2 August 2026 is the date the EU AI Act stops being a planning exercise. It is when the core obligations for high-risk AI systems, the tier with the real legal and operational weight, become fully applicable under Regulation (EU) 2024/1689. The earlier milestones have already passed: the Article 5 prohibitions since February 2025, the general-purpose AI rules since August 2025. For most product teams the open question is no longer whether the Act applies, but whether they sit in the high-risk tier. If they do, the work is substantial and the runway is short.
What becomes mandatory on 2 August 2026
From that date, a high-risk AI system cannot be placed on the EU market until the provider has a defined set of controls in place and documented. In practice that means a risk-management system maintained across the lifecycle (Art. 9); data governance over the training, validation and test sets (Art. 10); technical documentation to Annex IV and automatic logging (Arts. 11–12); transparency and instructions that let a deployer operate the system safely (Art. 13); genuine human oversight (Art. 14); and demonstrated accuracy, robustness and cybersecurity (Art. 15). The system must then pass a conformity assessment, be registered in the EU database for high-risk systems, and carry CE marking like any other regulated product. The Commission's implementation timeline sets out how these obligations phase in.
What actually counts as "high-risk"
This is where most companies underestimate their exposure, because there are two independent routes into the high-risk tier, and product manufacturers tend to look only at the first.
Route 1: the Annex III use cases
The first route is what the system is used for. Annex III lists the high-risk domains: employment and worker management (including CV-screening tools), creditworthiness and credit scoring, access to education and vocational training, essential public and private services, law enforcement, migration and border control, the administration of justice, and biometric identification. If your system is used in one of these areas, it is presumptively high-risk.
Route 2: the Annex I product-safety route
The second route is the one that catches hardware and machinery teams off guard. If the AI is a safety component of, or is itself, a product already covered by the EU harmonisation legislation listed in Annex I (machinery, medical devices, in-vitro diagnostics, toys, lifts, personal protective equipment, radio equipment, and more), and that product requires third-party conformity assessment, then the AI is high-risk too. It does not matter that the product never touches HR or credit decisions. The safety function alone is enough.
The dual-compliance burden for CE-marked products
The consequence of Route 2 is that a large group of manufacturers now face two regimes at once. If your product already falls under, say, the Machinery Regulation or the Medical Device Regulation and you have integrated AI into a safety-relevant function, you carry both the sectoral CE-marking requirements you already meet and the AI Act's high-risk obligations on top. The frameworks are designed to fit together rather than duplicate each other, but the AI-specific duties are genuinely additional work. Risk management tied to the AI lifecycle, dataset governance, human oversight and event logging are not covered by your existing certification.
Why capable teams still miss this
The problem is rarely awareness. It is classification and interpretation. Teams struggle to decide whether a given system meets the legal definition of high-risk, to map their product's real functionality onto the Annex III categories, and to reconcile the AI obligations with certification workflows they already run for CE marking. The harmonised standards that will make conformity routine are still being finalised. That ambiguity is what turns into late classification, delayed launches, and, in the worst case, a redesign discovered too close to the deadline to absorb.
Penalties, stated precisely
It is worth being exact here, because the figures are widely misquoted. Breaching the obligations for high-risk AI systems can incur fines of up to €15 million or 3% of worldwide annual turnover, whichever is higher. The headline €35 million or 7% ceiling applies specifically to the prohibited practices under Article 5, not to high-risk breaches, and supplying incorrect or misleading information to authorities is capped at €7.5 million or 1.5%. For SMEs and start-ups the lower figure of each pair applies rather than the higher (Art. 99).
Confirm your tier before you build the plan
Because both routes matter, and because the second one is easy to miss, the first concrete step is a defensible classification, not a reading of the regulation from scratch. NormScout's free EU AI Act check works through both the Annex III use cases and the Annex I product-safety route, determines your risk tier, flags where you overlap with the CE-marking directives your product already falls under, and lists the obligations that apply, each traced back to the regulation text. It takes a few minutes and needs no account.