Table of Contents
⏱ TL;DR — Read This First:
- The August 2, 2026 enforcement deadline for high-risk AI systems under Annex III is now months away — not years.
- Most organizations are significantly behind on documentation, risk management, and human oversight requirements.
- This checklist gives you a concrete, week-by-week action plan to reach compliance before the deadline hits.
Let me be direct with you: if you’re reading this in early 2026 and you haven’t started your EU AI Act compliance programme yet, you’re behind. Not dangerously behind — not yet — but the window to get this right without a last-minute scramble is closing fast.
I’ve spent the last two years helping product teams, legal departments, and CTOs navigate EU AI regulation. The single biggest mistake I see? Treating August 2026 like a distant future event. It isn’t. It’s a six-month operational sprint that starts today.
This post gives you the practical, phase-by-phase checklist your team needs — not the theoretical overview you’ll find in a whitepaper, but the actual tasks, owners, and sequencing that make compliance achievable. For a full understanding of the law’s structure, read our Ultimate Guide to EU AI Act Compliance (2026 Edition).
Why August 2, 2026 Is the Date That Matters
The EU AI Act (Regulation 2024/1689) entered into force on August 1, 2024. It operates on a phased timeline, and August 2, 2026 is the most consequential date for most commercial AI operators — the point at which obligations for high-risk AI systems under Annex III become fully enforceable.
After that date, market surveillance authorities across EU member states have the legal mandate to audit your systems, demand documentation, and issue corrective orders. Fines for non-compliance reach €35 million or 7% of global annual turnover, whichever is higher. For a mid-sized SaaS company, that’s an existential number.
The official EU AI Act text is available on EUR-Lex if you want to read the source regulation directly. The European AI Office also publishes ongoing guidance at the European Commission’s AI policy hub.
Step 1 — Are You Even in Scope? (Weeks 1–2)
Before you build a compliance programme, confirm you actually need one at this tier. The EU AI Act creates different obligations depending on whether you’re a Provider (you build or substantially modify the AI system) or a Deployer (you integrate someone else’s AI into your operations). For a detailed breakdown, read our post on Provider vs. Deployer: Which EU AI Act Obligations Apply to You?
Your first task is scope confirmation:
- Identify every AI system your organisation builds, operates, or purchases. If you don’t have a centralised inventory, start one now. Our post on why you need a centralised AI system inventory explains how to build this from scratch.
- Map each system against Annex III. High-risk categories include AI used in recruitment, credit scoring, biometric identification, safety-critical infrastructure, education, and law enforcement assistance.
- Assess GPAI exposure. If you use a general-purpose AI model (like GPT-4, Claude, or Gemini) as a core component of a product, you have deployer obligations even if you didn’t build the underlying model.
- Document your conclusions. A scope determination memo — even a two-page internal document — is evidence of good-faith assessment if you’re ever audited.
Step 2 — The Compliance Gap Analysis (Weeks 3–5)
Once you’ve confirmed scope, you need an honest gap analysis. This is where most organisations discover they’re further behind than they thought. A gap analysis compares your current state against the legal requirements and produces a prioritised remediation list.
What Does a High-Risk AI Compliance Programme Actually Require?
Under Articles 8 through 15 of the EU AI Act, high-risk AI system providers must have all of the following in place before August 2026:
| Requirement | Governing Article | Typical Gap Found | Effort to Close |
|---|---|---|---|
| Risk Management System | Article 9 | No documented residual risk log | Medium (3–6 weeks) |
| Technical Documentation (Annex IV) | Article 11 | Fragmented or missing entirely | High (6–10 weeks) |
| Data Governance Records | Article 10 | Training data provenance undocumented | High (4–8 weeks) |
| Human Oversight Mechanisms | Article 14 | Override controls not documented | Medium (2–4 weeks) |
| Accuracy, Robustness & Cybersecurity | Article 15 | No formal performance benchmarks recorded | Medium (3–5 weeks) |
| EU Declaration of Conformity | Article 47 | Not drafted | Low (1–2 weeks once docs are ready) |
| Post-Market Monitoring Plan | Article 72 | No systematic monitoring in place | Medium (3–4 weeks) |
| AI Literacy Training for Staff | Article 4 | Zero formal training programmes | Low–Medium (2–3 weeks) |
Run this table as a literal checklist in your first team meeting. Assign an owner and a due date to every row. That’s your compliance roadmap.
Step 3 — Technical Documentation Sprint (Weeks 5–12)
Article 11 and Annex IV of the EU AI Act define exactly what your Technical File must contain. This is the single most time-consuming element of compliance for most engineering teams — and the one that catches people out most often during audits.
Your Technical File must include:
- A general description of the AI system, its purpose, and intended use cases
- A description of the elements and development process (architecture, training approach, datasets used)
- Detailed information on monitoring, functioning, and control mechanisms
- Risk management documentation (Article 9 outputs)
- Data governance practices and dataset characteristics
- Validation and testing results — including bias assessments
- Cybersecurity measures and resilience documentation
For engineering teams building this from scratch, our guide to automating Article 11 technical documentation shows you exactly how to structure this without writing 200-page PDFs by hand. Unorma’s Document Generator (F06) can auto-populate the majority of Annex IV fields directly from your system’s metadata.
Step 4 — Register in the EU AI Database (Weeks 10–14)
Article 71 requires providers of high-risk AI systems to register in the EU’s public AI database before placing their product on the market. This is a non-negotiable administrative step that many teams forget until the last minute.
Registration requires your Technical File to be substantially complete — you cannot register without core system information. Build this step into your timeline at Week 10 to 14, once your documentation sprint is well underway.
Step 5 — Human Oversight and Training (Weeks 12–18)
Article 14 mandates that high-risk AI systems are designed and deployed in ways that allow human operators to meaningfully oversee, intervene in, and if necessary override the system’s outputs. This isn’t just a policy statement — it requires demonstrable technical controls.
Simultaneously, Article 4 introduces mandatory AI literacy requirements. Every staff member who works with or is affected by your AI system must receive appropriate training. Read our dedicated post on meeting mandatory AI literacy training requirements to understand what “appropriate training” actually looks like in practice.
For the governance framework that ties all of this together — from ethics committees to insurance considerations — see our AI Governance Framework pillar guide.
Step 6 — Mock Audit Before the Real One (Weeks 18–22)
Four to six weeks before your target compliance date, run a structured internal simulation. This is the step that separates organisations that pass conformity assessments from those that scramble to fix gaps under regulatory pressure.
A mock audit should test:
- Whether your Technical File is complete and internally consistent
- Whether your risk management documentation is current and signed off
- Whether human oversight controls are operational and documented
- Whether post-market monitoring is actively running
- Whether your EU Declaration of Conformity is accurate and dated
Unorma’s Audit Simulation tool (F08) runs exactly this kind of structured gap check — surfacing missing fields, outdated records, and logical inconsistencies in your documentation before a real auditor does. Our post on what a mock audit actually involves covers the methodology in detail.
The Complete 6-Month Phase Summary
| Phase | Weeks | Key Deliverable | Owner |
|---|---|---|---|
| Scope & Inventory | 1–2 | AI system inventory + scope memo | Legal / Product |
| Gap Analysis | 3–5 | Remediation roadmap with owners | Compliance Lead |
| Technical Documentation | 5–12 | Complete Annex IV Technical File | Engineering / Product |
| EU Database Registration | 10–14 | Registration confirmed | Legal |
| Oversight & Training | 12–18 | Controls live + staff trained | Product / HR |
| Mock Audit | 18–22 | Audit simulation report + fixes | Compliance Lead |
Don’t Let Perfect Be the Enemy of Compliant
One more thing I tell every client at the start of a compliance sprint: you don’t need a perfect system by August 2026. You need a documented, defensible, continuously improving system. Regulators distinguish between organisations that are genuinely working toward compliance and those that have done nothing. Your paper trail matters as much as your technical implementation.
Start now. Document as you go. Use tools that reduce the manual overhead so your team can focus on substance, not formatting. And when you’re ready to test how close you actually are, run a free audit simulation on Unorma to get a compliance score across every Article 9–15 requirement.
Frequently Asked Questions
What is the exact deadline for EU AI Act compliance in 2026?
August 2, 2026 is the date by which providers and deployers of high-risk AI systems under Annex III must have their full compliance programme operational. Prohibited AI practices were banned from February 2, 2025. GPAI model obligations applied from August 2, 2025. The August 2026 date covers the largest and most commercially significant category of obligations.
Does the EU AI Act apply to companies outside the EU?
Yes. The Act has explicit extraterritorial reach under Article 2. If you’re a non-EU company whose AI system produces outputs used within the EU — or if your system affects EU-based individuals — you are subject to the regulation. This mirrors how GDPR applies globally.
What counts as a “high-risk” AI system under the Act?
High-risk AI is defined in Annex III and includes systems used in: biometric identification, management of critical infrastructure, education and training, employment and worker management, access to essential services (credit, insurance, social benefits), law enforcement, migration, and the administration of justice. See our dedicated post on Annex III classifications for worked examples.
Can I self-certify, or do I need a Notified Body?
Most Annex III high-risk AI systems can undergo a conformity assessment through an internal procedure (self-certification), provided no harmonised EU technical standard covers the system. However, certain categories — particularly biometric identification systems — require a third-party Notified Body assessment. Check Article 43 and Annex VII to determine which route applies to your system.
What if I can’t complete full compliance by August 2026?
Document everything you’ve done and establish a clear, time-bound remediation plan. Regulators across Europe have indicated they will consider the maturity of a compliance programme — including evidence of good-faith effort — when assessing enforcement priorities. An organisation with a documented gap analysis and active remediation programme is in a categorically different position from one that has done nothing at all.
How long do I need to keep compliance records?
Under Article 12, the automatic logging systems of high-risk AI must retain logs for at least six months, unless EU or national law specifies otherwise. Technical documentation and Declaration of Conformity records must be retained for ten years after the system is placed on the market or put into service (Article 18). Build record retention into your compliance architecture from day one.
Ready to find out where you actually stand?
Run Unorma’s free Audit Simulation and get a compliance score across every Article 9–15 requirement in under 10 minutes .Run Your Free Audit Simulation →
Jasper Claes is a Compliance Manager and consultant specializing in AI governance for high-scale technology companies operating in regulated markets. He advises product and legal teams on implementing practical compliance frameworks aligned with evolving regulations such as the EU AI Act. Through his writing, Jasper focuses on translating complex regulatory requirements into clear, actionable guidance for teams building and deploying AI systems.