EU AI Act August 2026 Deadline: What You Actually Need to Do
A practical compliance checklist for founders of high-risk AI startups. What must be ready before 2 August 2026 — and what can wait.
The EU AI Act's main compliance deadline is 2 August 2026. For providers of high-risk AI systems listed in Annex III — which covers HR tools, credit scoring, biometrics, education, healthcare admin, and more — this is the date by which the full compliance framework must be in place.
This post covers what actually needs to be ready by that date. Not a theoretical overview of what the Act says — a working checklist.
First: Are You Actually High-Risk?
Before spending significant time and money on compliance, confirm whether Annex III applies to your specific product. The eight categories are:
- Biometric identification and categorisation
- Critical infrastructure management
- Education and vocational training
- Employment, HR, and access to self-employment
- Access to essential services (credit, insurance, emergency services)
- Law enforcement
- Migration and border control
- Administration of justice and democratic processes
If your product is in categories 6, 7, or 8, it is almost certainly not a commercial startup product. The categories most commonly affecting startup founders are 4 (HR tech), 5 (fintech and healthtech), and 3 (edtech).
If your product falls in these categories, read on. If not, Article 50 transparency obligations may still apply — see below.
The August 2026 Checklist
Article 9 — Risk Management System
- [ ] Documented risk identification methodology
- [ ] Full list of identified risks with probability and severity assessment
- [ ] Mitigation measures adopted for each identified risk
- [ ] Explicit residual risk evaluation and acceptability judgment
- [ ] Version history showing at least one review cycle since initial documentation
- [ ] Procedure for updating the risk assessment when the system changes
The most common failure here is producing a static risk assessment at launch and treating it as complete. Article 9 requires a continuous and iterative process. Your documentation should show it is maintained, not just created.
Article 10 — Data Governance
- [ ] Training data sources documented
- [ ] Training data composition documented (size, demographic coverage, collection methodology)
- [ ] Validation and test datasets documented
- [ ] Examination of training data for known biases — documented with findings
- [ ] Steps taken to address identified biases documented
- [ ] Data quality criteria defined and applied
This is the article most commonly underestimated. If your training data consists of historical human decisions — hiring records, credit outcomes, grades — those decisions likely encode historical patterns. Documenting that you checked is not sufficient. What you found and what you did about it must also be documented.
Article 11 — Technical Documentation (Annex IV)
All 9 Annex IV categories must be complete before market placement:
- [ ] Category 1: General system description — intended purpose, version, hardware/software, deployment form
- [ ] Category 2: Development process — architecture, training methodology, data, design choices and trade-offs
- [ ] Category 3: Monitoring and control — performance characteristics, failure modes, human oversight measures
- [ ] Category 4: Performance metrics — justified metrics, benchmark results, demographic breakdowns
- [ ] Category 5: Risk management system (cross-reference to Article 9 documentation)
- [ ] Category 6: Change log — record of all material changes since initial documentation
- [ ] Category 7: Standards applied — harmonised standards or technical solutions used
- [ ] Category 8: EU Declaration of Conformity
- [ ] Category 9: Post-market monitoring plan
Categories 1 and 2 take the most time to write well. Start with them. Category 6 should be maintained continuously from first deployment.
Article 12 — Record-Keeping
- [ ] Automatic logging implemented for high-risk system operations
- [ ] Logs cover the period from the system's first deployment
- [ ] Log retention policy documented and aligned with Article 18 (10 years)
For most SaaS AI systems, this means structured logging of inference requests, outputs, and any human override events. If you do not have this in production today, implement it before August 2026 — retroactive logging is not possible.
Article 13 — Transparency and Instructions of Use
- [ ] Instructions of use document prepared for deployers
- [ ] Document covers: intended purpose, performance limitations, known risks, required human oversight measures
- [ ] Document covers: input data requirements, conditions for use
- [ ] Version of instructions matches version of deployed system
If you sell to enterprise customers, they will start requiring this document in procurement processes before August 2026. Early preparation avoids a last-minute crunch.
Article 14 — Human Oversight
- [ ] Human oversight mechanism designed into the system — not just documented as a process
- [ ] Deployers can access information needed to review AI outputs
- [ ] Deployers can intervene, modify, or override AI outputs
- [ ] Oversight mechanism tested to verify it functions under realistic conditions
The most common gap here is a system where human review is technically possible but operationally infeasible — because volume is too high, reasoning is not surfaced, or override requires significant workflow friction. The design must support genuine oversight.
Article 15 — Accuracy, Robustness, Cybersecurity
- [ ] Performance metrics on defined test sets documented
- [ ] Performance tested under reasonably foreseeable adverse conditions
- [ ] Resilience against attempts to alter outputs or exploit system vulnerabilities documented
- [ ] Error handling behaviour documented
EU Database Registration
- [ ] High-risk AI system registered in the EU database for high-risk AI systems before market placement
This is a procedural step often overlooked in compliance programmes. The EU database is operated by the European AI Office. Registration must happen before you place the system on the EU market — it is not a post-market step.
EU Declaration of Conformity
- [ ] Declaration signed by authorised company representative
- [ ] Declaration includes system identifier and version
- [ ] Declaration references the conformity assessment procedure applied
- [ ] Copy included in Annex IV technical documentation (Category 8)
What Can Wait Until Later
Article 50 (transparency obligations): If your product is not high-risk, Article 50 still applies to chatbot interfaces and AI-generated content — but the compliance effort is smaller. Implement chatbot disclosure and AI content labelling before any public launch, not just before August 2026.
Harmonised standards: As of mid-2026, harmonised standards for the EU AI Act are still in development. When they are published in the Official Journal, you will need to assess whether they affect your documentation. This is not a blocker for August 2026 — Category 7 of Annex IV allows you to describe technical solutions adopted in lieu of harmonised standards.
Authorised EU representative (non-EU companies only): If your company is based outside the EU, you must appoint an authorised representative established in the EU under Article 22. This requires a formal contract and takes time — do not leave it until July 2026.
The Honest Estimate
For a typical AI startup building a high-risk system with one product, completing the full compliance documentation from scratch takes — realistically — six to twelve weeks of focused effort across technical, product, and legal functions. It cannot be delegated entirely to a lawyer (who won't know the system architecture) or to an engineer (who won't know the regulatory requirements).
Starting now gives you time to do it properly. Starting in June 2026 means retrofitting compliance onto a system that was not designed with documentation in mind, and the result will show in the documentation quality.