EU AI Act Compliance Timeline: What's Due by August 2026

The EU AI Act doesn't arrive all at once. It's being enforced in phases, with different requirements activating at different dates. If you're responsible for AI systems that serve EU markets, here's exactly what's already live, what's coming, and what you need to have ready.

The Phased Rollout

Already in Effect

August 1, 2024 — Entry into force The Act officially became law. No enforcement yet, but the clock started.

February 2, 2025 — Prohibited AI practices The first enforcement milestone. AI systems that fall into the "unacceptable risk" category became illegal:

Social scoring by governments
Real-time remote biometric identification in public spaces (with limited exceptions)
Manipulation techniques that exploit vulnerabilities
Emotion recognition in workplaces and educational institutions (with exceptions)

If your AI system does any of these, you should have already stopped.

August 2, 2025 — General-purpose AI models Requirements for providers of general-purpose AI (GPAI) models took effect:

Transparency obligations (model cards, training data summaries)
Copyright compliance requirements
Systemic risk assessments for the most powerful models
This primarily affects foundation model providers (OpenAI, Anthropic, Google, Meta), not most enterprise deployers

Coming Up

August 2, 2026 — High-risk AI systems (FULL ENFORCEMENT) This is the deadline that matters for most enterprises. Full enforcement of:

Article 10: Data and data governance requirements
Article 30: Technical documentation obligations
Article 9: Risk management systems
Article 13: Transparency and information to deployers
Article 14: Human oversight requirements
Article 15: Accuracy, robustness, and cybersecurity
Article 61: Post-market monitoring

August 2, 2027 — Certain high-risk AI systems in Annex I Extended deadline for AI systems that are safety components of products covered by existing EU harmonized legislation (medical devices, machinery, vehicles, etc.). These get an extra year because they're already subject to sector-specific regulations.

What "August 2026" Means in Practice

Five months from today. Here's what your organization needs to have in place:

Training Data Documentation

Complete data governance policies covering collection, preparation, and labeling
Documented bias examination with methodology and results
Statistical profiles of all training datasets
Quality metrics and error analysis
Full data lineage from source to training-ready format

Technical Documentation Package

System description, intended purpose, and deployment context
Training data documentation (see above)
Algorithm and model architecture description
Validation and testing results
Risk assessment and mitigation measures

Risk Management System

Identification and analysis of known and foreseeable risks
Risk mitigation measures implemented
Residual risk assessment
Testing procedures for risk identification

Human Oversight Mechanisms

Tools and procedures for human oversight of the AI system
Documentation of how humans can intervene, override, or shut down the system
Training for human overseers

Post-Market Monitoring Plan

How you'll monitor system performance after deployment
How you'll detect and address issues
Incident reporting procedures

Penalties for Non-Compliance

The penalties are graduated based on severity:

Violation	Maximum Fine
Prohibited AI practices	€35M or 7% of global annual turnover
High-risk system requirements (incl. training data)	€15M or 3% of global annual turnover
Incorrect information to authorities	€7.5M or 1.5% of global annual turnover

For SMEs and startups, the Act provides proportionally lower caps, but the penalties are still significant.

What to Prioritize with Five Months Left

If you're starting from scratch, here's a triage order:

Month 1: Audit

Inventory all AI systems and classify their risk level
Assess current documentation against Article 30 requirements
Identify the biggest gaps — usually data lineage and bias documentation

Month 2-3: Build

Implement or upgrade data pipeline with built-in audit logging
Document data governance policies and labeling procedures
Conduct and document bias examinations
Establish human oversight procedures

Month 4: Test

Generate complete technical documentation packages
Review documentation for completeness against Annex IV checklist
Conduct internal compliance review
Test incident reporting procedures

Month 5: Validate

External legal review of documentation
Final gap analysis
Team training on ongoing compliance obligations
Post-market monitoring plan activation

The Cost of Waiting

Retroactive compliance is always more expensive than building it in. If your data pipeline doesn't currently log transformations, attribute actions to operators, or maintain data lineage, adding these capabilities after the fact requires reconstructing history that may not be recoverable.

Platforms designed for regulated AI data preparation — like Ertas Data Suite — generate EU AI Act-compliant documentation as a natural output of the pipeline. Every transformation is logged, every operator attributed, every lineage chain maintained. If you're evaluating tools for a new pipeline, compliance documentation should be a core selection criterion, not an afterthought.

The August 2026 deadline isn't a suggestion. Start now.