Stop counting the days. Start completing the requirements.
The hub has tracked the August 2, 2026 high-risk systems deadline across prior coverage going back to the original effective date analysis, and by this point the deadline is established fact, the question compliance teams are actually asking is “what do I do with the 87 days I have?” That’s the question this piece answers.
The EU AI Act’s requirements for high-risk AI systems, set out in Chapter 3 of the regulation, are specific. They’re also tiered. Some are completable right now with available tools and methodology. Others depend on harmonized standards under Article 40 that the European AI Office hasn’t fully published, and those gaps require a documented alternative approach, not paralysis.
A note on scope before going further: the Annex III categories are not a monolith. Hiring and recruitment systems face different conformity assessment pathways than law enforcement systems. Credit scoring tools have different self-assessment options than biometric categorization systems. This roadmap addresses the requirements that apply across Annex III categories broadly; the specific conformity pathway for your system depends on which Annex III category you’re in and your role (provider vs. deployer). Qualified EU law counsel should map your specific obligations. This is not legal advice.
Where Things Stand on Day 87
The EU AI Act (Regulation (EU) 2024/1689) applies from August 2, 2026 to high-risk AI systems as defined in Annex III. The extraterritorial reach follows the GDPR model, any provider whose system affects persons within the EU is in scope, regardless of where that provider operates. US-based companies with EU customers or employees affected by their AI systems are subject to the regulation.
Harmonized standards under Article 40, the technical standards that would specify exactly how to demonstrate compliance, remain incomplete. As covered in prior hub analysis of the Omnibus situation, the standards gap isn’t going to resolve cleanly before August 2. This is the defining operational challenge for compliance teams right now. The regulation’s requirements are clear. The specific technical benchmarks for meeting them aren’t all published yet.
The approach for operating in the gap: document your methodology. The regulation requires demonstration of conformity, it doesn’t require conformity via a specific harmonized standard. Where standards don’t exist, providers must document the methodology they applied, why it’s technically justified, and how it addresses the regulation’s underlying requirements. That documentation needs to be in your technical file.
The QMS Requirement: What It Actually Involves
Article 17 of the EU AI Act requires providers of high-risk AI systems to implement a Quality Management System. This isn’t a certification process, it’s a documented internal governance framework. What a compliant QMS needs to contain is specified in the regulation: policies and procedures for regulatory compliance; data governance and management practices; technical documentation procedures; record-keeping on conformity assessment; post-market monitoring procedures; incident reporting procedures; and processes for system modifications.
If your organization already has an ISO 9001 QMS, it doesn’t automatically satisfy Article 17 – but it gives you a structural foundation to build from. The gap is usually the AI-specific requirements: data governance for training data, documentation of model evaluation methodology, and the incident reporting pathway for AI-specific failures.
What should already be complete for most compliance teams: the QMS framework document, the data governance policy, the roles and responsibilities structure. What typically isn’t complete: the post-market monitoring procedures (which require defining what you’re monitoring, at what frequency, and what triggers an incident report) and the system modification governance (which requires defining what constitutes a substantial modification that restarts the conformity assessment process).
Technical Documentation: The Specific Items Required
Annex IV specifies what technical documentation must contain. This is a checklist, not a judgment call. The items include: a general description of the system including its intended purpose; a description of the development process; a description of the training data and training methodology; a description of the system’s performance and accuracy; an assessment of known and foreseeable risks; details of pre-deployment testing and evaluation; post-deployment monitoring measures; and the conformity assessment procedure applied.
Several of these items are achievable without harmonized standards. The general description, development process, and training data documentation can be completed from internal records. The risk assessment framework can be built from existing methodologies (NIST AI RMF maps well onto the EU AI Act’s risk documentation requirements, though it isn’t a direct substitute).
The item most affected by the harmonized standards gap is “conformity assessment procedure applied”, because the procedure for certain categories depends on standards that aren’t finalized. For those categories, document the alternative methodology you applied and why it demonstrates compliance with the underlying regulatory requirement.
Conformity Assessment: Which Path for Which Category
Not all Annex III systems require third-party assessment. The regulation distinguishes between categories that require notified body involvement and categories that permit internal (self-) assessment via Annex VI procedures.
Systems requiring notified body involvement include: biometric identification systems used in real-time public surveillance; AI used in critical infrastructure management where failures could risk safety; AI used in certain law enforcement contexts. For these categories, you need a notified body, and notified body availability is constrained. There are meaningful queues. If your system falls into a third-party assessment category and you haven’t begun that engagement, 87 days may not be enough to complete it.
Systems where self-assessment is available under Annex VI include: AI systems used in employment and hiring; AI systems used in credit scoring and insurance; AI used in education; AI used in migration and asylum decisions. For these, an internal conformity assessment following the Annex VI procedure is legally sufficient, provided the technical documentation supports it and the QMS is in place.
The practical implication: identify your Annex III category first, then determine your conformity pathway. If you’re in a third-party category and haven’t started, contact a notified body this week. If you’re in a self-assessment category, the 87 days are workable, but only if documentation work starts now.
The 90-Day Action Sequence
Here’s the prioritized sequence for the remaining compliance window, based directly on the regulation’s requirements:
Weeks 1-2: Confirm your Annex III category and your role (provider or deployer). Deployers have different obligations from providers, knowing which you are determines which requirements apply to you. Engage legal counsel if this isn’t already settled.
Weeks 2-4: Complete or finalize your QMS documentation. Close the post-market monitoring and system modification gaps if they exist. This is foundational, everything else builds on the QMS.
Weeks 4-6: Complete your technical documentation file per Annex IV. Don’t wait for harmonized standards on items where you can document methodology now. For items affected by the standards gap, document your alternative approach explicitly.
Weeks 6-10: Execute conformity assessment. If third-party: you should already be in the queue. If self-assessment: complete the Annex VI procedure with your documented technical file.
Weeks 10-12: Register in the EU AI Act database (Article 51 requires registration before high-risk systems are placed on the market). Finalize post-market monitoring setup. Train relevant staff on incident reporting procedures.
The deadline applies to systems placed on the market or put into service on or after August 2. Systems already deployed face a different transition timeline, the regulation includes provisions for systems in service before the deadline, though those provisions depend on your specific category. Prior coverage on building 2026 AI compliance programs addresses the transition timeline in more detail.
What to Watch
Two variables could affect this roadmap before August 2. First: whether any Omnibus amendments modify Annex III scope or conformity requirements before the deadline, as tracked in prior hub coverage of the Omnibus stakeholder positions. If scope changes arrive after compliance work is underway, documentation will need updating. Second: whether the European AI Office publishes any guidance on alternative conformity methodology for categories where harmonized standards aren’t ready. That guidance would directly affect how the standards-gap documentation approach works in practice.
TJS Synthesis
87 days is enough time to complete EU AI Act high-risk compliance for organizations that start executing the sequence now and are in self-assessment categories. It isn’t enough time to start the process from scratch and complete third-party notified body engagement. The non-obvious implication for compliance teams: if your organization has been waiting for harmonized standards to finalize before starting documentation work, that wait is now a liability. The regulation requires demonstration of conformity. It doesn’t require waiting for standards to arrive. Starting the documented alternative methodology approach today produces a technical file that demonstrates good-faith compliance effort, which matters both for regulatory purposes and for how enforcement authorities approach organizations that engaged substantively with the requirements before the deadline.
This briefing is not legal advice. EU AI Act compliance obligations depend on your specific system category, role, and organizational context. Engage qualified EU law and technical counsel to map your specific requirements and confirm your conformity pathway before August 2.