The EU AI Act's high-risk AI obligations apply from 2 August 2026. The European Commission proposed pushing that to December 2027 via the Digital Omnibus, but the April 2026 trilogue ended without agreement. Until formal adoption occurs, the original deadline stands.
Organisations that paused their compliance programmes are now behind those that didn't. Don't plan around the deferral. Prepare for August.
THE DEADLINE TIMELINE
| Date | What applies |
|---|---|
| Feb 2025 | Prohibited AI practices banned - already enforced |
| Aug 2025 | GPAI transparency obligations - already enforced |
| 2 Aug 2026 | High-risk AI system obligations - the live deadline |
| Aug 2027 | Legacy systems must be compliant - transition period closes |
| Dec 2027 | Digital Omnibus deferral date - contingent on agreement |
THE FIVE RISKS YOU'RE PROBABLY UNDERESTIMATING
1. You don't have a complete AI inventory
Without an auditable register that maps each system to the Annex III risk categories and distinguishes your role as provider or deployer, you can't know what the Act requires of you.
Coltech's AI System Classification service builds that register, before the regulator asks for it. Get in touch with one of our experts now to discuss further.
2. Your documentation is retrospective
Article 11 requires technical documentation developed alongside the system, not assembled before an audit. Regulators can tell the difference, and enforcement outcomes reflect it.
3. Human oversight is nominal, not real
Article 14 requires genuine override capability, not a dashboard tick-box. If the override mechanism feeds back into the same model, it doesn't qualify.
4. Third-party AI tools are your problem too
Deployers retain obligations regardless of who built the model. If your AI provider can't supply the documentation you need for Annex III compliance, the liability stays with you.
5. Your AI contracts haven't caught up
Procurement processes are still signing AI tools into the business without legal or engineering review of the compliance obligations they create. Post-signature remediation is expensive.
THE PENALTY STRUCTURE
| Violation | Maximum penalty |
|---|---|
| Prohibited AI practices | €35M or 7% global turnover |
| High-risk system failures | €15M or 3% global turnover |
| Misleading information to regulators | €7.5M or 1.5% global turnover |
GDPR and AI Act violations can stack. The same system can attract separate fines under both regimes for different failures. UK organisations are not exempt. The Act applies wherever your AI affects EU users.
WHAT THE ACT ACTUALLY REQUIRES TECHNICALLY
Articles 9 to 15 impose six real engineering obligations for high-risk systems: a continuous risk management process embedded in your SDLC, documented data governance for training, validation, and test sets, contemporaneous technical documentation, automatic operational logging, genuine human oversight with override capability, and defined accuracy and robustness thresholds with cybersecurity controls.
These are architecture decisions, not policy documents.
Coltech's Technical Compliance Engineering practice embeds these requirements directly into your development lifecycle. Find out how by reaching out to a Coltech representative.
YOUR PRIORITIES FOR THE REMAINING TIMEFRAME
- Complete your AI system inventory and classify everything against Annex III
- Audit third-party AI providers for documentation gaps
- Start technical documentation now. Contemporaneous records are the only kind that count
- Test override mechanisms at the technical layer, not just on paper
- Align your GDPR and AI Act data governance into a single programme
Time is of the essence. Let's use it well.
We work with engineering and technology leadership to close the gap between your current AI estate and August 2026 compliance obligations with technical rigour, not just policy templates.
*This article is for informational purposes only and does not constitute any form of technical or legal advice.