Does the AI Act apply to AI systems built before August 2026?

Yes, but with nuance. Systems placed on the market before August 2, 2026 must comply only when subject to significant changes in design. Routine updates do not trigger compliance — but major functionality changes do.

What counts as a significant change requiring new compliance?

Not precisely defined yet. Generally: changes affecting intended purpose, how the system was trained, or its risk profile. Commission guidance is expected by early 2026.

Can we use existing ISO certifications to satisfy requirements?

Partially. ISO 42001 (AI management systems) and ISO 27001 (information security) can support compliance but do not automatically satisfy AI Act requirements. You still need AI Act-specific conformity assessment.

What if we are a deployer, not a provider — do we still need conformity assessment?

No. Deployers do not conduct conformity assessments — providers do. But deployers must verify the systems they use have been properly assessed (CE marked, registered, documented).

How do regulatory sandboxes work in practice?

Apply to your national authority's sandbox program. If accepted, you develop your AI system under regulatory supervision, getting guidance on compliance. Systems developed successfully in sandboxes get streamlined market access.

We are a non-EU startup selling to EU customers — does this apply to us?

Yes. The AI Act applies to providers placing AI systems on the EU market, regardless of where they are established. You will need an EU-based authorized representative.

Can we delay compliance if we are in active development?

No grace period. If you place a high-risk system on the market after August 2, 2026, it must be compliant at that point — regardless of when development started.

What documentation do we need to keep and for how long?

Technical documentation: 10 years from market placement. Automatically generated logs: minimum 6 months. Quality management records: duration of AI activities plus retention period.

Is there a simplified process for startups?

Not a separate process, but SME provisions include reduced fees, priority processing, and tailored guidance. Regulatory sandboxes offer the most significant startup support.

Outlex - AI powered OS for Startups and SMBs

Robot hand placing chess piece on minimalist chessboard representing AI regulation strategy

Is Your AI System High-Risk?

An AI system is classified as high-risk if it is used in contexts where errors or biases could significantly harm individuals' rights, safety, or livelihoods.

Approach 1: Safety Component

AI systems that are safety components of products covered by existing EU product safety legislation and require third-party conformity assessment.

Approach 2: Listed Use Cases (Annex III)

Category	Examples
Biometrics	Remote biometric identification, emotion recognition
Critical Infrastructure	AI managing electricity, water, gas, traffic
Education	AI determining access, exam proctoring, student assessment
Employment	CV screening, interview assessment, hiring decisions
Essential Services	Credit scoring, insurance pricing, emergency dispatch
Law Enforcement	Risk assessment tools, evidence analysis
Migration/Border	Visa assessment, asylum processing
Justice	Systems assisting judicial authorities

The Quick Classification Test

If Your AI Does This...	Classification
Screens job applications	High-risk (Employment)
Assesses creditworthiness	High-risk (Essential Services)
Recommends products	Not high-risk
Generates marketing copy	Not high-risk
Analyzes contracts	Usually not high-risk
Detects fraud in payments	Potentially high-risk

The Seven Requirements for High-Risk AI

Requirement 1: Risk Management System (Article 9)

A continuous process to identify, analyze, and mitigate risks throughout your AI system's lifecycle. Document all identified risks, implement measures, test under foreseeable misuse conditions, and maintain ongoing assessment.

Requirement 2: Data Governance (Article 10)

Element	What You Need
Data sources	Where did training data come from?
Data collection	How was it collected?
Data preparation	What preprocessing was applied?
Bias assessment	How did you check for and address bias?
Data gaps	What limitations exist in your dataset?

Requirement 3: Technical Documentation (Article 18)

Comprehensive records covering design, development, and operation. Retention: 10 years. Your 2026 documentation must be accessible until 2036.

Requirement 4: Automatic Logging (Article 19)

Logging capabilities appropriate to purpose. Minimum: period of use, reference databases, input data, identification of verifying persons. Retention: at least 6 months.

Requirement 5: Transparency (Article 13)

Clear documentation for deployers: identity, characteristics, intended purpose, misuse scenarios, human oversight instructions, performance metrics.

Requirement 6: Human Oversight (Article 14)

Humans must be able to understand outputs, decide not to use the system, intervene or interrupt operation. The key word is "effectively."

Requirement 7: Accuracy, Robustness, Cybersecurity (Article 15)

Appropriate levels of accuracy, resilience to errors, and protection against threats.

The Conformity Assessment

Pathway	When It Applies	What It Involves
Self-Assessment	Most high-risk Annex III systems	Internal procedures, documentation review
Third-Party	Remote biometric ID and certain sectoral systems	Notified Body evaluation

The Real Timeline: 8–14 Months

Phase 1: Assessment (4–8 weeks)

AI inventory, risk classification, gap analysis, resource planning.

Phase 2: Technical Implementation (12–20 weeks)

Risk management system, data governance framework, logging infrastructure, human oversight, cybersecurity.

Phase 3: Documentation (8–12 weeks)

Technical documentation, instructions for use, risk management records, training records.

Phase 4: Conformity Assessment (8–16 weeks)

Quality management setup, internal assessment, Notified Body (if required), registration.

If you have not started, you are already behind. Work backward from August 2, 2026 — you should have started by Q2 2025.

Deployer Obligations

Not building AI? If you use a third-party high-risk AI system, you still have obligations:

Obligation	What It Means
Technical measures	Implement according to provider instructions
Human oversight	Assign qualified persons to monitor
Data quality	Ensure input data is relevant
Monitoring	Watch for risks, report to provider
Staff training	Ensure users understand AI limitations

Startup Support Provisions

Regulatory Sandboxes (Article 57)

Controlled testing environments with guidance from regulators, reduced fees, and priority processing.

SME-Specific Provisions (Article 62)

Reduced conformity assessment fees, faster processing, tailored guidance, and dedicated information campaigns.

Penalties

Violation	Maximum Penalty
Non-compliance with high-risk requirements	€15M or 3% of global turnover
Providing incorrect information	€7.5M or 1% of global turnover

The Bottom Line

The startups that treat compliance as a competitive advantage — not just a legal burden — will be the ones customers trust. Classify your systems. Assess your gaps. Plan your timeline. Start now.

Reviewed by Outlex Legal Team

E-E-A-T Verified Content

This content was reviewed by qualified legal professionals with experience advising European companies on compliance, contracts, and corporate matters. Our legal team brings expertise across EU jurisdictions, ensuring accuracy and practical relevance for founders.

Last updated:March 23, 2026

Stay ahead on company legal

Get practical guides, compliance updates, and fundraising insights. No spam—just actionable legal knowledge for European founders.

AI Act High-Risk Systems: August 2026 Deadline Preparation Guide