EU AI Act August 2, 2026: What High-Risk AI Systems Must Have Ready

Full Annex III obligations under the EU AI Act take effect in 34 days. Regulated financial institutions deploying high-risk AI systems need more than a compliance plan by then. They need a tamper-evident audit trail that can answer a regulator on demand.

What Becomes Enforceable on August 2

August 2, 2026 is when EU AI Act Annex III obligations become fully enforceable across member states. This covers high-risk AI applications in financial services: credit scoring, insurance underwriting, algorithmic systems that materially influence decisions affecting individuals or organisations, and AI used in employment and access to essential services.

From that date, national competent authorities can open investigations, request audit logs, and issue penalties for non-compliance. The maximum penalty for a provider of a non-compliant high-risk AI system is 3% of global annual turnover or 15 million EUR, whichever is higher.

Article 12: The Logging Obligation

Article 12 requires that high-risk AI systems technically allow for the automatic recording of events throughout operational lifetime. Three words carry the compliance weight: automatic, lifetime, and technically.

• Automatic means logs generated without operator intervention at the moment events occur. Scheduled exports do not qualify. Manual captures do not qualify.
• Lifetime means from deployment to decommissioning. Not from when your compliance programme started. If your AI system has been running, those logs should already exist.
• Technically means built into the system. A policy document stating intent to log does not satisfy Article 12.

The Six-Month Gap Problem

Article 19 requires automatically generated logs to be retained for a minimum of six months. Organisations that start logging on August 2 will have no audit trail for decisions made before that date.

If a complaint or regulatory investigation covers a decision made in June or July 2026, there will be no records to produce. That absence is itself a compliance failure. Organisations that started logging in February have a complete six-month trail from day one of enforcement.

What Must Be in Place Before August 2

• Automatic event capture at each decision point. Input, model version, prompt, output, timestamp. Every inference that could materially affect a person or organisation.
• Tamper-evidence you can demonstrate. Not a policy statement. A mechanism. Cryptographic hash chaining means any modification breaks the entire subsequent chain — detectable by anyone, not just your vendor.
• Six months of retained records with clear chain of custody. Know where logs are stored, who has access, and how you produce them on regulator request within a reasonable timeframe.
• Independent verifiability. The integrity of your audit trail should be checkable without depending on your own infrastructure or your vendor's word.

On the Omnibus Delay Proposal

The European Commission proposed delays to some AI Act obligations through the Digital Omnibus package, potentially pushing certain requirements toward December 2027. As of June 2026, that proposal has not been finalised by either the Council or Parliament.

The current legally enforceable date remains August 2, 2026. Organisations waiting for the delay to be confirmed before acting are accepting regulatory exposure on a timeline that may not materialise. If the delay passes, organisations with logging already in place lose nothing. Organisations without it who bet on the delay and lose face penalties with no audit trail to show.