Mark August 2, 2026 on your calendar. That's when the EU AI Act's most significant enforcement provisions take effect — and if your company deploys AI that affects EU users, your compliance window is now measured in weeks, not months. The penalties for non-compliance reach €35 million or 7% of global annual turnover for prohibited practices, and €15 million or 3% for high-risk AI violations. This is not a future problem. It is a now problem.
What August 2, 2026 Actually Means
The EU AI Act has been implemented in phases since February 2025. The first phase banned specific AI practices outright — social scoring systems, real-time biometric surveillance in public spaces, manipulation techniques exploiting psychological vulnerabilities. August 2, 2026 marks the enforcement date for Annex III: requirements for high-risk AI systems across sectors including biometric identification, critical infrastructure, education, employment, credit scoring, insurance, law enforcement, and the administration of justice.
According to Holland & Knight's April 2026 analysis, the scope for US companies is broader than most legal teams have assumed. Any AI system used within the EU — including software deployed from US servers but accessed by EU residents — falls under the regulation if it meets the high-risk classification. A US-based HR platform using AI to screen job applications for EU-based roles qualifies. A US financial services firm using AI to determine creditworthiness for EU customers qualifies. The regulation reaches across the Atlantic wherever the AI's outputs affect EU persons.
The 7 Compliance Steps and Why Most Companies Are Behind
Baker McKenzie's EU AI Act compliance guide identifies the concrete requirements due by August 2: completed conformity assessments, finalized technical documentation, CE marking affixed to applicable systems, EU database registration for high-risk systems, human oversight mechanisms in place, transparency obligations fulfilled, and data governance frameworks established for training data used in high-risk systems.
The before/after contrast for most US enterprises is stark. Before the EU AI Act, deploying an AI system to EU users required only standard data privacy compliance (GDPR). After August 2, high-risk AI systems require a formal conformity assessment — a documented process proving the system was designed, tested, and validated against the Act's requirements. For a mid-sized enterprise without dedicated AI governance staff, a conformity assessment takes 6–12 weeks to complete properly. Companies that started in May are finishing just in time. Companies that haven't started are already in violation territory.
What Counts as High-Risk — And What Doesn't
The high-risk classification catches more AI use cases than most companies expect. Annex III lists eight categories: biometric identification and categorization; management of critical infrastructure; education and vocational training; employment and workers management (CV screening, performance monitoring); access to essential services including credit scoring and insurance pricing; law enforcement; migration and border control; and administration of justice.
Notably absent: AI used purely for internal R&D with no external-facing outputs, AI spam filters, AI that assists rather than determines outcomes in low-stakes contexts, and narrow industrial optimization tools that don't interact with human outcomes. General-purpose AI models like GPT-5.5 face their own transparency requirements under the Act, but are not classified as high-risk solely by virtue of being large language models.
The Enforcement Reality: How Aggressively Will the EU Actually Act?
European legal observers are divided on enforcement intensity in the first year. The EU AI Office has limited staff relative to the volume of AI systems now in scope. Law firm Latham & Watkins published an April 2026 note suggesting initial enforcement will likely target high-profile, obvious violations — algorithmic hiring tools with documented bias, not a customer service chatbot with minor transparency gaps. But legal experts uniformly warn that "wait and see" is a risky strategy given the EU's track record of following through on GDPR enforcement after an initial grace period.
What This Means for You
If your company has any AI systems touching EU users, start a rapid compliance triage this week. Categorize every AI system by use case, identify which fall into Annex III's high-risk categories, and prioritize conformity assessments for those. If you're already GDPR-compliant with strong data governance, you have a significant head start. If you're not sure where to start, the EU AI Act's official compliance portal at digital-strategy.ec.europa.eu provides a self-assessment tool. Use it today.
Frequently Asked Questions (FAQs)
Q: Does the EU AI Act apply to US companies?
A: Yes. The EU AI Act applies to any company whose AI systems are used within the EU or produce outputs affecting EU residents, regardless of where the company is headquartered. US companies deploying AI services accessed by EU users must comply with applicable provisions.
Q: What are the fines for violating the EU AI Act?
A: Fines for prohibited AI practices reach €35 million or 7% of global annual turnover. Violations of high-risk AI requirements carry penalties of up to €15 million or 3% of global turnover. Transparency violations can result in fines of €7.5 million or 1.5% of turnover.
Q: What is a conformity assessment under the EU AI Act?
A: A conformity assessment is a documented process proving a high-risk AI system was designed, tested, and validated against the EU AI Act's requirements. It covers risk management, data governance, human oversight, accuracy, and transparency. Most high-risk systems can self-assess; some categories require third-party assessment.
Q: Does the EU AI Act affect Indian companies serving EU customers?
A: Yes. Like GDPR, the EU AI Act has extraterritorial reach. Indian IT services firms, SaaS providers, or AI platform companies deploying AI systems used by EU residents must comply. Indian companies with EU contracts should conduct the same compliance triage as their US counterparts.
For the contrasting US approach, see our breakdown of Trump's AI cybersecurity executive order. And for a global perspective on how AI regulation divergence affects multinational companies, our analysis of the EU vs US AI regulation split maps the full compliance landscape. August 2 is not a soft deadline — get your documentation in order now.