The clock is ticking. On August 2, 2026, the majority of the EU AI Act‘s rules come into force — including requirements for high-risk AI systems, transparency mandates, and a full enforcement framework with penalties reaching up to 7% of global annual turnover. Here’s what companies need to know to prepare.
What’s Already in Effect
The AI Act has been rolling out in phases since it entered into force on August 1, 2024:
- February 2, 2025: Prohibited AI practices banned (social scoring, real-time biometric surveillance, manipulative AI) and AI literacy obligations took effect
- August 2, 2025: Governance rules and obligations for general-purpose AI (GPAI) models became applicable
What Changes on August 2, 2026
The August 2026 milestone is the most significant yet. The following obligations become enforceable:
High-Risk AI Systems (Annex III)
Full requirements take effect for AI systems classified as high-risk, including those used in employment, credit scoring, law enforcement, migration, and critical infrastructure. Companies must implement:
- Risk management systems with continuous monitoring
- Data governance requirements for training datasets
- Technical documentation and record-keeping
- Transparency and human oversight mechanisms
- Accuracy, robustness, and cybersecurity standards
- Conformity assessments before market deployment
- Post-market monitoring and incident reporting
Transparency Rules (Article 50)
- AI chatbots must disclose their artificial nature to users
- Emotion recognition systems require explicit user notification
- Deepfake content must carry machine-readable watermarks
- Biometric categorization systems face mandatory disclosure
Penalties for Non-Compliance
The fines are structured to be meaningful even for the largest companies — and they exceed GDPR penalty levels:
- 7% of global annual turnover (or €35 million) for using prohibited AI practices
- 3% of global turnover for non-compliance with data governance or transparency rules
- 1% of global turnover for providing incorrect information to regulators
The Governance Framework
Enforcement is managed through a multi-layered structure: the European AI Office at the EU level, national market surveillance authorities in each member state, and three advisory bodies — the European Artificial Intelligence Board, the Scientific Panel, and the Advisory Forum.
Finland became the first EU member state with fully operational AI Act enforcement powers on January 1, 2026. Other member states are expected to follow throughout Q1 2026, though as of late 2025, only about a third had met the August 2025 deadline for designating national authorities.
The Digital Omnibus Wrinkle
In November 2025, the European Commission published proposals that could extend the high-risk AI deadline to December 2027. The “Digital Omnibus” and “AI Omnibus” packages signal a political pivot toward competitiveness, proposing to postpone certain requirements, expand SME exemptions, and increase reliance on standards and regulatory sandboxes. EU lawmakers will negotiate these amendments throughout 2026.
However, companies should not rely on delays. The transparency obligations under Article 50 are unlikely to be postponed, and the prohibited practices rules are already in force. The prudent approach is to prepare for August 2026 compliance while monitoring the omnibus negotiations.
What Companies Should Do Now
- Audit your AI systems: Classify every AI deployment by risk level under the Act’s framework
- Implement documentation: Start building technical documentation and data governance records
- Establish oversight: Designate human oversight roles and incident reporting procedures
- Monitor national laws: Track country-specific implementations (e.g., Italy’s additional protections for minors)
- Prepare for transparency: Ensure all AI-facing interactions disclose their AI nature
The EU AI Act applies to any company operating in or serving users in the EU, regardless of where the company is incorporated. With fines reaching 7% of global revenue, non-compliance is not an option — it’s an existential risk.