Regulation Deep Dive

90 Days to EU AI Act Deadline: Which Annex III Obligations Can Be Met Without Harmonized Standards

5 min read Regulation (EU) 2024/1689 (europa.eu T1) Partial Weak
August 2, 2026 remains binding. No omnibus extension has entered into force. But with final harmonized standards for high-risk AI systems still unpublished, compliance teams face a decision that no countdown clock resolves: which Annex III obligations they can satisfy through self-assessment today, and which ones remain structurally uncertain until the European Commission acts.
90 days to Aug 2, no harmonized standards published yet
Key Takeaways
  • August 2, 2026 is confirmed and binding; no omnibus extension has entered into force, per Regulation (EU) 2024/1689
  • Final harmonized standards for high-risk AI systems have not been published, creating compliance uncertainty in specific technical areas
  • Risk management (Article 9), technical documentation (Annex IV), and human oversight (Article 14) are substantially self-assessable now; organizations should not wait for standards to proceed on these
  • SMEs face disproportionate exposure from the standards gap: a compliance program built to the regulation text and later refined for standards alignment is the recommended posture
  • AGCM's Consumer Code enforcement (see BRIEF-REG-0504-A) adds a parallel, present-tense transparency obligation under Italian consumer law, separate from Article 50 preparations
Compliance Deadline
August 2, 2026
89 days remaining
Entity: European Commission / EU AI Office
Jurisdiction: EU
Penalty: Up to 3% of global annual turnover (non-compliance with high-risk obligations)
Compliance Readiness, Standards Dependency
  • Article 9 Risk Management: Self-assessable now
  • Annex IV Technical Documentation: Self-assessable now
  • Article 14 Human Oversight: Self-assessable now
  • Article 13 Transparency / Instructions: Build now, monitor standards
  • Article 15 Accuracy / Robustness: Build now, standards may refine methodology
Analysis

The harmonized standards gap creates genuine uncertainty in specific technical conformity areas. It does not justify pausing the compliance obligations that are fully self-assessable today. Organizations using the standards gap as a reason for broader compliance delay are conflating two different problems.

The alarm has been sounded. Multiple times. The EU AI Act’s August 2, 2026 high-risk compliance deadline is real, confirmed, and not moving, as established in Regulation (EU) 2024/1689 and confirmed by every subsequent legislative development, including the failure of the omnibus extension effort.

What hasn’t been written is the compliance operations question that the countdown obscures: which obligations can you actually satisfy right now, with the tools and standards that exist, and which ones are waiting on something the Commission hasn’t published yet?

That’s the question this brief addresses.

Section 1: Status as of May 4, What the EC Has and Hasn’t Published

As of the reporting date, the European Commission has not yet published final harmonized standards for high-risk AI systems under Annex III, according to legal and standards commentary. The Commission has released guidance documents and codes of practice, including the Code of Practice for General Purpose AI providers, but harmonized standards under the EU AI Act, which would provide a presumption of conformity for high-risk system requirements, have not been finalized.

This matters structurally. Under Regulation (EU) 2024/1689, compliance with harmonized standards creates a presumption of conformity with the corresponding AI Act requirements. Without published standards, providers cannot use that presumption pathway. They must either demonstrate compliance through other means, typically internal documentation and third-party conformity assessment, or wait.

Ninety days is not long enough to wait.

Section 2: Article 6(2) Obligations, What Can Be Met Without Published Standards

Article 6(2) of the regulation defines which AI systems qualify as high-risk by virtue of their intended purpose under Annex III. Getting this classification right doesn’t require harmonized standards; it requires a careful reading of the Annex III list and an honest assessment of your system’s intended purpose.

Several Article 6(2)-adjacent obligations are substantially self-assessable today:

Risk management. Per Regulation (EU) 2024/1689, high-risk AI systems must have a documented risk management system throughout the system lifecycle. The structure of that system (identifying, analyzing, estimating, evaluating, and mitigating risks) can be built and documented now. Harmonized standards would specify preferred methodologies, but their absence doesn’t prevent a provider from implementing and documenting a defensible risk management approach.

Data governance. Requirements for training, validation, and testing data governance under the regulation are framed in terms of practices and documentation, not standards-dependent technical specifications. A provider can audit its data lineage, bias testing, and data management practices against the regulation’s text today.

Technical documentation. The regulation’s Annex IV specifies what technical documentation for high-risk systems must contain. Annex IV is a list. Work through the list.

These obligations require organizational effort, legal review, and documentation discipline. They don’t require the Commission to publish anything else first.

Section 3: Articles 25 and 50, Where the Standards Gap Creates Compliance Uncertainty

Article 25 addresses the responsibilities of deployers of high-risk AI systems, including obligations around human oversight, use conditions, and monitoring. Article 50 addresses transparency obligations for GPAI providers specifically, including disclosure requirements for AI-generated content.

Per Regulation (EU) 2024/1689, these provisions are among those applicable as of the August 2 deadline. The compliance challenge is not that they’re ambiguous on their face; the regulation’s text is specific enough to act on for most organizations. The challenge is that harmonized standards, when published, may specify technical and procedural conformity pathways that differ from what organizations are currently building.

This creates a practical risk for organizations that are actively implementing compliance programs now. If you build to your interpretation of Article 25 deployer obligations and harmonized standards subsequently specify a different approach, you may face a documentation and technical retrofit before the standards-based presumption pathway is available to you.

Legal and standards experts have noted the absence of final harmonized standards as a compliance challenge for smaller providers in particular, according to regulatory commentary. Larger organizations can absorb a retrofit. SMEs building compliance programs from scratch on a 90-day timeline face greater exposure if their initial interpretation diverges from eventual standards.

Section 4: SME-Specific Implications, Why the Gap Hits Smaller Providers Harder

The harmonized standards gap is not symmetrically distributed across the market.

Large providers (the frontier labs, major cloud platform operators, established enterprise software vendors) typically have legal and compliance teams that can run parallel tracks: implement to the regulation text now, monitor standards development, and retrofit when standards land. They have the organizational capacity to treat compliance as an iterative process.

Smaller providers face a different calculus. A compliance program built by a five-person legal team on a fixed budget doesn’t get rebuilt easily. The gap between “what we built to” and “what the standards require” represents real cost, not just legal risk.

For SMEs operating in the EU with Annex III systems, the practical guidance is to document your compliance decisions explicitly. Note which article provision you are satisfying, how you are satisfying it, and that you are doing so in the absence of published harmonized standards. That documentation record demonstrates good-faith compliance effort and creates an audit trail that can support a retrofit conversation with a notified body when standards arrive.

Section 5: A 90-Day Action Map, What Compliance Teams Can Do Now vs. What Requires Waiting

With 90 days remaining, the compliance decision tree looks like this:

Act now, don’t wait for standards:
  • Complete the Annex III classification analysis for all systems in your portfolio
  • Build or finalize the Article 9 risk management system with documented lifecycle coverage
  • Complete Annex IV technical documentation for all confirmed high-risk systems
  • Audit human oversight design against Article 14 requirements; this is substantially self-assessable
  • For deployers: document Article 25 obligations and your current implementation against each

Proceed with internal implementation but monitor standards development:
  • Article 13 transparency and instructions for use: build to the regulation text, flag for potential standards alignment
  • Article 15 accuracy, robustness, and cybersecurity: implement to the regulation’s performance requirements; harmonized standards may specify preferred test methodologies
  • Article 17 quality management system: structure is implementable now; standards may affect specific procedural requirements

Do not wait for standards before acting:
  • Post-market monitoring under Article 72 (providers) and Article 26 (deployers): start now
  • Serious incident reporting procedures: establish now
  • Registration obligations: confirm applicability and prepare for the EU database

One final point on timing. The EU AI Act page on this hub has tracked the extension debate through its collapse and documented the omnibus failure in detail. The political story is settled. August 2 is the date. The operational story, which obligations are actionable right now, is what compliance teams need to be working through this week.

TJS Synthesis

The harmonized standards gap is real, but it shouldn’t be used as a reason to slow down compliance preparation. The bulk of the EU AI Act’s August 2 obligations are implementable today against the regulation text alone. The gap creates genuine uncertainty in specific technical areas (conformity methodology, some Article 15 performance specifications), but it doesn’t prevent organizations from completing classification analysis, building risk management systems, documenting technical specifications, or establishing oversight procedures. The question worth considering: if your compliance program is waiting for harmonized standards before it can proceed, is it actually the standards gap that’s blocking you, or is it something else?
