
On August 2, 2026 – in less than two months – the EU AI Act (Regulation (EU) 2024/1689) will fully enter into force with its core obligations for high-risk AI systems. This marks the end of the two-year transition period that companies received after the regulation came into effect in August 2024. Those who have not yet established a compliance framework risk significant fines and an operational ban on their AI applications. The EU AI Act is the world’s first comprehensive AI regulatory framework and sets the most far-reaching requirements to date for companies that deploy or market artificial intelligence in Europe.
The EU AI Act follows a risk-based approach: the higher the risk a system poses to fundamental rights, health, or safety, the stricter the requirements. In addition to the outright prohibition of particularly dangerous AI applications – such as social scoring or mass biometric surveillance in public spaces – and specific transparency obligations for limited-risk AI systems, so-called high-risk AI systems form the regulatory centrepiece of the legislation. For this category, a comprehensive compliance regime combining technical, organizational and legal requirements will apply from August 2, 2026. Companies active in this space must act now.
Classification as high-risk AI is governed by Annex III of the Regulation, which exhaustively defines which areas of application are considered particularly risky. Covered are systems in the fields of biometrics, critical infrastructure, education, employment and human resources, credit and insurance, law enforcement, migration and asylum, as well as justice and democracy. Many companies are already using AI tools that fall into these categories today – such as automated pre-screening tools for job applicants, AI-powered credit scoring systems, or biometric time-tracking systems. Particularly in the areas of human resources and financial services, there is considerable need for action.
Importantly, classification depends not on the technology itself, but on the specific intended purpose. One and the same AI system may or may not be classified as high-risk depending on its use case. For example, a language model used for internal knowledge management purposes is subject to different requirements than the same model deployed for automated personnel decisions. This purpose-bound nature of classification makes careful individual assessment of each deployed AI system indispensable. The European Commission was required to publish classification guidelines by February 2, 2026 – but missed this deadline, meaning companies currently need to classify based on the regulation text and its recitals alone.
The EU AI Act sets out a comprehensive set of requirements for high-risk AI systems, which primarily affect providers – that is, companies that develop or place such systems on the market. A continuous risk management system must be established for each high-risk AI system and operated throughout the system’s entire lifecycle. This system must systematically identify, assess, and mitigate risks through appropriate technical or organizational measures. The risk management system is not a one-time project, but an iterative process requiring regular reviews and updates.
Each high-risk AI system must be fully technically documented before being placed into service. The documentation must cover system architecture, training methodologies, datasets used, test protocols and performance metrics, and must be kept up to date at all times. In addition, the EU AI Act imposes strict data governance requirements: training and test data must be selected and prepared according to appropriate data governance practices, and known biases must be identified and, wherever possible, remediated. AI systems must also create logs enabling subsequent review of all relevant decisions, and extensive transparency obligations apply towards users and competent authorities.
A central principle of the EU AI Act for high-risk AI is ensuring effective human oversight. High-risk AI systems must be designed and developed in such a way that natural persons can effectively monitor, understand, review, override, stop, or shut down the system’s outputs. In practice, this means that fully automated decision-making processes without human review are not permissible for high-risk applications. Companies must implement technical mechanisms that structurally enable such oversight. Before a system is placed into service, a conformity assessment must be completed and the system registered in a central EU database before the CE marking may be affixed.
The EU AI Act distinguishes between providers who develop or place high-risk AI systems on the market, and deployers who use such systems within their own organizations. Significant obligations also apply to deployers: they must use the system exclusively within the intended purpose defined by the provider, implement appropriate technical and organizational measures, train their staff, and implement human oversight in accordance with the provider’s specifications. Serious malfunctions and incidents must be reported to the provider and, in certain circumstances, to the competent market surveillance authority. For companies deploying commercially available high-risk AI systems, this means compliance responsibility does not end with the purchase of an AI license. Whoever operates a high-risk AI system within their organization bears independent legal responsibility towards the legislator.
The EU AI Act provides for significant fines that vary depending on the nature of the breach. Violations of the obligations for high-risk AI systems can be fined up to €15 million or 3% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In Germany, the Federal Office for Information Security (BSI) acts as the primary national market surveillance authority. The BSI has announced that it will conduct active inspections from August 2026 onwards and can, in addition to fines, prohibit the operation of a non-compliant AI system or order a market recall. Reduced fine ceilings apply for micro-enterprises and SMEs, but there are no content-level exemptions from the technical requirements.
With less than two months until the deadline, time for sweeping system overhauls is short. Companies should first take a complete inventory of all AI systems in use and classify them according to the EU AI Act’s risk categories. For each system, it should be clarified whether the company is acting as a provider or as a deployer – both roles give rise to different, but equally important, obligations. Systems that are or may be classified as high-risk should be prioritized immediately and subjected to a detailed compliance gap analysis.
The next step is to assess which legal requirements are already met and where action is needed. Is a risk management system in place? Is the technical documentation complete and up to date? Can users effectively override or shut down the system? Based on this analysis, a prioritized implementation plan should be drawn up that bundles the most important measures before August 2, 2026. Conformity assessment and – where required for the product – engagement with a notified body should be planned well in advance, as capacity at accredited bodies is limited. Specialized legal advice is essential given the still-absent final guidelines from the European Commission, in order to arrive at a well-founded classification and a legally sound compliance concept.
The EU AI Act fundamentally and permanently changes the rules for the use of artificial intelligence in Europe. Companies that deploy or develop high-risk AI must have a comprehensive compliance framework in place by August 2, 2026 – otherwise they face significant penalties and an operational ban on their AI applications. The time remaining until the deadline is short, and the still-absent final EU Commission guidelines add further legal uncertainty. Act now, identify your high-risk AI systems, and put in place the legal and technical foundations needed for sustainable compliance.
Do you have questions about the EU AI Act or the compliance obligations for AI systems in your company? The lawyers at HUFELD PartGmbB are here to provide comprehensive advice. Get in touch now.
