Every week I get a call that starts the same way. "We need to be EU AI Act compliant by August. What do we do." I spend the first ten minutes asking the caller to tell me what they think August 2 actually is. Nine times out of ten, it is one blob of "the thing happens."
It is not one thing. It is five separate obligations landing in the same seven-day window, and they apply to different people at different cost scales. If you are thinking about this as a single deadline, you will miss three of the five.
What actually lands on August 2, 2026.
For the record, here is the Commission's own timeline:
| Date | What applies |
|---|---|
| Aug 1, 2024 | Act enters into force. Countdown starts. |
| Feb 2, 2025 | Prohibited AI practices (Article 5) + AI literacy obligations (Article 4). |
| Aug 2, 2025 | General-purpose AI rules, governance structure, member-state penalties framework. |
| Aug 2, 2026 | The rest of the Act. Annex III high-risk systems. National competent authorities. Regulatory sandboxes. |
| Aug 2, 2027 | High-risk systems embedded in products listed under Annex I (medical devices, toys, machinery, etc.). |
August 2, 2026 is the big bucket. Not because it is the final deadline (2027 is for embedded product AI), but because it is the one most non-embedded SMBs end up in without realizing it.
The five obligations stacked in that week.
If you operate, deploy, or provide an AI system in the EU market, here is what the same date means for you.
1. Annex III high-risk classification becomes enforceable.
This is the one everyone talks about. The eight domains are biometrics, critical infrastructure, education and vocational training, employment and HR, essential private and public services (credit scoring, insurance pricing, benefits eligibility), law enforcement, migration and border, and administration of justice. If your product touches any of these, you need a risk management system, data governance records, technical documentation, logging, transparency, human oversight, and post-market monitoring. Not aspirationally. Evidentially.
2. AI governance at the member-state level goes live.
Each EU country must have a notified body, a market surveillance authority, and a national competent authority designated by that date. This matters because complaints and audits now have a desk to land on. Before August 2, 2026, the regulator is an abstraction. After, it has an address and an email.
3. Penalty scaffolding is now fully in force.
The Act defines three fine tiers, and they scale with turnover, not revenue. For SMEs the caps are the lower of the two amounts; for larger firms, the higher.
| Violation type | Upper cap |
|---|---|
| Prohibited practices (Article 5) | €35M or 7% of global annual turnover |
| Non-compliance with most obligations (high-risk, transparency, GPAI) | €15M or 3% |
| Supplying incorrect, incomplete, or misleading info to authorities | €7.5M or 1% |
The math that matters: for a $2M ARR company, 3% of global turnover is $60K. That is a fine for the paperwork being wrong, not for the AI being wrong. The cost of not having a decision log is larger than most SMB AI consulting budgets.
4. Regulatory sandboxes become accessible.
Each member state must have at least one AI regulatory sandbox operational. This is the good news. Startups can test high-risk systems under supervision, with temporary derogations, and get iterative feedback before going to market. If your product is borderline high-risk, the sandbox is the move, not the lawyer.
5. Documentation retention clocks start.
Providers of high-risk systems must retain technical documentation and automatically generated logs for at least 10 years after the system is placed on the market. Ten. The retention clock starts the day you ship, and it runs regardless of whether the feature is still shipping. This is the one that quietly kills teams later, nobody has 10-year log retention on an internal tool.
The one most SMBs are going to miss.
It is not Annex III. Most SMBs already know they are in one of the eight domains, a recruiter using AI screening, a clinic using decision-support software, a fintech doing credit scoring, an insurer pricing premiums. They see themselves in the list.
The miss is the 10-year log retention clock. The Annex III obligation is visible. The retention obligation is a footnote inside it, and it has the longest tail of any requirement in the entire Act. Every team I audit has 30-day log retention on their observability stack because that is what Datadog, Sentry, and Vercel charge for. Nobody has budgeted to keep model inputs, model outputs, and decision rationales for a decade.
This is why I push the decision-log concept at every engagement. Not because it is a product pitch. Because it is the one artifact that, if you start producing it in April, will still be discoverable in the April audits of 2036. Call logs won't be. They will be long since archived, rotated, and lost.
What to do before August.
There are exactly three things worth doing in the next 100 days, in order.
- Classify. Does your product touch an Annex III domain? Yes or no. If yes, you are in the regime regardless of how small you are. The only SMB carveout is fine sizing, not exemption.
- Decide your retention architecture. Where will you keep model inputs, model outputs, and decision rationale for ten years? Not "eventually." Now. Every day you ship without this is a day you will have to reconstruct later.
- Book the sandbox slot. If you are borderline or first-to-market in a regulated vertical, the sandbox is free regulatory iteration. It is not a consolation prize. It is the fastest way to ship something defensible.
Notice none of these require a $40K compliance platform. They require decisions. Nobody has to sell you a tool for this. Somebody has to make you sit down and answer three questions.
The closing line I give to every caller.
August 2, 2026 is not when the EU AI Act becomes real. It became real on August 1, 2024. What August 2026 does is make it enforceable. The two-year grace period was always meant for you to build the paper trail. If you have not started, starting this week is the cheapest it will ever be. Starting in August will be the most expensive.
Most of this is just writing things down. The regulator is not asking for philosophy. It is asking for records. You either have them, or you don't, and the only thing standing between the two outcomes right now is a decision to write a four-field log every time your system makes a material choice.
Math isn't optional. The dates aren't negotiable. The retention clock starts regardless of whether you are ready for it. Start the paper trail.