EU AI Act

The EU AI Act's August 2026 Deadline: What "High-Risk" Means for Your Product

From 2 August 2026, the core obligations for high-risk AI systems apply. Learn which systems are caught, why CE-marked products can face a double compliance burden, and how to confirm your risk tier before the deadline.

By the NormScout Compliance Team · Updated July 2026 · 8 min read

Reviewed against the official EUR-Lex texts.

← Back to Blog

2 August 2026 is the date the EU AI Act stops being a planning exercise. It is when the core obligations for high-risk AI systems, the tier with the real legal and operational weight, become fully applicable under Regulation (EU) 2024/1689. The earlier milestones have already passed: the Article 5 prohibitions since February 2025, the general-purpose AI rules since August 2025. For most product teams the open question is no longer whether the Act applies, but whether they sit in the high-risk tier. If they do, the work is substantial and the runway is short.

The one question to answer first: is your AI system high-risk? Everything about the 2 August 2026 deadline flows from that single classification: the cost, the timeline, and the conformity route.

What becomes mandatory on 2 August 2026

From that date, a high-risk AI system cannot be placed on the EU market until the provider has a defined set of controls in place and documented. In practice that means a risk-management system maintained across the lifecycle (Art. 9); data governance over the training, validation and test sets (Art. 10); technical documentation to Annex IV and automatic logging (Arts. 11–12); transparency and instructions that let a deployer operate the system safely (Art. 13); genuine human oversight (Art. 14); and demonstrated accuracy, robustness and cybersecurity (Art. 15). The system must then pass a conformity assessment, be registered in the EU database for high-risk systems, and carry CE marking like any other regulated product. The Commission's implementation timeline sets out how these obligations phase in.

What actually counts as "high-risk"

This is where most companies underestimate their exposure, because there are two independent routes into the high-risk tier, and product manufacturers tend to look only at the first.

Route 1: the Annex III use cases

The first route is what the system is used for. Annex III lists the high-risk domains: employment and worker management (including CV-screening tools), creditworthiness and credit scoring, access to education and vocational training, essential public and private services, law enforcement, migration and border control, the administration of justice, and biometric identification. If your system is used in one of these areas, it is presumptively high-risk.

Route 2: the Annex I product-safety route

The second route is the one that catches hardware and machinery teams off guard. If the AI is a safety component of, or is itself, a product already covered by the EU harmonisation legislation listed in Annex I (machinery, medical devices, in-vitro diagnostics, toys, lifts, personal protective equipment, radio equipment, and more), and that product requires third-party conformity assessment, then the AI is high-risk too. It does not matter that the product never touches HR or credit decisions. The safety function alone is enough.

The dual-compliance burden for CE-marked products

The consequence of Route 2 is that a large group of manufacturers now face two regimes at once. If your product already falls under, say, the Machinery Regulation or the Medical Device Regulation and you have integrated AI into a safety-relevant function, you carry both the sectoral CE-marking requirements you already meet and the AI Act's high-risk obligations on top. The frameworks are designed to fit together rather than duplicate each other, but the AI-specific duties are genuinely additional work. Risk management tied to the AI lifecycle, dataset governance, human oversight and event logging are not covered by your existing certification.

Why capable teams still miss this

The problem is rarely awareness. It is classification and interpretation. Teams struggle to decide whether a given system meets the legal definition of high-risk, to map their product's real functionality onto the Annex III categories, and to reconcile the AI obligations with certification workflows they already run for CE marking. The harmonised standards that will make conformity routine are still being finalised. That ambiguity is what turns into late classification, delayed launches, and, in the worst case, a redesign discovered too close to the deadline to absorb.

Penalties, stated precisely

It is worth being exact here, because the figures are widely misquoted. Breaching the obligations for high-risk AI systems can incur fines of up to €15 million or 3% of worldwide annual turnover, whichever is higher. The headline €35 million or 7% ceiling applies specifically to the prohibited practices under Article 5, not to high-risk breaches, and supplying incorrect or misleading information to authorities is capped at €7.5 million or 1.5%. For SMEs and start-ups the lower figure of each pair applies rather than the higher (Art. 99).

Confirm your tier before you build the plan

Because both routes matter, and because the second one is easy to miss, the first concrete step is a defensible classification, not a reading of the regulation from scratch. NormScout's free EU AI Act check works through both the Annex III use cases and the Annex I product-safety route, determines your risk tier, flags where you overlap with the CE-marking directives your product already falls under, and lists the obligations that apply, each traced back to the regulation text. It takes a few minutes and needs no account.

Check whether your product is high-risk →

Frequently asked questions

What changes on 2 August 2026 under the EU AI Act?

The core obligations for high-risk AI systems become fully applicable. Before such a system can go on the EU market, the provider needs several things in place: a risk-management system, data governance, technical documentation, event logging, transparency and instructions for deployers, human oversight, and evidence of accuracy, robustness and cybersecurity. Only then can it complete the conformity assessment, register the system, and affix CE marking. The Article 5 prohibitions have applied since February 2025, and the general-purpose AI rules since August 2025.

What makes an AI system "high-risk"?

There are two routes. The first is the use case. Annex III lists the areas that count: employment and worker management, creditworthiness, education, essential public and private services, law enforcement, migration, and biometrics. The second is the product-safety route in Annex I. If the AI is a safety component of, or is itself, a product already covered by EU harmonisation law that needs third-party conformity assessment (machinery, medical devices, toys, lifts, PPE, radio equipment and more), it is high-risk as well. Product teams miss the second route most often.

We already CE-mark our product. Does the EU AI Act add more?

Usually yes. Say your product already falls under EU harmonisation law, such as the Machinery Regulation or the Medical Device Regulation, and you have built AI into a safety-relevant function. You now carry two sets of duties: the CE-marking requirements you already meet, plus the AI Act's high-risk obligations. The frameworks are meant to fit together, but the AI-specific work is genuinely additional. Risk management, data governance, human oversight and logging are not covered by your existing certification.

What are the penalties for breaching the high-risk obligations?

Breaching the high-risk obligations can cost up to €15 million or 3% of worldwide annual turnover, whichever is higher. The larger €35 million or 7% ceiling is reserved for the prohibited practices under Article 5, and giving authorities incorrect information is capped at €7.5 million or 1.5%. SMEs and start-ups are judged against the lower figure of each pair.

How do I confirm whether my product is high-risk before the deadline?

Run NormScout's free EU AI Act check. It works through both routes, the Annex III use cases and the Annex I product-safety route, to settle your risk tier. It also flags any overlap with the CE-marking directives your product already falls under, and lists the obligations that apply, each traced to the regulation text. No account needed.

Sources & references

  1. Regulation (EU) 2024/1689, Artificial Intelligence Act (full text, EUR-Lex)
  2. European Commission, AI Act: regulatory framework and implementation timeline
  3. European Commission, AI Act enters into force (press release, August 2024)

This guide draws on the official regulation texts and European Commission guidance linked above. It is general information, not legal advice.