On 2 August 2026, the EU Artificial Intelligence Act’s requirements for high-risk AI systems move from preparation to enforcement. Organisations that deploy or provide AI systems falling under Annex III of the Act, covering areas including employment, education, essential public services, law enforcement, and critical infrastructure, must have their compliance posture in place by that date. Penalties for non-compliance reach up to 35 million euros or 7 percent of global annual turnover, whichever is higher. That ceiling exceeds the GDPR’s, making the AI Act the most financially consequential EU digital regulation to date for organisations caught on the wrong side of it.
What Annex III covers
The AI Act categorises AI systems by risk level. The highest tier, which was already in effect, covers systems presenting unacceptable risk and bans them outright. The tier taking effect on 2 August covers high-risk AI systems, defined by their application domain rather than their technical architecture.
High-risk systems under Annex III include AI used in biometric identification, safety components in critical infrastructure, educational access and assessment decisions, employment and HR decisions, access to essential private and public services, law enforcement, migration and border control, and administration of justice. An AI system used to screen job applications, assess student performance, allocate credit, or determine eligibility for social benefits is a high-risk system under the Act. So is a model embedded in industrial equipment where its output influences safety-critical decisions.
Critically, the classification applies regardless of whether the organisation developed the AI system internally or purchased it from a third-party provider. Deployers carry obligations alongside providers.
What compliance requires
By 2 August, organisations operating high-risk AI systems must have implemented and documented several requirements.
A risk management system must be in place and maintained throughout the system’s lifecycle, identifying and analysing known and reasonably foreseeable risks and implementing risk management measures.
Data governance requirements apply to all training, validation, and testing datasets, including documentation of data collection processes, scope, known biases, and data quality measures.
Technical documentation must be maintained at a level of detail sufficient for a conformity assessment to be carried out. This documentation must be kept up to date.
Automatic logging of events throughout the system’s operation must be enabled, allowing authorities to review the system’s behaviour over a defined retention period.
Transparency and human oversight controls must ensure that the system is designed to be monitored and, where appropriate, overridden or shut down by human operators. The nature of the system must be disclosed to users.
Most high-risk systems must also undergo conformity assessment and be registered in the EU’s AI system database before deployment.
Why this is harder than GDPR compliance was
The GDPR imposed obligations on how organisations handle data. Most organisations had existing data handling processes that could be documented, audited, and adjusted. The AI Act imposes obligations on how AI systems are designed, trained, evaluated, monitored, and governed throughout their operational lifecycle. This requires technical documentation of systems that were often built without documentation requirements in mind, risk assessments of outputs rather than inputs, and logging architectures that many deployed systems do not currently support.
The Act also applies to AI systems already in production. Organisations cannot wait for the next development cycle. Existing high-risk deployments must be brought into compliance by the August deadline or taken out of service.
Third-party vendor dependencies add another layer of difficulty. Where an organisation uses a software vendor’s AI-powered product that falls under Annex III, the compliance responsibility is shared between provider and deployer, but the deployer cannot assume the vendor has handled it. The contractual and due diligence landscape for AI vendor relationships has changed significantly in the past seven weeks, and those conversations need to be happening now.
The GDPR comparison and what it tells us
May 2026 marked the tenth anniversary of the GDPR entering into force. The European Data Protection Board used the occasion to note that enforcement has strengthened considerably over the decade: 2,679 fines totalling over 6.7 billion euros had been issued as of the end of 2025. The early years of GDPR saw slow enforcement and a widespread assumption that regulators lacked the capacity or will to pursue large-scale action. That assumption proved wrong, and the organisations that delayed compliance paid for it later under more scrutiny and with less goodwill from regulators.
The AI Act enforcement bodies are building on a decade of GDPR precedent. They understand how to conduct cross-border investigations, how to assess technical claims, and how to translate statutory obligations into practical audit criteria. The early enforcement assumptions that protected many late-moving GDPR adopters are less likely to hold for the AI Act.
Seven weeks is not much time
Organisations that have not yet completed a high-risk AI system inventory should begin immediately. The inventory determines the compliance scope. Without it, the rest of the compliance programme has no foundation.
For systems identified as high-risk, a gap assessment against the Annex III requirements will reveal which technical and governance changes are needed. Some gaps are addressable quickly. Others, particularly retroactive technical documentation of training pipelines and the implementation of comprehensive logging, require meaningful engineering effort.
Seven weeks is enough time to make significant progress if the work starts now. It is not enough time to build compliance from a standing start on August 1.
If your organisation needs help identifying which AI systems in your infrastructure fall under the EU AI Act’s high-risk classification, conducting a gap assessment against the August compliance requirements, or building the technical documentation and governance structures the Act demands, contact Excello Digital. We help European organisations turn regulatory obligations into practical engineering work.
