EU AI Act: High-Risk Systems Compliance Deadline — 2 August 2026
The EU AI Act (Regulation 2024/1689) reaches its key milestone on 2 August 2026: full obligations for high-risk AI systems. Practical guide for providers and deployers in Belgium, Germany, Romania and across the EU.
The EU AI Act reaches a decisive milestone on 2 August 2026
The Regulation (EU) 2024/1689 — commonly known as the "AI Act" — entered into force on 1 August 2024 and applies in stages. The next major deadline, on 2 August 2026, triggers full obligations for high-risk AI systems listed in Annex III. This guide explains what changes, who is affected, and what practical steps you should take before the summer.
Why this deadline matters across the EU
The AI Act is a regulation, not a directive. It is directly applicable in all 27 Member States — Belgium, Germany, Romania, Ireland, the Netherlands, Spain and the others — without any national transposition. From 2 August 2026, an AI provider placing a high-risk system on the Belgian, German or Romanian market will face the exact same obligations.
The Act applies extraterritorially (Article 2): if your system is used within the EU, or its output is used in the EU, you are covered even if you are established outside the Union.
The AI Act phased application timeline (Article 113)
- 2 February 2025: prohibited practices (Art. 5) and AI literacy obligations (Art. 4).
- 2 August 2025: governance structure, obligations on general-purpose AI models (GPAI), penalties regime.
- 2 August 2026: full obligations for Annex III high-risk systems — the focus of this article.
- 2 August 2027: high-risk systems embedded in products already covered by EU product legislation (Annex II — e.g. medical devices, machinery, toys).
What is a "high-risk" system under Annex III?
Annex III identifies eight areas where AI is considered high-risk:
- Biometrics: remote identification, biometric categorisation, emotion recognition outside medical/safety use.
- Critical infrastructure: road traffic management, water/gas/electricity supply.
- Education and vocational training: admission, scoring of exams, exam fraud detection.
- Employment and workforce management: CV screening, performance evaluation, task allocation.
- Access to essential private and public services: credit scoring, health and life insurance pricing, emergency triage, eligibility for public benefits.
- Law enforcement: risk assessment, profiling, evidence evaluation.
- Migration, asylum and border control.
- Administration of justice and democratic processes.
Key obligations for providers (Articles 8 to 22)
- Risk management system across the full lifecycle (Art. 9).
- Data governance: quality, representativity, bias mitigation (Art. 10).
- Technical documentation and automatic logging (Art. 11 and 12).
- Transparency and clear instructions for use (Art. 13).
- Effective human oversight (Art. 14).
- Accuracy, robustness and cybersecurity (Art. 15).
- Conformity assessment and CE marking before placing on the market.
- Registration in the EU database of high-risk AI systems.
Key obligations for deployers (Article 26)
If your organisation uses a high-risk AI system supplied by a third party — for example, an HR tool for CV shortlisting, or a credit-scoring engine — you are a deployer. Your obligations include:
- Use the system in accordance with the instructions for use provided by the provider.
- Ensure human oversight by competent, trained staff.
- Monitor the input data you control for relevance and representativity.
- Keep automatically generated logs for at least 6 months.
- Inform affected natural persons when they are subject to decisions based on the system.
- Where applicable, conduct a Fundamental Rights Impact Assessment (FRIA) under Article 27 — mandatory for public bodies and for deployers in banking and insurance covering creditworthiness and risk pricing.
Penalties (Article 99)
- Up to EUR 35 million or 7 % of total worldwide annual turnover for violations of prohibited practices (Art. 5).
- Up to EUR 15 million or 3 % for other infringements (high-risk, GPAI, transparency).
- Up to EUR 7.5 million or 1 % for supplying incorrect information to authorities.
Small and medium enterprises (SMEs) and start-ups benefit from the lower of the two amounts, per Article 99(6).
National supervisory authorities: who enforces the AI Act locally?
Each Member State must designate a market-surveillance authority and, where biometric, law-enforcement, migration or justice systems are involved, a notified authority for fundamental rights. The designation deadline was 2 August 2025. In practice:
- Belgium: a coordinated structure under the BIPT and the SPF Economy, with involvement of the APD/GBA (Data Protection Authority) for systems processing personal data.
- Germany: federal/state split expected, with BNetzA as central coordinator and BfDI plus Länder DPAs for data protection aspects.
- Romania: authority designated by government ordinance, coordinated with ANSPDCP for personal data.
- France: national coordination announced with the CNIL playing a key role on biometrics and personal data.
At EU level, the AI Office (Commission, DG CONNECT) supervises general-purpose AI model providers.
Focus: France's "Darcos bill" — what it signals for the EU
On 8 April 2026, a bill was tabled in the French Senate by Senator Laurent Darcos. It aims to strengthen protection of copyright and neighbouring rights against generative AI, in addition to what the AI Act already requires. The proposed measures reportedly include:
- Enhanced transparency about training datasets.
- A technical standard for the opt-out mechanism foreseen by Article 4 of Directive (EU) 2019/790.
- Remuneration for authors and performers whose works were used to train generative AI.
Although the bill is specific to France, its direction matters for deployers in Belgium, Germany and Romania: it complements Article 53 of the AI Act, which already obliges providers of general-purpose AI models to publish a sufficiently detailed summary of the content used for training and to implement a policy to comply with EU copyright law. Similar national initiatives are under discussion in other Member States.
Practical roadmap before 2 August 2026
If you are a provider of AI systems
- Map your products against Annex III.
- Build or finalise your risk management system, technical documentation, logging and data governance.
- Plan the conformity assessment route (internal control under Art. 43 or third-party assessment where required).
- Prepare the instructions for use and the EU declaration of conformity.
If you are a deployer
- Audit AI tools already in use (HR, scoring, fraud detection, customer support chatbots if consequential).
- Request from each provider their EU declaration of conformity, CE marking, instructions for use and, for certain sectors, information needed for your FRIA (Art. 27).
- Combine the FRIA with your GDPR DPIA (Art. 35 GDPR) wherever both are required.
- Train your staff: "AI literacy" is already mandatory since 2 February 2025 (Art. 4).
If you are a content creator or rights holder
- Exercise your opt-out of text-and-data mining (Art. 4 of Directive 2019/790) using available technical signals (robots.txt, metadata, ai.txt).
- Document your catalogue and publication channels.
- Monitor national initiatives in your jurisdiction (France's Darcos bill, upcoming proposals in Germany and Belgium) for additional remuneration rights.
How DroitAI can help
DroitAI covers EU law (Regulation 2024/1689, Directive 2019/790, GDPR) and the implementing national frameworks in France, Belgium, Germany and Romania. You can:
- Check whether a specific system falls under Annex III.
- Analyse an AI-provider contract clause by clause.
- Draft an opt-out notice or a cease-and-desist letter for unauthorised training use.
AI regulation is moving fast. The window between now and 2 August 2026 is your opportunity to turn broad principles into concrete compliance artefacts.