August 2, 2026 is 21 days away. On that date, the EU AI Act's high-risk AI obligations become enforceable: Articles 9 through 15, plus transparency requirements under Article 50.
As of April 2026, 78% of organizations have not taken meaningful steps toward compliance, according to data from Responsible AI Labs.
If you're an EU-facing company that has deployed AI in hiring, lending, healthcare, critical infrastructure, or customer-facing automated decisions, you're in the high-risk category. The fines go up to €35 million or 7% of global annual turnover, whichever is higher.
Here's the practical version. Not 60 pages of legal theory. Just what your team needs to do.
First: Do You Actually Have a High-Risk AI System?
The EU AI Act classifies AI systems into four risk tiers. Most enterprise AI does not fall into the high-risk category. But some does, and the distinction matters.
High-risk systems are those used in:
- Employment decisions (screening, evaluation, promotion)
- Credit and financial assessments
- Healthcare diagnosis or treatment recommendations
- Law enforcement, border control, or justice systems
- Critical infrastructure management
- Educational assessments that affect access to institutions
- Biometric identification in public spaces
Not high-risk by default: customer support chatbots, internal knowledge assistants, document summarization tools, code generation, most marketing AI, recommendation systems that don't make binding decisions.
Run this classification across every AI system you have in production. This one step determines everything else.
What August 2 Actually Requires
For high-risk AI systems, you need to demonstrate compliance with seven categories of obligations before the deadline. Here's each one in plain language.
Article 9: Risk Management System
You need a documented, ongoing process for identifying and mitigating risks throughout the AI system's lifecycle. "We tested it before launch" is not sufficient. Risk management must be continuous.
At minimum, this means a written risk assessment that identifies: what could go wrong, what the consequences are, and what controls are in place. It must be updated when the system changes.
Article 10: Data Governance
Document where your training, validation, and testing data came from. Establish quality criteria. Assess for bias, particularly any that could result in discriminatory outputs. Keep this documentation updated.
If you're using third-party models: document what data they were trained on, to the extent the provider discloses it, and note the gaps.
Article 11: Technical Documentation
Compile the Annex IV documentation package. This covers:
- System architecture and components
- Training methodologies
- Performance metrics and how they were measured
- Known limitations and failure modes
- Version history
This takes 3 to 6 months to prepare from scratch. If you haven't started, start this week.
Article 12: Logging and Record-Keeping
Your high-risk AI system must generate automatic, tamper-evident logs of relevant events. Deployers must retain these logs for at least 6 months. The logs need enough detail to trace inputs, outputs, and decisions.
This is a technical requirement. If your current system has no audit logging, this requires engineering work.
Article 13: Transparency to Deployers
If you're a provider selling AI to other companies, you must give them clear documentation of capabilities, limitations, and instructions for use. If you're a deployer buying AI, you must have received this from your provider, and you must follow it.
Article 14: Human Oversight
The system must be designed so that a human can monitor its behavior, detect problematic patterns, and intervene to override, suspend, or shut it down. Human oversight cannot be bolted on afterward. It needs to be designed in.
Practically: who in your organization is responsible for overseeing this AI system's behavior? Do they have the authority to stop it? Do they have the information they need to catch problems? Document the answer.
Article 15: Accuracy, Robustness, and Cybersecurity
Document your accuracy metrics. Define what accuracy means for your specific use case. Test against adversarial inputs. Establish cybersecurity controls specific to the AI system.
Beyond Articles 9–15
If you're a provider placing high-risk systems on the EU market, you also need:
- Quality Management System (Article 17): documented procedures for ensuring ongoing conformity
- Conformity Assessment (Article 43): self-assessment or third-party, depending on the risk category
- EU Declaration of Conformity (Article 47)
- CE Marking (Article 48): required before market placement
- EU AI Database Registration (Article 49): register each system before it goes live
- Post-Market Monitoring Plan (Article 72): define how you'll track performance in production
- Serious Incident Reporting (Article 73): protocol for notifying authorities within 15 days
Deployers (companies using third-party high-risk AI) have their own obligations under Article 26: you must operate the system according to provider instructions, assign trained personnel with authority to exercise oversight, and retain automated logs for 6 months.
Article 50: The Transparency Obligations Apply to Everyone
Even if you don't have a high-risk AI system, Article 50 transparency obligations are also effective August 2:
- If you have a chatbot that interacts with end users, you must disclose that they're interacting with an AI system: unless it's obvious from context
- AI-generated content (images, video, audio, text) must be machine-readable labeled as AI-generated
This applies broadly. If your customer service flow uses an AI bot, users must know it's AI.
What Happens If You Miss It
Enforcement powers are active from August 2. The AI Office has authority over general-purpose AI models. National market surveillance authorities handle product-level high-risk AI.
For non-compliance with high-risk obligations: fines up to €15 million or 3% of global annual turnover. For prohibited AI practices: fines up to €35 million or 7% of global annual turnover. For providing incorrect information to authorities: up to €7.5 million or 1% of global annual turnover.
The first enforcement actions will focus on organizations with documented, obvious non-compliance. But that's not a guarantee you won't be early.
The Practical Three-Week Plan
Week 1 (Now):
- Classify every AI system you have in production against the Annex III list
- For each high-risk system, assign an owner responsible for compliance
- Start the Annex IV technical documentation package
Week 2: 4. Implement or verify logging and audit trail capabilities on all high-risk systems 5. Define your human oversight structure: who monitors, what authority do they have, how are interventions logged 6. If you're a deployer, review the documentation and instructions from your AI providers
Week 3: 7. Complete risk management documentation 8. Register systems in the EU AI database (providers only) 9. Verify Article 50 transparency disclosures are in place across customer-facing products
How Xenqube Builds This In
Every system we deploy is built with the EU AI Act compliance architecture from day one. That means audit logging at the infrastructure level, human oversight controls built into the agent design, and documentation that covers the Annex IV requirements.
If you've already deployed a system that doesn't have these controls, we can help you retrofit them before August 2.
If you're starting a new deployment and want EU AI Act compliance built into the architecture rather than added afterward, talk to us.
The difference between a system that's compliant by design and one that has compliance bolted on is the difference between passing an audit and failing one.