EU AI Act High-Risk Deadline: 47 Days and Counting

The European Union’s AI Act is no longer a future obligation. With 47 days remaining until 2 August 2026, the high-risk enforcement deadline under Annex III is imminent, and companies operating AI systems across employment, credit, healthcare, law enforcement, and critical infrastructure must be ready — or face penalties exceeding those imposed under GDPR.

The Act has followed a deliberate, phased timeline. Prohibited practices under Article 5 — covering social scoring, subliminal manipulation, and mass biometric surveillance in public spaces — became enforceable on 2 February 2025. Six months later, general-purpose AI obligations activated, with 26 major providers, including Microsoft, Google, Amazon, OpenAI, and Anthropic, signing the Code of Practice. Meta refused, placing itself under enhanced regulatory scrutiny from the EU AI Office — a decision that continues to attract attention from national competent authorities.

The August 2026 deadline is structurally different in scale and consequence. High-risk AI systems — those determining employment outcomes, assessing creditworthiness, managing border controls, informing judicial decisions, or operating within critical infrastructure — must achieve full conformity. This means completed conformity assessments, CE marking, mandatory registration in the EU AI database, technical documentation packages, functioning human oversight mechanisms, and post-market monitoring systems. Penalties for non-compliance reach up to €35 million or seven per cent of global annual turnover, surpassing GDPR’s ceiling in relative severity.

Compliance experts are unambiguous about the nature of the task. “This is structural compliance, not paperwork,” one Brussels-based AI governance adviser told this publication. Organisations that approached the AI Act as a documentation exercise are now confronting the reality that conformity assessments require substantive technical and organisational change, not simply the production of additional reports.

The G7 summit at Evian, which concluded on 17 June, offered a parallel but ultimately divergent signal. Leaders updated the Hiroshima AI Process voluntary code of conduct, aligning member states rhetorically around safety principles consistent with the EU framework. However, the absence of binding commitments from the United States confirmed what Brussels has maintained throughout: the EU will enforce its own rules unilaterally, regardless of whether international partners adopt equivalent obligations. Evian strengthened the EU’s position by contrast rather than by convergence.

The enforcement architecture is now operational. Finland became the first designated national enforcer in December 2025. The EU AI Office is fully functional, and national competent authorities in France, Germany, Italy, Spain, and the Netherlands are actively supervising their respective markets. The infrastructure for enforcement exists; what remains uncertain is the pace at which it will act on non-compliant operators post-August.

A parliamentary effort to delay enforcement failed. MEPs voted within the Digital Omnibus process to push the high-risk deadline to December 2027, but the Commission rejected any blanket postponement. The 2 August 2026 date stands, and companies that relied on the possibility of legislative relief must now abandon that assumption entirely.

The sharpest vulnerability lies with small and medium-sized enterprises. Many EU SMEs have not completed even preliminary risk classification of their AI systems, let alone conformity assessments. The compliance gap has created an entirely new market segment: AI auditing firms, legal advisory practices specialising in the Act, and compliance platform startups are all reporting explosive demand as the deadline compresses. For SMEs without dedicated legal or technical teams, 47 days represents a serious challenge.

The final deadline in this legislative sequence arrives on 2 August 2027, when legacy systems governed by Annex I must also comply. But that date is secondary to the immediate question facing every organisation deploying AI in high-risk contexts today: the clock has nearly run out.