April 28, 2026

EU AI Act launches Aug 2, yet high‑risk oversight gap persists


August 2, 2026 remains the legally binding deadline for Annex III high-risk AI under the EU AI Act. Eight out of 27 member states have formally designated national contact points, the EU Commission missed its February guidance deadline, and the Council voted on March 13, 2026 for a postponement to December 2, 2027 (standalone) and August 2, 2028 (systems embedded in products). Anyone operating an HR screening tool or a credit scoring model today is planning against a shaky deadline with full compliance obligations.

Key Takeaways

  • The deadline remains August 2, 2026, as the binding application date. The EU Council voted on March 13, 2026 for a postponement to December 2, 2027 (standalone) and August 2, 2028 (embedded), with the EU Parliament largely agreeing on March 18, 2026. The Digital Omnibus is in trilogue, with a final text targeted under the Cypriot Council Presidency in May 2026. Until formal adoption, the original date applies.
  • The primary friction point is not with companies.

    The Council justified its position on March 13, 2026: without official technical guidance and without functional national supervisory structures in most member states, the application of high-risk obligations from August 2, 2026, would enforce a rule in a vacuum. The EU Commission had missed its February deadline for the guidance.

    As of April 28: eight member states have formally designated national AI contact points. 19 are missing. The formal designation says little about the operational readiness of market surveillance; it is a prerequisite for subsequent steps. Trilogue negotiations on the Digital Omnibus are ongoing, with the final text aimed for under the Cypriot Council Presidency in May 2026.

    Until that happens, August 2, 2026, remains the applicable implementation date. Germany, under the AI Market Surveillance Act (KI-MüG), relies on a hybrid supervisory model: the Bundesnetzagentur takes on coordination as the central body, supplemented by sectoral authorities depending on the system context. BfDI is responsible for data protection-relevant high-risk systems, BaFin for financial AI, and the BSI provides support on cybersecurity and critical infrastructure (KRITIS) matters. Market surveillance powers include fines, operating bans, and recall orders.

    What Security and Compliance Teams Need in the Next 90 Days

    The obligations can be condensed into a minimum list of artifacts that must be in place before August 2, 2026. Only then can harmonized standards and guidance be meaningfully applied.

    • AI Inventory covering all deployed systems, including providers, versions, and data sources.
    • Annex III Classification per system, with justification and documentation of the high-risk assessment.
    • Provider/Operator Matrix, assigning conformity and logging responsibilities for each system.
    • Risk Management Process according to Art. 9, as lifecycle documentation, not a one-off audit.
    • Data Quality Evidence according to Art. 10, with measurable representativeness and bias indicators.
    • Monitoring and Incident Runbook according to Art. 72, with a logging pipeline and escalation path to the supervisory authority.

    Three operational obligations directly impact the CISO and Compliance areas. Firstly: the risk management system according to Art. 9 must be documented as a continuous process, not as an audit snapshot. This includes identification, assessment, and measures against risks to health, safety, and fundamental rights throughout the entire lifecycle.

    Secondly: Data Quality Governance according to Art. 10. Training, validation, and test data must be relevant, sufficiently representative, and, to the best extent possible, free of errors. The statistical properties of the datasets with respect to the affected groups of persons must be demonstrated.

    Thirdly: Post-Market Monitoring according to Art. 72. Providers must establish a documented monitoring system for the period after placing on the market, including logging, incident reporting, and corrective measures.

    ENISA has published the Framework for AI Cybersecurity Practices (FAICP) as an implementation aid. According to the current state of discussion, final standards and

    If the December 2027 postponement is approved, can compliance efforts be put on hold?

    No. Until the Digital Omnibus is formally adopted, August 2, 2026, remains the binding application date. German market surveillance, under the KI-MüG (AI Market Surveillance Act), will be enforced by the Bundesnetzagentur and sectoral authorities starting from this date. Experience shows that conformity assessments take three to six months. Anyone who hasn’t started by May 2026 will simply not meet the deadline in time.

    Which DACH applications typically fall under Annex III?

    HR screening (applicant management, performance evaluation), credit scoring by banks and savings banks, educational AI with exam evaluation, biometric verification in access control, AI in critical infrastructures such as energy and transport, as well as AI in law enforcement and judicial administration. Embedded AI in regulated products under Annex I applies with an extended deadline until August 2, 2027, or August 2, 2028.

    What is the difference between a Provider and an Operator under the EU AI Act?

    The Provider develops the system and places it on the market. The Operator uses it in their own business operations. Providers bear the central conformity obligation, including conformity assessment, technical documentation, and CE marking. Operators must ensure logging, organize human oversight, and verify suitability for the intended purpose. Both are liable, both are addressed. For user companies, this is the crucial point: Even if the central conformity assessment lies with the Provider, their own obligations do not disappear. Logging, intended use, human oversight, incident processes, and internal responsibilities are Operator tasks and also apply when using third-party HR, scoring, or recruiting tools.

A magazine by Evernine Media GmbH