August 2, 2026 marks the enforcement date for high-risk AI system obligations under Regulation (EU) 2024/1689, the EU Artificial Intelligence Act. Organizations deploying AI systems in the European market have approximately 84 days from the date of this publication to complete the documentation, risk assessment, and oversight infrastructure required by the regulation. This checklist addresses the five categories of preparation that high-risk AI deployers must complete before that deadline. It is structured for compliance officers and legal counsel at business-to-business software companies whose products incorporate automated decision-making.
What Qualifies as a High-Risk System Under the EU AI Act
Article 6 and Annex III of the EU AI Act define the categories of AI systems subject to high-risk obligations. The regulation uses a system-classification approach rather than a use-case approach: the category of application determines the risk designation, not the specific deployment context or the magnitude of any individual decision.
The following categories are designated as high-risk under Annex III of Regulation (EU) 2024/1689:
- Biometric identification and categorization of natural persons
- Management and operation of critical infrastructure
- Education and vocational training, including access, admission, and assessment
- Employment, workforce management, and access to self-employment, including hiring, promotion, and termination
- Access to and enjoyment of essential private and public services, including credit scoring and insurance underwriting
- Law enforcement
- Migration, asylum, and border control management
- Administration of justice and democratic processes
For business-to-business software companies, the categories of greatest relevance are employment and workforce management, access to essential services, and education and vocational training. An AI component embedded in a human resources platform that assists in candidate screening qualifies as a high-risk system under Article 6(2) and Annex III, Point 4, regardless of whether the human resources team characterizes the tool as a filtering aid rather than a decision-making system. The classification follows the application category, not the vendor's product description.
The Five Documentation Requirements Before Deployment
The EU AI Act imposes specific pre-deployment obligations on providers of high-risk AI systems. The following five requirements must be satisfied before a high-risk system is placed on the EU market or put into service within the Union.
1. Risk Classification and Conformity Assessment
Article 43 requires that high-risk AI systems undergo a conformity assessment procedure before deployment. For most Annex III systems, this involves an internal control process documented by the provider. For systems in the biometrics and law enforcement categories, a third-party notified body assessment is required. The provider must document the conformity assessment process, retain records, and affix a CE marking upon successful completion. The assessment is not a one-time obligation: any substantial modification to the system requires a new conformity assessment before the modified system is placed on the market.
2. Technical Documentation
Article 11 and Annex IV require providers to maintain comprehensive technical documentation covering the system's intended purpose, architecture, training data sources, performance metrics, accuracy levels, known limitations, and robustness measures. This documentation must be kept current throughout the system's operational life. Annex IV identifies 15 distinct categories of required technical documentation content. Organizations that have not yet begun Annex IV documentation reviews should treat this as the highest-priority task before August 2, given the volume of documentation required and the coordination between engineering and legal teams it demands.
3. Transparency and Labeling Obligations
Article 13 requires that high-risk AI systems be designed and developed in a way that allows operators and users to interpret the system's output and use it appropriately. Providers must supply instructions for use that document the system's intended purpose, technical specifications, accuracy parameters, human oversight requirements, and any foreseeable misuse scenarios. These instructions must be provided in a form that is understandable to non-technical users in the deploying organization.
4. Automatic Logging Requirements
Article 12 requires that high-risk AI systems maintain automatic event logs to enable monitoring of system operation after deployment. Logs must capture operational data sufficient to trace the system's outputs back to input conditions, record changes in system performance over time, and support post-incident analysis. The regulation does not specify a single minimum retention period for all system categories; retention requirements vary by sector-specific regulation applicable to the deploying organization.
5. Human Oversight Mechanism
Article 14 requires that providers design high-risk AI systems to allow natural persons to effectively oversee system operation during the period of use. The oversight mechanism must enable authorized personnel to monitor system functioning, identify anomalies, intervene in system operation, and override or disregard system outputs when appropriate. The mechanism must be documented and functional before deployment, and its adequacy must be assessed as part of the conformity assessment procedure.
The Penalty Structure Under Article 71
Article 71 of the EU AI Act establishes three administrative fine tiers. The applicable tier depends on the nature of the violation, and the higher of the fixed amount or the revenue-based percentage applies in each case.
| Violation Category | Maximum Fine | Revenue Cap |
|---|---|---|
| Prohibited practices (Article 5): real-time remote biometric surveillance, social scoring systems | 35,000,000 EUR | or 7% of global annual turnover |
| High-risk system non-compliance: documentation, conformity assessment, transparency failures | 15,000,000 EUR | or 3% of global annual turnover |
| Provision of incorrect or misleading information to competent authorities | 7,500,000 EUR | or 1.5% of global annual turnover |
Source: Regulation (EU) 2024/1689, Article 71. Enforcement is conducted by National Competent Authorities (NCAs) designated by each EU member state. GPAI systemic-risk enforcement falls under the EU AI Office directly.
Completing these requirements before August 2, 2026 requires coordinated effort across legal, engineering, and product teams. The documentation obligations are substantial: technical documentation under Annex IV covers 15 separate categories of information, and conformity assessments for systems in the biometrics and law enforcement categories require third-party review from a notified body. Organizations that have not begun this process should prioritize risk classification review and Annex IV gap analysis before allocating resources to other compliance workstreams.
RegBrief monitors EU AI Act obligations and EU AI Office guidance continuously, providing plain English summaries with exact citations from EUR-Lex and the Official Journal of the European Union. The 2026 EU AI Act Compliance Brief covers the full regulation and four high-impact guidance documents, including the GPAI Code of Practice and MDCG 2025-6, in a 12-page reference format built for compliance teams preparing for August 2 enforcement.
Not legal advice. Content is AI-assisted research derived from official EU government sources including EUR-Lex and the Official Journal of the European Union. Verify against primary sources before making compliance decisions. © 2026 MoogDa LLC — RegBrief