The EU AI Act is in force. Two deadlines have passed; under current law the critical high-risk deadline falls on 2 August 2026, though following the provisional Digital Omnibus agreement of 7 May 2026 it is set to be postponed to 2 December 2027 (formal adoption still pending, as of June 2026). Here is the current status, obligations, and what enterprises should do now.

At a Glance - EU AI Act 2026 Status for Enterprises

  • Prohibited AI practices (social scoring, manipulation, emotion recognition at work) and AI literacy obligations have been legally binding since February 2025.
  • GPAI transparency and documentation obligations for deployers of general-purpose AI models are in force since August 2025.
  • The critical deadline: under current law all high-risk AI systems (including nearly all HR AI) must be fully compliant by 2 August 2026. Fines: up to 15 million euros or 3% of global turnover.
  • The Digital Omnibus package is set to postpone the high-risk deadline to 2 December 2027: the Council and Parliament reached a provisional political agreement on 7 May 2026. It is not yet formally adopted (publication in the EU Official Journal expected before 2 August 2026). The high-risk classification itself is unchanged - use the time to prepare.
  • First step for every organization: complete an AI system inventory covering all officially deployed and shadow AI systems within four to eight weeks.

According to Gartner (2025), fewer than 10% of organizations subject to the EU AI Act have completed their AI system inventory, the foundational step for compliance. The European Commission estimates that over 300,000 enterprises across the EU deploy AI systems that may fall under regulatory scope.

MilestoneDateStatusKey Obligations
Entry into ForceAugust 2024ActiveFramework established
Prohibited Practices + AI LiteracyFebruary 2025ActiveBans on social scoring, manipulation; training obligation
GPAI ObligationsAugust 2025ActiveTransparency, labeling, governance inventory
High-Risk Systems2 Aug 2026 (Dec 2027 prov.)Postponement provisionally agreedFull compliance: risk mgmt, data gov, human oversight
Remaining ProvisionsAugust 20272027Sector-specific rules, remaining categories

The World’s First Comprehensive AI Law

The EU AI Act has been in force since August 2024. It is the world’s first comprehensive legislation for regulating artificial intelligence, and it applies to every organization that develops, deploys, or provides AI systems. As of June 2026, we are in the middle of the implementation phase: two deadlines have already passed, and the high-risk deadline falls on 2 August 2026 under current law (provisionally set to move to 2 December 2027 under the Digital Omnibus of 7 May 2026, formal adoption still pending). The high-risk classification is unchanged, so organizations that prepare now have time on their side.

This article provides a sober overview of the current state: what already applies, what is coming when, which obligations affect your organization, and what you should do in the next 90 days.

Timeline: Five Milestones

The phased implementation of the EU AI Act spans three years. Each milestone activates different obligations.

August 2024          February 2025         August 2025         August 2026          August 2027
│                    │                    │                   │                    │
▼                    ▼                    ▼                   ▼                    ▼
Entry into Force   Prohibited AI        GPAI Obligations    High-Risk Systems    Remaining
Practices +          Take Effect         Must Be Compliant    (Dec 2027 prov.)     Provisions
AI Literacy
ACTIVE                ACTIVE              ACTIVE               2 AUG 2026 /         AUG 2027
                                                              DEC 2027 PROV.

For organizations, this means: two stages are already legally binding. The third, and for many enterprises the most critical, has its deadline on 2 August 2026 under current law - provisionally set to move to 2 December 2027 under the Digital Omnibus of 7 May 2026 (formal adoption still pending). The classification is unchanged, and preparation typically requires four to six months, so the lead time is best used now.

What Applies Now

Prohibited AI Practices (since February 2025)

Since February 2, 2025, certain AI applications have been fully prohibited in the EU. This covers:

  • Social scoring: AI systems that evaluate individuals based on their social behavior and derive disadvantages in unrelated contexts.
  • Manipulative AI: Systems that manipulate human behavior through subliminal techniques, such as dark patterns that coerce purchasing decisions or consent.
  • Real-time biometrics in public spaces: Real-time biometric identification is fundamentally prohibited. Narrowly defined exceptions exist for law enforcement in cases involving serious crimes, counterterrorism, and missing persons searches, each requiring judicial authorization.
  • Emotion recognition in the workplace and educational institutions: AI systems that detect emotions of employees or learners are impermissible.
  • Predictive policing based on individual characteristics: Risk assessments for criminal behavior based solely on personal attributes.

Penalties: Violations of the prohibition provisions are punishable by fines of up to 35 million euros or 7 percent of global annual turnover, whichever amount is higher.

For most enterprises, these prohibitions are not directly action-relevant because the described applications rarely occur in a business context. But the review is mandatory: ensure that none of your AI systems falls under these categories.

AI Literacy (since February 2025)

In parallel with the prohibitions, the AI literacy obligation under Article 4 has been in effect since February 2025: all persons who operate, deploy, or use AI systems must possess a sufficient level of AI competence. The competence must be appropriate to the respective context. A developer requires deeper knowledge than an end user who uses a chatbot.

What this means in practice:

  • Training obligation: Organizations must be able to demonstrate that their employees have been trained.
  • Documentation obligation: Training content, participant lists, and refresh intervals must be documented.
  • Context appropriateness: Training must match the role. A generic 30-minute e-learning module is insufficient for decision makers who select and take responsibility for AI systems.

The AI literacy obligation is frequently underestimated because it does not impose high technical requirements. But it is already enforceable. And it applies to every organization that uses AI, regardless of the risk class of the system. More on the organizational implications can be found in the article works council & AI Literacy: The Organizational Questions.

GPAI Obligations (since August 2025)

Since August 2025, the transparency and documentation obligations for General-Purpose AI models (GPAI) are in effect. These primarily concern the providers of language models, not the organizations that use them. But as a deployer, an organization that uses a GPAI model in its own applications, you have obligations:

  • Usage notices: If your application generates content that could be mistaken for human-created, you must label it accordingly.
  • Transparency toward users: Individuals interacting with an AI system must be informed of that fact.
  • Governance infrastructure: You must be able to document which GPAI models you deploy, in which context, and with which safeguards.

The GPAI obligations require a clean inventory: Which AI models do you deploy? From which provider? In which application? With which risk classification? This information forms the foundation for the high-risk compliance whose deadline is 2 August 2026 under current law (provisionally set to move to 2 December 2027).

The High-Risk Deadline: 2 August 2026 (Provisionally Postponed to December 2027)

The high-risk deadline of 2 August 2026 is the most critical deadline in the EU AI Act for most organizations. From that date, under current law, all AI systems falling under Annex III must be fully compliant; following the provisional Digital Omnibus agreement of 7 May 2026 that date is set to be postponed to 2 December 2027 (formal adoption still pending, as of June 2026). The requirements are extensive, and the classification is unchanged.

Which Systems Fall Under High Risk?

Annex III of the EU AI Act defines eight areas in which AI systems are classified as high-risk. The most relevant for enterprises:

  • Employment, personnel management, and access to self-employment: AI systems for job postings, candidate selection, performance evaluation, promotion decisions, and terminations.
  • Creditworthiness and insurance: Automated credit scoring, risk scoring.
  • Biometric identification: Facial recognition, voice identification, including in non-public spaces.
  • Critical infrastructure: AI systems in energy, water, transportation, telecommunications.
  • Education and vocational training: Automated exam grading, access control to educational institutions.

Requirements for High-Risk Systems

If any of your AI systems is classified as high-risk, you must meet the following requirements by the high-risk deadline (2 August 2026 under current law, provisionally set to move to 2 December 2027 under the Digital Omnibus of 7 May 2026):

  1. Risk management system: A documented system for identifying, analyzing, and mitigating risks throughout the entire lifecycle of the AI system.
  2. Data governance: Requirements for quality, representativeness, and accuracy of training data. When using pre-trained models: documentation of data provenance and fine-tuning.
  3. Technical documentation: Comprehensive documentation of the system prior to deployment: architecture, training procedures, performance metrics, testing procedures, limitations.
  4. Record-keeping obligations: Automatic logging of all relevant events to ensure the traceability of decisions.
  5. Transparency: Instructions for deployers that enable proper use.
  6. Human oversight: Technical measures that enable effective human monitoring. The Decision Layer is an architecture that implements precisely this requirement.
  7. Accuracy, robustness, cybersecurity: The system must reliably deliver its declared performance and be protected against manipulation.
  8. Conformity assessment: For certain categories, an assessment by a notified body (conformity assessment body) is required. For others, a self-assessment is sufficient.

Penalties: Violations of the high-risk obligations are punishable by fines of up to 15 million euros or 3 percent of global annual turnover.

Particular Relevance for HR

The HR department is the business area where AI applications most frequently fall under the high-risk category. This is due to Annex III, Number 4, Employment and Personnel Management. The classification covers:

Automated screening of applications: high-risk. Any AI system that pre-sorts, evaluates, or filters job applications falls under the high-risk category. Regardless of whether the final decision is made by a human. The pre-selection alone is regulated.

AI-assisted performance evaluations: high-risk. When AI systems analyze performance data and derive evaluations or prepare evaluations from them, that is high-risk. This applies even to systems that only issue recommendations.

Predictive attrition: high-risk. AI systems that predict which employees are likely to leave the organization process personal data to derive employment decisions. That is high-risk.

Automated shift optimization: potentially high-risk. If an AI system creates shift schedules while processing individual preferences, performance data, or health information, it may fall under high-risk. The classification depends on the specific scope of data involved.

For HR departments, this means: inventory all AI systems used in employment contexts. Review the classification. Begin compliance preparation. The high-risk deadline is 2 August 2026 under current law and provisionally set to move to 2 December 2027 - either way, the classification stands, so the lead time is best used to reach full high-risk conformity. Further information on the interplay of AI and HR can be found at HR & AI Agents.

Digital Omnibus: Postponement Provisionally Agreed, Adoption Pending

The European Commission proposed a Digital Omnibus package at the end of 2025 that would, among other things, defer the high-risk deadlines of the EU AI Act to December 2027 at the latest. The package also addresses a simplification of reporting obligations and a raising of thresholds for SMEs. The deferral is conditional: it only takes effect once harmonised standards are available. After confirmation, six months apply for Annex III systems and twelve months for Annex I systems. The backstop date is December 2, 2027.

Current status (June 2026): On 7 May 2026, the Council and Parliament reached a provisional political agreement on the Digital Omnibus package, postponing the high-risk deadline from 2 August 2026 to 2 December 2027. The agreement is not yet in force: formal adoption and publication in the EU Official Journal are still pending, expected before the 2 August 2026 deadline it replaces. Until that publication, the current-law deadline of 2 August 2026 stands.

The recommendation: Treat 2 August 2026 as the deadline still in force while the postponement is only provisionally agreed and not yet adopted. The likelihood of the deferral to 2 December 2027 is now high - it has a provisional political agreement - but until publication in the Official Journal it is not law. Either way, the high-risk classification is unchanged, so use the lead time to prepare: if the postponement is adopted you gain additional time, and if it is not you are already compliant. Betting compliance on an extension that is not yet in force remains an avoidable risk.

Practical Recommendation: Start an AI System Inventory

Regardless of whether your AI systems fall under high-risk or not: the first step is always the same. You need a complete inventory of all AI systems in your organization.

What Must Be Captured

For each AI system, document:

  • System designation and description: What does the system do? Which process does it support?
  • Provider and model: Which AI model is being used? From which provider? Cloud API or self-hosted?
  • Your organization’s role: Are you the provider, deployer, or both?
  • Risk classification: Does the system fall under one of the categories in Annex III (high-risk)? Under the prohibition provisions in Article 5? Or is it a system with limited risk?
  • Affected individuals: Which persons are affected by the system’s decisions or outputs?
  • Data processing: What data does the system process? Personal data? Trade secrets?
  • Safeguards: What technical and organizational measures are implemented? Human oversight? Audit trail?

Timeline

An AI system inventory for a mid-sized organization is achievable in four to eight weeks. The effort depends on the number of systems, the state of documentation, and internal coordination. Start with the obvious systems, the officially procured AI tools, and then expand to shadow AI: AI systems that employees use independently without IT knowledge.

The inventory is not a one-time task. It must be continuously updated as new systems are added, existing systems are modified, and regulatory assessments evolve. The governance infrastructure must be designed so that the inventory remains a living document.

Summary: What You Should Do Now

  1. Review the prohibition provisions. Ensure that none of your AI systems falls under the practices prohibited since February 2025.
  2. Fulfill the AI literacy obligation. Document training for all AI users in your organization. The obligation is in effect now.
  3. Create an AI system inventory. Capture all AI systems, their providers, deployment context, and risk classification. Timeframe: four to eight weeks.
  4. Identify high-risk systems. Review the HR area, credit decisions, and automated processes with direct impact on individuals in particular.
  5. Begin high-risk compliance. For systems falling under Annex III: establish risk management system, data governance, technical documentation, and human oversight. Deadline: 2 August 2026 under current law, provisionally set to move to 2 December 2027 under the Digital Omnibus of 7 May 2026.
  6. Do not bet on the Digital Omnibus being in force. The deferral to 2 December 2027 has a provisional political agreement (7 May 2026) but is not yet formally adopted. Treat the extra time as a bonus, not a planning basis - the high-risk classification is unchanged either way.

📘 Enterprise AI Infrastructure Blueprint 2026 - Article Series

← PreviousOverviewNext →
What AI Really Costs: TCO Comparison for EnterprisesOverviewWorks Council & AI Literacy: The Organizational Questions

All articles in this series: Enterprise AI Infrastructure Blueprint 2026

Gosign supports organizations with EU AI Act compliance, from system inventory to conformity assessment. If you want to know where your organization stands, talk to us.

Book a consultation. 30 minutes to assess your compliance status.

Bert Gogolin

Bert Gogolin

CEO & Founder, Gosign

AI Governance Briefing

Enterprise AI, regulation, and infrastructure - once a month, directly from me.

No spam. Unsubscribe anytime. Privacy policy