The EU AI Act: What Becomes Mandatory on 2 August 2026 for a Business
By Anis Hammouche·May 31, 2026·10 min read
If your business uses an AI tool to screen CVs, score credit applications, or assess employee performance, one date belongs in your calendar: 2 August 2026. That is the day most of the European AI regulation becomes applicable. With it comes a block of obligations aimed at exactly those uses. A partial delay is under discussion in Brussels, but it has not been adopted, and betting on it would be risky.
What exactly triggers on 2 August 2026
The AI Act does not land all at once. The regulation entered into force on 1 August 2024 and applies in waves. Some obligations have been active for more than a year already.
Three deadlines have already passed:
- Since February 2025, prohibited practices (Article 5) are penalized: subliminal manipulation, exploitation of vulnerabilities, social scoring.
- Since February 2025, the AI literacy obligation (Article 4) requires that staff using AI be trained on how it works and where it falls short.
- Since August 2025, providers of general-purpose AI models (GPAI) carry documentation and copyright obligations.
2 August 2026 opens the wave that directly concerns businesses using AI: the obligations on high-risk systems under Annex III come into application. This is the part of the text that touches the most companies, because it targets everyday uses, not research labs.
Are you concerned: the high-risk question
The regulation does not treat every AI use the same way. It sorts them by risk level. The category that triggers the most obligations is the high-risk systems defined in Annex III. Eight domains are listed. Three come up constantly in businesses:
- Human resources: candidate screening tools, shortlisting, performance evaluation, support for promotion decisions.
- Access to essential services: creditworthiness scoring, eligibility assessment for a loan or insurance.
- Biometrics: identification or categorisation of people, emotion recognition.
Remember this: classification does not depend on your size or your sector, but on what your AI system is used for. A CV-screening tool used by a 30-person company falls in the same category as one used by a large group. It is not the software that gets labeled, it is what it decides.
| AI use in the business | Likely classification |
|---|---|
| Customer information chatbot | Limited risk (transparency) |
| Marketing content generation | Minimal risk |
| Automated candidate screening | High risk (Annex III) |
| Credit application scoring | High risk (Annex III) |
| Employee performance evaluation | High risk (Annex III) |
Provider or deployer: your obligations differ
The regulation separates two roles, and most businesses are deployers, not providers. The provider designs the system and places it on the market. The deployer uses it in its operations. If you buy a CV-screening tool from a vendor and run it on your candidates, you are a deployer.
The provider's obligations are the heaviest: a risk management system across the whole lifecycle, full technical documentation, a conformity assessment, registration in the European database, post-market monitoring. That is your vendor's job.
Your deployer obligations are concrete and fall on you directly:
- Inform the people subject to a decision made or assisted by the high-risk AI system.
- Ensure genuine human oversight, not a rubber-stamp validation.
- Keep the logs generated by the system for at least six months.
- Carry out, where required, a fundamental rights impact assessment before putting the system into service.
These obligations cannot be handed back to the vendor. Even if the tool is compliant on the provider side, how you use it remains your responsibility. This extends directly from our article on the auditability of AI systems: without traceability organised upfront, these obligations become impossible to meet on the day of an inspection.
The delay under discussion: why you should not wait for it
One element complicates the calendar. On 7 May 2026, the European Council and Parliament reached a political agreement on a text called the Digital Omnibus. That text proposes to push the application of the Annex III high-risk obligations to 2 December 2027, sixteen extra months.
Three reasons not to rely on it:
- A political agreement is not a law. Until the revised text is formally adopted and published in the Official Journal of the European Union, the binding deadline stays 2 August 2026.
- Prohibited practices, AI literacy and GPAI obligations are not affected by this delay. They already apply.
- Reaching compliance takes months. A business that waits for the delay to be confirmed before acting will face, if the text stalls, having to do everything in a few weeks.
Do not bet on the delay. Reach compliance as if the August 2026 deadline held. If the delay goes through, you will have gained time, not an exemption.
What a leader should have prepared before summer
The obligations are technical, but the groundwork is a leadership matter, not the IT team's alone. Four concrete actions:
- Inventory your AI systems. List every tool using AI across your processes, including those embedded in software you had not flagged as such (a scoring module inside your CRM, for instance).
- Classify each use. For each one, decide whether it falls under Annex III. When in doubt on an HR, credit or biometric use, assume it is concerned until proven otherwise.
- Question your vendors. Ask each provider for the compliance documentation, the declaration of conformity, and the registration in the European database. A vendor unable to answer is a risk you are carrying on their behalf.
- Document your use. Put human oversight, log retention and information of affected people in place. That documentation is what an inspection will ask for.
How SolidScale builds compliance into the S3 method
AI Act compliance is not a layer you add at the end of a project. In the Scan, Solve, Scale method, it is set from the framing stage.
Scan: the free 30-minute audit includes a read of your AI uses through the Annex III lens. The question "is this system high-risk, and who is its deployer" is asked before the technical brief. Framing an HR or credit project without that question means building a compliance debt that costs more at inspection time.
Solve: for high-risk use cases, we design the architecture with traceability and human oversight built in, not bolted on afterward. Logs, information of affected people, and human checkpoints are part of the deliverable, not a later patch.
Scale: continuous monitoring includes watching how the regulatory calendar evolves. If the Digital Omnibus delay is published, or if one of your uses changes classification, you know before it becomes an operational problem.
Key takeaways
2 August 2026 brings the AI Act obligations on high-risk systems into application, and those uses are more common than people assume.
- 2 August 2026 triggers the high-risk obligations of Annex III: HR, credit, scoring, biometrics.
- As a deployer, you have your own obligations: information, human oversight, log retention, impact assessment.
- The delay to 2 December 2027 is an unpublished political agreement, not something to wait for.
- Penalties reach 35 million euros or 7 percent of global turnover.
The concrete action fits in one sentence: inventory your AI uses, classify those touching HR, credit or biometrics, and require compliance documentation from your vendors before summer.
Frequently asked questions
Is my business concerned even if it is small?
Yes. Classification depends on the use of the AI system, not on turnover or headcount. A candidate-screening tool used by a small company falls in the same high-risk category as one used by a large group. Obligations vary by role (provider or deployer) and risk level, not by size.
Does the delay to December 2027 excuse me from preparing now?
No. The delay is only a political agreement from 7 May 2026, not yet adopted or published in the Official Journal. Until it is, the legal deadline stays 2 August 2026. Reaching compliance takes months: waiting for the delay to be confirmed risks having to do everything in a rush if the text stalls.
What is the difference between a provider and a deployer of an AI system?
The provider designs the system and places it on the market. The deployer uses it in its operations. Most businesses are deployers: they buy a tool and apply it to their candidates or customers. The heaviest obligations sit with the provider, but the deployer has its own obligations (information, oversight, logs) that cannot be delegated.
What does my business risk if it is not compliant?
AI Act penalties can reach 35 million euros or 7 percent of annual global turnover, depending on the nature of the breach. Beyond the fine, a non-compliant high-risk system may have to be withdrawn, with the disruption to business processes that implies.
Sources
- Regulation (EU) 2024/1689 of the European Parliament and of the Council (AI Act), Annex III and implementation timeline, artificialintelligenceact.eu/implementation-timeline
- AI Act Service Desk (European Commission), Timeline for the Implementation of the EU AI Act, ai-act-service-desk.ec.europa.eu
- Holland & Knight, U.S. Companies Face EU AI Act's Possible August 2026 Compliance Deadline, April 2026, hklaw.com
- Cloud Security Alliance, EU AI Act High-Risk Compliance Deadline, labs.cloudsecurityalliance.org
S3 Framework · Scan · Solve · Scale
Ready to take action?
A free 30-minute audit to identify your first AI opportunities. Diagnosis delivered within 48h. No commitment.