The EU AI Act's high-risk obligations hit in August 2026. Only 14% of companies are prepared. Here's what developers building with AI need to know — risk tiers, technical requirements, GPAI rules, and a practical compliance checklist.
Get new posts delivered to your inbox. No spam, unsubscribe anytime.
On February 2, 2025, the EU quietly flipped a switch. Regulation (EU) 2024/1689 — the EU Artificial Intelligence Act — began enforcing its first prohibitions. Social scoring systems, manipulative AI, emotion recognition in workplaces and schools, and untargeted facial recognition scraping became illegal across the European Union overnight. No grace period. No warnings. Just banned.
Most companies didn't notice. Most companies still haven't noticed.
In August 2026, the rest of the regulation hits. Every high-risk AI system — resume screeners, credit scoring models, biometric identification, AI-powered exam proctoring, predictive maintenance for critical infrastructure — must comply with a set of technical requirements that most engineering teams have never heard of. Risk management systems. Mandatory logging. Bias audits. Human oversight mechanisms. Technical documentation that makes SOC 2 look like a README file.
The Cisco AI Readiness Index found that only 14% of companies globally were fully prepared for AI governance requirements. ISACA's State of Digital Trust report found that roughly 10% of organizations had a comprehensive AI policy in place. Multiple industry surveys from EY, Deloitte, and PwC consistently show 75-80% of companies have not started structured compliance programs.
The EU AI Act is the most significant piece of technology regulation since GDPR. And just like GDPR, the industry is sleepwalking into the deadline.
The AI Act entered into force on August 1, 2024, after the European Parliament approved it with 523 votes in favor against just 46. Implementation is phased:
| Date | What Happens |
|---|---|
| August 1, 2024 | AI Act enters into force |
| February 2, 2025 | Prohibited AI practices enforceable (social scoring, manipulative AI, workplace emotion recognition, untargeted facial scraping) |
| August 2, 2025 | GPAI model obligations apply (foundation model providers must comply). EU AI Office and governance structures operational |
| August 2, 2026 | High-risk AI system obligations enforceable (Annex III systems: biometrics, employment AI, credit scoring, law enforcement, education, critical infrastructure) |
| August 2, 2027 | High-risk obligations for AI embedded in regulated products (medical devices, vehicles, aviation, machinery) |
August 2026 is the date that matters for most developers. That's when the bulk of the regulation's teeth take effect. If you're building anything that touches hiring, lending, education, biometrics, or critical infrastructure — your compliance clock is already ticking.
The AI Act classifies all AI systems into four tiers. Your obligations depend entirely on where your system lands.
These are already illegal as of February 2025:
If you're building any of these, stop. The fines are up to €35 million or 7% of global annual revenue, whichever is higher.
This is where most developer impact lies. Annex III lists the specific domains:
| Domain | Examples |
|---|---|
| Biometrics | Remote identification, biometric categorization, emotion recognition (non-banned contexts) |
| Critical infrastructure | AI managing electricity grids, gas, water, heating, digital infrastructure, traffic |
| Education | Admissions decisions, exam scoring, learning outcome evaluation, cheating detection |
| Employment | Resume screening, job ad targeting, interview evaluation, performance monitoring, promotion/termination decisions |
| Essential services | Credit scoring, insurance pricing, public benefits eligibility, emergency dispatch prioritization |
| Law enforcement | Risk assessment, evidence evaluation, profiling in criminal investigations |
| Migration | Visa/residence applications, document authenticity checks, border security |
| Justice | AI assisting judicial authorities in legal research and fact interpretation |
The practical test: If your AI system makes or materially influences decisions about whether someone gets a job, a loan, an education, or access to essential services — it's almost certainly high-risk.
There's an important escape valve in Article 6(3): a system in an Annex III domain is NOT high-risk if it performs only a narrow procedural task, improves a previously completed human activity, detects patterns without replacing human judgment, or performs a preparatory task. But this exception explicitly does NOT apply to profiling.
Spam filters, recommendation engines for entertainment, video game AI, basic inventory management. Use freely.
If your system is classified as high-risk, here's what you must implement by August 2026. These aren't suggestions. They're legal requirements with audit trails.
You need a documented, continuously updated risk management process that:
This isn't a one-time assessment. It's a living process that spans the system's entire lifecycle.
Your training, validation, and testing datasets must have:
If you're training a credit scoring model on data that underrepresents certain demographics, Article 10 says that's a compliance failure, not just a fairness concern.
Before deployment, you must produce documentation covering:
Think of it as a comprehensive system card, but legally mandated and subject to audit.
Your system must automatically record events throughout its lifetime. Logs must enable:
Minimum retention: 6 months (or longer if required by other laws). This isn't optional logging — it's a regulatory requirement.
You must provide deployers with instructions covering:
The system must enable humans to:
For biometric identification specifically: at least two natural persons must verify results before any action is taken.
The AI Act has specific rules for General-Purpose AI models — the foundation models from OpenAI, Anthropic, Google, and Meta. Here's how the responsibility splits:
All GPAI providers must:
GPAI models trained with more than 10^25 FLOPs (or designated by the Commission) carry additional obligations:
This threshold likely covers GPT-4, Gemini Ultra, Claude 3 Opus, and Llama 3 405B.
This is the part most developers miss. If you use the OpenAI API to build a resume-screening tool:
The GPAI provider's compliance does not cascade to your application. You still need risk management, data governance, logging, human oversight, conformity assessment, and registration in the EU database. OpenAI gives you the model; you own the compliance.
Models released under open-source licenses (weights, architecture, and usage info publicly available) are exempt from most GPAI obligations. They still must:
But: this exemption vanishes if the model exceeds the 10^25 FLOP systemic risk threshold. A large open-source model like Llama 3 405B may not qualify.
Fine-tuning matters: If you fine-tune an open-source model and deploy it in a closed manner, you become a GPAI provider. The base model's open-source exemption doesn't transfer to your closed derivative.
| Violation | Maximum Fine |
|---|---|
| Prohibited AI practices (Article 5) | €35 million or 7% of global annual revenue |
| High-risk non-compliance, GPAI violations | €15 million or 3% of global annual revenue |
| Providing misleading information to authorities | €7.5 million or 1% of global annual revenue |
For context: 7% of Google's $307 billion revenue is $21.5 billion. That's not a rounding error. That's an existential fine.
SMEs and startups get some relief — the fine is the lower of the absolute amount or the percentage, rather than the higher.
Market surveillance authorities can request access to AI systems, demand documentation, conduct inspections, order corrective actions, and order withdrawal of non-compliant systems from the market.
The responses range from genuine compliance efforts to PR exercises:
Microsoft has published a Responsible AI Standard and mapped it to EU AI Act requirements. Azure customers get compliance tooling, content filtering, and transparency notes. They're taking this seriously.
Google implemented SynthID watermarking for AI-generated images and text, published model cards for Gemini, and actively participated in GPAI Code of Practice discussions.
Meta released Llama as open-source, potentially qualifying for the exemption. But Llama 3 405B may exceed the 10^25 FLOP threshold, which would negate the exemption entirely. Meta also paused using EU user data for AI training in June 2024 after regulatory pressure.
Apple delayed Apple Intelligence features in the EU partly due to AI Act and Digital Markets Act compliance concerns.
Over 100 companies joined the EU AI Pact — a voluntary initiative to implement obligations before the deadlines. Whether voluntary commitments translate to actual compliance remains to be seen.
The EU AI Act is being called the "GDPR of AI," and the parallel is more than a headline:
| Dimension | GDPR | EU AI Act |
|---|---|---|
| Scope | Anyone processing EU personal data | Anyone providing/deploying AI in the EU market |
| Extraterritorial | Yes | Yes |
| Risk-based | DPIAs for high-risk processing | Conformity assessments for high-risk AI |
| Fines | Up to 4% global revenue | Up to 7% global revenue |
| Documentation | Records of processing, DPIAs | Technical documentation, conformity declarations |
| Industry reaction before deadline | "It won't really be enforced" | "It won't really be enforced" |
| Industry reaction after deadline | Panic, cookie banners everywhere | TBD |
Remember how companies handled GDPR? Most scrambled in the final months. Many are still not fully compliant six years later. The AI Act is more technically complex than GDPR — it requires engineering changes, not just legal documents — and the deadline is months away.
United States: No comprehensive federal AI regulation. The Biden Executive Order 14110 required safety reporting for large models but was rescinded by the Trump administration in January 2025. Colorado passed an AI Act effective 2026. California's SB 1047 was vetoed. The US approach remains a patchwork of sector-specific rules and state laws.
China: Multiple targeted regulations — algorithmic recommendations (2022), deepfakes (2023), generative AI (2023). Requires algorithmic filing with the Cyberspace Administration of China and mandates AI content reflect "core socialist values." More targeted than the EU's horizontal approach.
United Kingdom: No comprehensive AI law. Relies on existing sector regulators (FCA, ICO, Ofcom) applying AI-specific guidance. Established the AI Safety Institute at Bletchley Park. Deliberately positioned as a lighter-touch alternative to the EU.
The EU is the only jurisdiction with a comprehensive, binding, horizontal AI regulation. If you serve EU customers, the AI Act applies to you regardless of where you're based. That's the extraterritorial reach that made GDPR inescapable — and it applies here too.
Here's what you actually need to do, organized by timeline:
Classify your AI systems. Go through Annex III and determine if any of your systems fall into high-risk categories. Resume screening, credit decisions, exam proctoring, biometric verification — check each one.
Check for prohibited practices. If any of your systems involve social scoring, manipulative AI, workplace emotion recognition, or untargeted facial scraping — these are already illegal. Shut them down.
Audit your GPAI usage. If you use foundation model APIs (OpenAI, Anthropic, Google), document what models you use, what data you send, and what decisions the outputs influence. You need this for Article 13 transparency.
Implement logging. Article 12 requires automatic event recording. Every high-risk AI decision needs a log trail — inputs, outputs, confidence scores, model version, timestamp. Build this into your pipeline now.
Build human oversight mechanisms. Article 14 requires humans to be able to understand, monitor, override, and stop your AI system. Design the UX for human-in-the-loop review. Add a kill switch.
Document everything. Article 11 requires technical documentation before deployment. System architecture, training process, data sources, known limitations, performance metrics by demographic group. Start writing now.
Conduct bias audits. Article 10 requires examination for biases in training data. Test your model's performance across demographic groups. Document gaps and remediation plans.
Implement transparency. Article 13 requires instructions for deployers covering capabilities, limitations, and performance metrics. Article 50 requires disclosure to end users when they interact with AI.
Perform risk assessment. Article 9 requires a documented risk management system. Identify risks from intended use and foreseeable misuse. Define mitigation measures.
Plan for conformity assessment. Most Annex III systems can self-assess. Biometric identification systems require third-party assessment. Prepare your documentation for either path.
For developers, these are the engineering tasks:
□ Add AI disclosure to all user-facing AI interfaces
□ Implement comprehensive request/response logging for AI decisions
□ Build human override mechanism (approve/reject/modify AI outputs)
□ Create model card / system card documentation
□ Add demographic performance testing to CI/CD pipeline
□ Implement content watermarking for AI-generated media (C2PA metadata)
□ Build audit trail for training data provenance
□ Add kill switch / circuit breaker for AI systems
□ Document input data specifications and system limitations
□ Set up 6-month minimum log retention
The EU AI Act is messy, bureaucratic, and imperfect. The risk classification is overly broad in some places (does every chatbot really need a transparency label?) and oddly specific in others. The 10^25 FLOP threshold for systemic risk is already being outpaced by hardware improvements. The open-source exemption creates perverse incentives — you're penalized for building openly if your model is too capable.
But here's what the critics miss: the alternative is nothing. The US approach — sector-specific rules, voluntary frameworks, and an AI executive order that got rescinded — isn't working. China's approach ties AI regulation to political control. The UK's "let existing regulators figure it out" approach means no regulator is really accountable.
The EU is doing what it did with GDPR: establishing global standards by being the first to regulate comprehensively. You can argue about the details, but the direction is right. AI systems that decide who gets hired, who gets a loan, who gets surveilled, and who gets parole should meet minimum standards for accuracy, fairness, transparency, and human oversight. That shouldn't be controversial.
The enforcement question is real. GDPR enforcement has been uneven — Ireland's DPC has been notoriously slow, while other authorities have been aggressive. The AI Act's enforcement will likely be similarly patchy. But "enforcement might be inconsistent" is not a reason to ignore compliance. Ask any company that received a GDPR fine whether they wish they'd prepared earlier.
For developers specifically, here's my practical take: the documentation and logging requirements are the hardest part. Not because they're technically complex, but because most teams don't build these capabilities from the start. If you're designing an AI system today, build the compliance infrastructure (logging, human oversight, bias testing, documentation) into your architecture from day one. Retrofitting it later is 10x harder and 10x more expensive.
The companies that treat the EU AI Act as a checkbox exercise — minimum viable compliance, maximum legal creativity — will end up like the companies that treated GDPR as a cookie banner problem. The ones that use it as a forcing function to build genuinely transparent, accountable AI systems will build better products and earn more user trust.
August 2026 is four months away. If you haven't started, start today. The regulation isn't going away, the deadline isn't moving, and the fines are designed to hurt.