Skip to content
All insights

The EU AI Act becomes fully applicable on 2 August 2026

4 min readAI ComplianceEU AI ActGovernance
Timeline of the EU AI Act with the 2 August 2026 milestone highlighted: entry into force 2024, prohibited practices 2025, GPAI, high-risk and penalties 2026, Annex I 2027

The EU AI Act has been in force since August 2024, but until now most of its obligations were still in the future. On 2 August 2026 that changes: the bulk of the text applies (everything except Article 6(1)), with the high-risk obligations, the transparency rules and the penalty regime now enforceable. It stops being a date on a slide and becomes something an authority can check.

The earlier milestones on the calendar have already passed. In February 2025 the prohibited practices kicked in (social scoring, manipulation, certain uses of biometrics) along with the AI literacy obligation for staff. In August 2025 came the obligations for general-purpose AI models and the governance framework. What lands in 2026 is the part that touches most companies deploying AI, not just those training models.

What becomes enforceable on 2 August 2026

Three blocks, in order of impact.

High-risk systems (Annex III). If your AI system is used to screen CVs, decide on credit, manage workers, support decisions in health or education, or in several other Annex III contexts, it falls into the high-risk category. That means documented risk management, data governance, event logging, human oversight, transparency toward the user and a conformity assessment before it goes to market. It is not a checkbox; it is a management system someone on your team has to keep alive.

Transparency (Article 50). Even if your system is not high-risk, when a user talks to a chatbot they must know it is an AI, and generated or manipulated content (deepfakes included) must be labelled. This affects marketing, customer support and any agent that interacts with people.

Penalties. From this date, non-compliance has a price. And it is not symbolic.

The three penalty tiers of the EU AI Act: 7% or EUR 35M, 3% or EUR 15M, 1% or EUR 7.5M

The figure that applies is the higher of the percentage of global annual turnover and the fixed amount, so for a large company the percentage rules and for an SME the fixed amount does. Either way, it is a number a board looks at twice.

Does it apply to you?

The question is not "do we have AI?", but "which category does each system fall into?". The Act distinguishes four levels (prohibited, high-risk, limited risk with transparency obligations, and minimal), and a single product can have parts in different levels. Most companies find they have less high-risk than they feared and more transparency obligations than they thought.

To avoid classifying by eye, we built an EU AI Act calculator: answer a few questions and it returns the category, the applicable articles and the timeline that applies to you. Free, no email. A CV-screening tool, operated by the deployer, comes back like this:

System: CV screening · role: deployer
Tier:        HIGH-RISK
Legal basis: Art. 6(2) · Annex III, point 4 · Art. 113 §3
Deadline:    2 August 2026
Obligations: risk management (Art. 9) · data governance (Art. 10) ·
             documentation and logging (Art. 11-12) · human oversight (Art. 14) ·
             accuracy, robustness and cybersecurity (Art. 15) ·
             conformity assessment and CE marking (Art. 43, 48)

That system lands exactly on 2 August 2026, and the obligations above are what your team needs documented by then.

Where to start now

Less than a year is left, and a high-risk conformity assessment is not something you improvise in August. The sensible thing is to start with the map:

  1. Inventory the AI systems you have in production or about to launch, including the ones you bought from a third party. The deployer's responsibility is yours even if the model is someone else's.
  2. Classify each one by risk level. This is where most teams need help, because Annex III has nuance.
  3. Gap-analyze the distance between what your category requires and what you have documented today.
  4. Prioritize by date and exposure: high-risk and in production first.

There is one point that often goes unnoticed: cybersecurity is no longer optional in compliance. The Act requires high-risk systems to be secure by design, and ENISA reads that as robustness against adversarial attacks. For an AI system that includes things like prompt injection or RAG poisoning, which slip past traditional security controls. Compliance and security overlap more than they seem, and it pays to plan them together.

At KAIX LAB we classify, document and audit AI systems so they reach August 2026 in order, and we do it alongside the security side, not in silos. If you want a quick read on where you stand, start with the calculator; if you would rather talk it through, book a diagnosis.

This article is informational and does not constitute legal advice. Dates and obligations are based on Regulation (EU) 2024/1689 and the official application timeline.