Just a few months to go. On August 2, 2026, the core obligations of the EU AI Act will become mandatory for high-risk AI applications. For IT and compliance managers, this means there is a lot of work to be done. And time is running out.
This article explains which AI applications are affected, what specific actions companies need to take, and what steps need to be taken next. It includes a clear timeline and seven actionable recommendations that can be implemented immediately.
The Schedule: What Applies When
The EU AI Act entered into force in August 2024, but its obligations do not apply all at once; they come into effect in phases. Here is an overview:
| Date | Status | What applies |
|---|---|---|
| August 2024 | In force | EU AI Act officially in effect. Companies can begin preparation. |
| February 2025 | Already applies | Prohibitions for unacceptable risk are binding (social scoring, manipulative AI, etc.) |
| August 2025 | Already applies | Obligations for providers of general-purpose AI models (GPAI). |
| August 2026 | Next deadline | Obligations for high-risk systems (Annex III) become binding. |
| August 2027 | Upcoming | Obligations for high-risk systems in certain regulated products (Annex I). |
What this means for businesses: The bans on unacceptable risk have been in effect since February 2025. Any company still using social scoring or manipulative AI is already in violation of the regulation. The key deadline for the majority of affected businesses is August 2026.

Why many companies are unprepared
The EU AI Act is the world’s first comprehensive AI regulation. Its scope is broader than many realize. High-risk AI is already in use at many companies: in HR systems, credit checks, fraud detection, and recruiting tools.
According to a Deloitte study (2025), 58 percent of European companies have not yet conducted a full inventory of their AI applications. That is the first problem, because ignorance is no defense against penalties.
The penalties are substantial. Violations of regulations for high-risk systems can cost up to 15 million euros or 3 percent of global annual revenue. Violations of the prohibitions can cost up to 35 million euros or 7 percent.
The four risk levels of the EU AI Act
The regulation classifies AI applications into four categories. The burden on businesses depends directly on the classification:
| Risk level | Typical examples | What applies |
|---|---|---|
| Prohibited | Social scoring, manipulation by AI, real-time biometrics in public spaces | Not permitted, without exception |
| High (Annex III) | Applicant screening, credit scoring, biometric categorisation, AI in critical infrastructure | Strict obligations: risk management, documentation, logging, human oversight |
| Limited | Chatbots, deepfakes, generative content | Transparency obligation: users must be informed that they are interacting with AI |
| Minimal | Spam filters, simple automation, AI in games | No specific obligations |
Key point: The AI product alone does not determine the risk level. What matters is how it is used. A generic chatbot can pose a high risk if it makes preliminary selection decisions during the hiring process. An AI tool for summarizing text generally poses minimal risk. IT and compliance must assess this difference together.
Which AI applications are high-risk?
Annex III of the Regulation lists the high-risk use cases. These areas are relevant to most companies:
- Human Resources and Employment: Candidate screening, performance evaluations, automated decisions regarding promotions or terminations
- Lending and Financial Services: Credit checks, credit scoring, risk models for insurance companies and banks
- Critical Infrastructure: AI systems in energy, water, transportation, or digital infrastructure
- Education and vocational training: automated exam grading, admissions decisions
- Biometric systems: categorization of individuals, emotion recognition in the workplace
For many small and medium-sized businesses, the first two areas are particularly relevant. Companies that use AI in HR processes or financial auditing most likely fall into the high-risk category.

What high-risk AI applications must be capable of
Starting in August 2026, the following requirements will apply to systems listed in Annex III:
- Risk management system: Structured, documented process for identifying, analyzing, and controlling risks throughout the entire lifecycle.
- Data quality and governance: Training data must be representative and free from unacceptable biases. Origin and quality must be proven.
- Technical documentation: Complete description of the system, its architecture, performance limits, and testing procedures. Must be available before deployment.
- Logging and monitoring: Automatic logging of security-relevant events. Logs must be traceable, immutable, and retained for a sufficient duration.
- Transparency and user information: Users must know that they are interacting with an AI system and receive sufficient information to understand decisions.
- Human oversight: Mechanisms that enable humans to monitor, stop, or correct the system. Fully automated decisions without human control are not permitted in high-risk areas.
- Accuracy and robustness: Systems must be reliable and fault-tolerant. Deviations and errors must be logged and addressed.
7 Recommendations for IT and Compliance
1. Build AI inventory
Create a complete list of all AI applications in the company: internally developed systems, purchased software, and third-party APIs. Embedded AI functions in ERP, HR, or CRM systems must also be recorded. Without a complete inventory, no compliance statement is possible.
2. Check risk classification according to Annex III
For each system in the inventory list, check: Does the intended use fall under Annex III? The EU Commission provides a self-assessment tool. Important: The classification is based on the actual intended use, not the product name provided by the supplier. Keep the classifications in writing and date them.
3. Set up governance structure
Appoint a responsible person or role for AI compliance. In larger companies, an interdisciplinary AI board consisting of IT, Legal, HR, and Compliance is recommended. Without clear responsibilities, the process gets stuck and no one feels accountable when it gets serious.
4. Start technical documentation
The documentation requirements take time. Relevant questions: How was the system developed or selected? What data does it use? How was it validated? What are the performance limits? How are errors handled? Everything in writing, versioned, and auditable. Whoever starts now won’t be under pressure in August.
5. Review and adjust third-party contracts
Many high-risk AI applications come as a product from a provider. As the operator, you also bear compliance obligations for purchased systems. Check: Does the provider deliver the necessary technical documentation? Are there logging functions? Are transparency obligations contractually regulated? Adjust contracts and SLAs accordingly.

6. Set up logging and monitoring
For high-risk systems, technical infrastructure is needed for traceable logging. Inputs, outputs, decision events, and errors must be logged. Ensure that logs are stored immutably and retained long enough to be robust in case of an audit.
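One technical building block for the "stored immutably" requirement, as an added example that is not part of the article: a hash-chained decision log in Python, where each record of an input, output, decision or human override links to the previous record's SHA-256, so that verification pinpoints the first altered or deleted entry. The event names, field names and the sample HR-screening entries are constructed for illustration.

```python
import hashlib
import json
import time

# Constructed example: a tamper-evident, append-only decision log. Each entry
# embeds the hash of its predecessor, so editing or deleting any past record
# breaks the chain at that point. Field names are our own choice.
GENESIS = "0" * 64


def _entry_hash(entry):
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class DecisionLog:
    """Append-only log of inputs, outputs, decision events, errors and overrides."""

    def __init__(self):
        self.entries = []

    def append(self, event_type, system_id, payload, operator=None, ts=None):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "ts": ts if ts is not None else time.time(),
            "event_type": event_type,   # input, output, decision, error, override
            "system_id": system_id,
            "operator": operator,       # human reviewer who acted, if any
            "payload": payload,
            "prev_hash": prev,
        }
        entry["hash"] = _entry_hash(entry)  # hash covers every field above
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, first_bad_seq); recomputes every hash and every link."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _entry_hash(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def build_sample_log():
    # Constructed entries for a hypothetical applicant-screening system.
    log = DecisionLog()
    log.append("input", "hr-screening-v2", {"applicant_id": "A-1001", "years_exp": 4}, ts=1.0)
    log.append("decision", "hr-screening-v2", {"applicant_id": "A-1001", "score": 0.31, "outcome": "reject"}, ts=2.0)
    log.append("override", "hr-screening-v2", {"applicant_id": "A-1001", "outcome": "advance"}, operator="reviewer-07", ts=3.0)
    return log
```

An in-memory list only demonstrates the chaining; in operation the latest hash would be anchored outside the system (for example, a periodically signed checkpoint written to WORM storage) so that the whole chain cannot be silently rewritten.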
7. Train employees
Compliance is not just an IT project. Everyone who works with high-risk AI systems or makes decisions based on their outputs needs basic knowledge: What can the system do? Where are its limits? How do I recognize mistakes? How do I escalate? Plan concrete training formats before August comes. Awareness campaigns are not enough.
Conclusion: Start with structure, don’t wait
The EU AI Act imposes specific obligations on companies. This is not a reason to panic, but a clear mandate: Build inventory, classify systems, define governance, document, review contracts, set up logging, train employees.
Whoever goes through this process properly gains more than legal certainty. Transparently documented AI systems are easier to maintain, more comprehensible for stakeholders, and more stable in operation. Compliance and quality go hand in hand here.
August 2026 is the goal. The starting point is now.