deadline

Written by Craig Pepper | Jun 10, 2026 7:15:00 AM

On 2 August 2026, the EU AI Act (Regulation (EU) 2024/1689) becomes fully applicable for the vast majority of organisations that build or deploy AI systems in the EU. If you haven't started your compliance work, you're already behind.

The Regulation entered into force on 1 August 2024. But "in force" and "applicable" are not the same thing, a distinction that has tripped up a lot of compliance teams. The Act has a phased rollout, and the main wave hits in less than two months.

What has already been applied

Two provisions have been live for some time.

The prohibition on unacceptable-risk AI practices (Article 5) has been enforceable since 2 February 2025. This covers things like real-time remote biometric identification in public spaces (with narrow exceptions), AI that manipulates people using subliminal techniques, and social scoring by public authorities. If any of your AI systems fall into these categories, you are already operating outside the law.

Obligations for providers of general-purpose AI (GPAI) models, foundation models like the large language models underpinning many products, have applied since 2 August 2025. Member States' penalty frameworks also came into effect on that date.

What happens on 2 August 2026

This is the big one. From this date, the full framework for high-risk AI systems kicks in. That means:

If you are a provider (you develop and place an AI system on the market, or put it into service under your own name), you must have completed conformity assessments, drawn up technical documentation, registered your system in the EU AI database, implemented a quality management system, and affixed CE marking where required.

If you are a deployer (you use a third-party AI system in a professional context), your obligations under Article 26 also apply. You must use the system in accordance with its instructions, implement human oversight measures, monitor performance, and report serious incidents to the provider and relevant authorities. Being a deployer does not get you off the hook.

The Act defines "deployer" broadly. If your procurement team has plugged a SaaS AI tool into your HR, credit, or safety workflows, you are a deployer.

Two transitional provisions worth knowing

Two separate transitional provisions are worth knowing. First, all AI systems that are safety components of products under EU harmonisation legislation, such as medical devices, machinery, and aviation equipment, have until 2 August 2027 to comply, regardless of whether they are new or already on the market (Article 113(c)). Second, a broader provision covers existing high-risk AI of any kind: if your system was already placed on the market before 2 August 2026 and undergoes no significant changes in design, the obligations do not yet apply to it (Article 111(2)). Public authority systems get even longer, until 2 August 2030. Neither provision is a general grace period, and neither covers systems that are modified or launched after the main deadline.

What the penalties look like

Non-compliance with the high-risk AI obligations (Articles 16 and 26, among others) can attract fines of up to €15 million or 3% of total worldwide annual turnover, whichever is higher. Violations of the prohibited practices under Article 5 are more severe: up to €35 million or 7% of global turnover. These are maximums; actual fines depend on gravity, duration, and cooperation, but the trajectory from GDPR enforcement tells you these numbers are not hypothetical.

What you should be doing now

At eight weeks out, there is no time for a full programme. Triage is the priority. Work through these questions:

Do you build or sell AI systems? Map everything against the high-risk categories in Annex III and Article 6. Document your reasoning. Article 6(4) requires providers who conclude a system is not high-risk to record that assessment.

Do you buy and use AI tools from third parties? Review your vendor contracts. Do you have the technical documentation and instructions for use you need to meet your Article 26 obligations? If not, you need them from your vendor, and you need them now.

Is any AI you use covered by Article 5 prohibitions? If the answer is "possibly", get legal input this week, not next quarter.

For high-risk systems: is your conformity assessment done? Is your technical documentation complete? Is the system registered? These are not small administrative tasks.

The bottom line: 2 August 2026 is a hard date. The Act does not provide for a further general grace period. Regulators in several Member States have signalled they intend to enforce from day one. If you are not ready, the time to fix that is now.