August 2, 2026 is six weeks from today. On that date, the EU AI Act’s binding obligations for high-risk AI systems become enforceable. A November 2025 proposal from the European Commission to delay enforcement to late 2027 was not enacted. The deadline stands.
Most US mid-market companies with EU operations or EU customers have not started their conformity assessments. That matters, because the conformity assessment is not a form — it is a documentation and testing process that takes weeks to execute properly when an AI system is genuinely in scope.
flowchart TD
Q{EU operations or<br/>EU-based customers?}
Q -->|No| OUT[Outside current scope<br/>Monitor for updates]
Q -->|Yes| R{AI system in a<br/>high-risk category?}
R -->|No| LOW[Document prohibited-use<br/>compliance only]
R -->|Yes| AUDIT[Start conformity assessment now]
AUDIT --> DOC[Technical documentation<br/>and risk management system]
DOC --> LOG[Logging and human<br/>oversight mechanisms]
LOG --> REG[EU database registration<br/>before August 2]
REG --> PASS[Defensible compliance<br/>at enforcement date]
class OUT warn
class LOW accent
class AUDIT bad
class PASS good
classDef good fill:#163a26,stroke:#44cc77,color:#d7ffe6;
classDef bad fill:#3a1620,stroke:#ff5555,color:#ffd9d9;
classDef warn fill:#3a2e16,stroke:#ffaa33,color:#ffe9c7;
classDef accent fill:#15233b,stroke:#4488ff,color:#dce9ff;
The Rundown
The EU AI Act passed in 2024 as the world’s first comprehensive regulatory framework for artificial intelligence. It uses a risk-tiered structure: prohibited practices became enforceable in February 2025, high-risk system obligations are the subject of the August 2, 2026 deadline, and general-purpose AI provisions follow later that year.
The enforcement date was not a surprise — it was published with the original Act. What generated confusion in late 2025 was a European Commission internal proposal to delay the high-risk provisions to late 2027. That proposal received significant coverage and led some companies to adopt a wait-and-see posture. The proposal did not become law. August 2 is the operative deadline.
The geographic scope is broader than most US companies initially assume. EU market access does not exempt you from the Act. If your AI systems affect EU users — EU-based employees, EU customers, EU operations — the high-risk provisions apply to those systems. Source: Holland & Knight, Cloud Security Alliance.
For Engineers: What the Conformity Process Actually Requires
The conformity assessment has four concrete deliverables most engineering teams don’t have ready today.
First, a complete technical documentation package: system architecture, data flow diagrams, training data sources, accuracy and performance metrics, and a description of the system’s intended purpose and known limitations. Second, evidence of a human oversight mechanism — a documented process by which a human with appropriate authority can review, override, or halt AI decisions on high-risk outcomes. Third, logging and audit trails sufficient to reconstruct any individual AI decision after the fact. Fourth, a risk management system: a documented record of what risks were identified, how they were evaluated, and what mitigations were implemented.
The most common gaps are the second and third. Teams build AI systems that perform well on average and treat that as compliance evidence. It is not. The EU AI Act requires that you demonstrate, with logs and process documentation, that the system’s behavior is monitored, that errors are surfaced, and that intervention is possible. A model that achieves 95% accuracy on your test set but has no oversight mechanism and no audit trail is not a compliant system.
Start with the inventory. List every AI system in production that might touch EU users. Classify each against the high-risk category list. For in-scope systems, the engineering work is almost always documentation and governance infrastructure — not model replacement. The AI itself rarely needs to change. The surrounding accountability layer is almost always the gap.
For Business Owners: Which Companies Are Exposed
The high-risk categories under the EU AI Act include biometric identification, critical infrastructure management, employment and HR tools (AI resume screening and interview scoring are explicitly included), credit and creditworthiness assessment, access to essential services, law enforcement, and healthcare AI. If your company uses AI in any of these areas and it touches EU users, you are almost certainly in-scope.
The enforcement mechanism is complaint-driven in its early phase, which has led some companies to calculate that the risk of a complaint is low enough to delay. That calculation has a flaw. The fines are calibrated to global annual turnover, not EU-specific revenue. For a US mid-market company at $50 million revenue, a 3% fine on a high-risk violation is $1.5 million. The compliance work typically costs a fraction of that.
Forrester’s 2026 research shows 60% of Fortune 100 companies are appointing dedicated AI governance leads this year. Mid-market companies don’t have that headcount option, but the compliance obligation is not smaller — the implementation approach differs. The six-week path: start with a scope assessment (a focused review of deployed AI systems and which EU users they affect — one to two days of focused work), classify each in-scope system against the high-risk category list, and prioritize conformity assessment effort by compliance gap size. The goal by August 2 is not perfection. It is a documented record of good-faith compliance activity.
My Take
At HBSGI, I architected an EDI claims-submission system from scratch, built to HIPAA ANSI standards — 837, 835, and 997 transaction sets. The specification governing that work ran over 800 pages. We tested against it procedurally and documented every gap as we closed it. The delivery followed PMI-standard project management throughout. That engagement taught me something that applies directly to the EU AI Act situation: regulatory compliance in technology is a requirements discipline.
The specification exists. Your job is to map your system against it, test where the gaps are, and document what you find — including the gaps and how you are closing them. Teams that approach compliance documentation the same way they approach requirements documentation — as an artifact that reflects reality — build systems that hold up under regulatory scrutiny. Teams that treat compliance as a performance for auditors scramble when scrutiny arrives.
The question the EU AI Act’s conformity assessment is designed to answer is: what does this AI system do, to whom, with what data, under what oversight, and what happens when it gets something wrong? Every engineering team with a deployed AI system that affects EU users should already be able to answer that question. If they can’t, August 2 will arrive before the answer is ready.
Six weeks is not enough time to build compliance infrastructure from scratch for a complex in-scope AI system. It is enough time to complete a scope assessment, classify your systems, produce the technical documentation for your highest-risk deployment, and establish a documented human oversight process. That is the minimum defensible position for August 2 — and it is achievable if the work starts this week.