EU AI Act: What Enterprises Must Do Before August 2026

The EU AI Act is no longer a policy discussion. It is law, and August 2, 2026 is a key planning date for many high-risk AI system obligations. The rollout is phased, and enterprises should keep monitoring implementation updates, but the preparation work should not wait.

If your organization runs AI systems that influence decisions about people, you may be affected. If you have not started preparing, the sensible next step is a structured inventory and classification exercise.

The Enforcement Timeline

The AI Act entered into force on August 1, 2024. Enforcement is phased:

• February 2, 2025 (already passed): Prohibited AI practices are enforceable. Social scoring systems, manipulative AI, and most real-time biometric identification in public spaces are banned.
• August 2, 2025 (already passed): General-purpose AI model obligations took effect. If you deploy or fine-tune foundation models, you should already be compliant with transparency and documentation requirements.
• August 2, 2026: High-risk AI system requirements are scheduled to become applicable for many systems. Treat this as the main readiness window for enterprise planning, while confirming the timeline for each system category.
• August 2, 2027: Obligations for high-risk AI systems embedded in products regulated under existing EU sectoral legislation (medical devices, machinery, vehicles).

For many German and EU enterprises, August 2026 is the planning date to test against while monitoring implementation updates.

What “High-Risk” Means for German Industries

The Act defines high-risk AI systems by their use case, not by the technology itself. A simple logistic regression model used for credit scoring is high-risk. A sophisticated large language model used for internal content summarization is not.

Here is how the classification maps to key German industries:

Financial Services (BaFin-regulated entities)

AI systems used in creditworthiness assessment, insurance pricing, fraud detection with direct customer impact, or algorithmic trading decisions that affect retail clients can fall under high-risk categories. If you are a bank, insurer, or fintech operating in Germany, expect regulatory scrutiny to combine GDPR data protection requirements, existing BaFin guidance on algorithmic decision-making such as MaRisk, and the new AI Act obligations into a single supervisory lens.

Healthcare

Clinical decision support systems, diagnostic AI, treatment planning tools, and patient triage algorithms can fall into high-risk categories. Hospitals and healthcare providers should note that many of these systems also fall under the Medical Device Regulation (MDR), which means the August 2027 timeline for product-embedded AI may apply instead. Administrative patient decision systems such as resource allocation or appointment prioritization should be classified carefully.

Public Sector and Critical Infrastructure

AI used in benefits administration, citizen identification, emergency response prioritization, and public service allocation is high-risk. German public sector entities face an additional complexity: the interplay between the EU AI Act, the BSI (Bundesamt für Sicherheit in der Informationstechnik) security requirements, and existing administrative law governing automated decision-making under the Verwaltungsverfahrensgesetz.

Manufacturing and Automotive

AI systems used for safety-critical quality control, worker safety monitoring, and predictive maintenance that directly affects operational safety can be high-risk. For automotive, ADAS components and autonomous driving systems fall under sectoral legislation with the 2027 timeline, while factory-floor AI used for workforce management or hiring decisions may fall within the 2026 planning window.

The Five Requirements You Must Meet

For every high-risk AI system in your portfolio, the Act requires:

1. A Risk Management System

Not a one-time risk assessment. A continuous, documented process that identifies risks before deployment, monitors them during operation, and feeds findings back into system improvements. The risk management system must cover the entire lifecycle of each AI system and must be reviewed and updated regularly.

For German enterprises, this means aligning your AI risk management with existing frameworks. If you already run risk management under ISO 31000 or sector-specific standards, you have a foundation to build on. But the AI Act demands AI-specific risk categories: bias risk, performance degradation risk, adversarial vulnerability risk, and risks arising from the interaction between AI outputs and human decision-making.

2. Data Governance

Training, validation, and test datasets must be documented with clear provenance. You need to demonstrate that your data is relevant, representative, and as free from errors and bias as reasonably achievable. For German enterprises already complying with the DSGVO, the data governance requirements of the AI Act are additive: the DSGVO governs how you collect and process personal data, while the AI Act governs how you ensure that data is suitable for training a system that will make decisions about people.

This intersection is where many organizations struggle. A system can be fully DSGVO-compliant in its data handling and still fail the AI Act’s data quality and representativeness requirements.

3. Technical Documentation

Detailed enough that a competent authority can understand how your system works, what it was trained on, how it was validated, and what its known limitations are. This includes system architecture, training methodology, performance metrics, and the results of bias and robustness testing.

If you did not document these decisions as you built the system, you are now facing a reconstruction project. That work is slower and less reliable than capturing the decisions as part of the build process.

4. Human Oversight Mechanisms

Every high-risk system must have meaningful human oversight. The word “meaningful” is doing heavy lifting here. A compliance checkbox where someone clicks “approve” without understanding the AI’s reasoning does not satisfy the requirement. You need trained personnel, interpretable outputs, clear intervention protocols, and documented escalation paths.

For Vorstand and Geschäftsführung, this means organizational accountability. Someone at the leadership level must own the human oversight framework, and the people performing oversight must have the authority and information to actually override the AI when necessary.

5. Accuracy, Robustness, and Cybersecurity

High-risk systems must meet appropriate levels of accuracy for their intended purpose. They must be resilient to errors and inconsistencies, and protected against adversarial attacks. Performance levels must be declared, tested, and monitored post-deployment.

German enterprises should note that BSI standards for IT security will likely serve as a reference point for the cybersecurity requirements. If your AI infrastructure already meets BSI IT-Grundschutz requirements, you have a head start on this dimension.

The Cost of Waiting

Retrofitting compliance into an existing AI system is usually more expensive than building it in from the start.

The reasons are structural. Retroactively adding audit trails means refactoring data pipelines. Reconstructing documentation for decisions made long ago requires forensic effort. Writing a comprehensive test suite for a live production system without taking it offline demands careful parallel infrastructure.

For a mid-size enterprise running several high-risk AI systems, the difference between a proactive readiness program and a reactive retrofit can be material. That does not account for operational disruption or the opportunity cost of diverting your AI team from new development to compliance remediation.

A Practical Compliance Roadmap

If you are starting now, here is a realistic readiness sequence:

Months 1-2: Inventory and Classification

Conduct a complete AI system inventory. Most enterprises undercount their AI systems by a factor of 3-5x because teams deploy ML models, automated decision rules, and third-party AI-powered tools without central visibility. For each system, determine the risk classification and identify the responsible business owner.

Month 2-3: Gap Analysis

For each high-risk system, assess the current state against each requirement. Where is your documentation? Do you have data provenance records? Is human oversight in place and functioning? What monitoring exists? Prioritize the gaps by severity and effort.

Months 3-5: Remediation

Address the critical gaps. Build the technical documentation. Implement or upgrade monitoring infrastructure. Design and deploy human oversight mechanisms. Establish or formalize the risk management process.

Month 6: Validation and Readiness

Test your compliance measures. Run tabletop exercises. Verify that your documentation would withstand a regulatory inquiry. Ensure that the people responsible for human oversight are trained and empowered.

This timeline is aggressive. It assumes dedicated resources and executive sponsorship. If your Vorstand has not yet allocated budget and mandate for AI Act readiness, that conversation needs to happen soon.

What Happens As Obligations Apply

Enforcement will not arrive as a single event. National competent authorities, which in Germany will involve coordination between BaFin (for financial services), the BfArM (for medical AI), and other sector-specific regulators, will begin supervisory activities. Penalties for non-compliance with high-risk requirements reach up to EUR 15 million or 3% of global annual turnover, whichever is higher.

But penalties are the least important consequence. The real risk is operational: being forced to shut down or substantially modify AI systems that your business depends on, under regulatory pressure, on a timeline you do not control.

The Strategic Opportunity

Organizations that approach the EU AI Act purely as a compliance burden will spend more and gain less. The requirements, rigorous documentation, continuous monitoring, meaningful human oversight, are also the requirements for building AI systems that actually work reliably at enterprise scale.

The enterprises that invest in governed AI infrastructure now will have a structural advantage: they will deploy AI faster, with fewer production incidents, greater stakeholder trust, and lower total cost of ownership.

If you are unsure where your organization stands, we can conduct a rapid assessment of your AI portfolio against the EU AI Act requirements and give you an honest read on what needs to happen before the relevant obligations apply. Start a conversation with us.