Sixteen weeks isn’t a lot of time. It’s enough to finish a conformity assessment you started six months ago. It isn’t enough to start from zero and have any confidence in your position on August 3, 2026, when national market surveillance authorities can begin asking questions.
The EU AI Act’s Annex III high-risk provisions become applicable August 2, 2026. The European Commission confirmed this timeline at entry into force. The EU AI Act Service Desk’s implementation timeline maps the full four-year implementation arc: August 1, 2024 (entry into force), February 2, 2025 (general provisions and AI literacy obligations), August 2, 2026 (Annex III high-risk), August 2, 2027 (remaining provisions). The August 2, 2026 date doesn’t complete the Act’s implementation, but it is the deadline that most AI-deploying organizations in regulated sectors are directly exposed to.
This deep-dive structures what you need to have done, in what order, across the next 16 weeks. It draws on the EU AI Act’s statutory requirements and available legal analysis. It isn’t legal advice. Organizations with covered systems need qualified EU counsel.
Step 1: Know what you’re operating (Weeks 1–3)
Everything else depends on this. Annex III defines eight high-risk AI system categories:
- Biometric identification and categorization of natural persons
- Management and operation of critical infrastructure
- Education and vocational training
- Employment, workers management, and access to self-employment
- Access to and enjoyment of essential private services and public services and benefits
- Law enforcement
- Migration, asylum, and border control management
- Administration of justice and democratic processes
If your organization provides or deploys AI systems that perform functions within these categories – in EU markets or affecting EU natural persons, you’re a covered entity under Annex III. The determination isn’t always obvious. An HR screening tool that ranks candidates isn’t labeled “employment AI” in your procurement contract. A fraud-detection model used in lending touches “essential private services.” Legal counsel familiar with the Act’s implementing guidance should confirm your system inventory before you begin conformity assessment.
Providers of general-purpose AI models (GPAIMs) with systemic risk designation also face obligations under Title VIII that overlap with this timeline. If your organization develops foundation models above the 10^25 FLOPs training threshold, or models designated as systemic risk by the EU AI Office, those obligations are in scope separately from Annex III.
Step 2: Understand what “conformity” requires for your system type (Weeks 2–5)
The EU AI Act distinguishes between two conformity assessment paths for Annex III systems, depending on the category involved.
Third-party conformity assessment is mandatory for certain high-risk categories, including biometric identification systems and AI used in critical infrastructure. A notified body – an EU-designated independent conformity assessment body, must assess the system before market placement.
Internal conformity assessment is permitted for most other Annex III categories. The provider conducts the assessment against the Act’s technical requirements and produces the required documentation.
Both paths require, at minimum: a technical documentation package meeting the requirements of Article 11 and Annex IV; a quality management system meeting Article 17 requirements; a transparency and logging system meeting Article 12 requirements; a post-market monitoring plan under Article 72; and human oversight mechanisms under Article 14.
If your system requires third-party assessment and you haven’t engaged a notified body, that engagement needs to happen in weeks one through three. Notified body schedules fill up. Waiting until June for a mandatory third-party assessment creates scheduling risk that the assessment itself won’t resolve.
Step 3: Build the technical documentation package (Weeks 3–10)
Article 11 requires providers to draw up technical documentation before placing a high-risk AI system on the market. Annex IV specifies what that documentation must contain. The list is substantial: a general description of the system and its intended purpose, a detailed description of system components and development process, information on training data and training methodologies, validation and testing procedures and results, standards applied and conformity assessment results, human oversight measures, and post-market monitoring arrangements.
Assembling this documentation for a system already in production requires retroactive reconstruction, documenting design decisions that may predate the Act, sourcing records of training data that may be spread across teams, and commissioning testing against applicable harmonized standards where they exist.
This is the most time-intensive requirement. Organizations that began this work in Q4 2025 are positioned to complete it by June. Organizations starting now have roughly eight weeks of working time before the final compliance buffer begins.
Step 4: Implement human oversight mechanisms (Weeks 4–12)
Article 14 requires that high-risk AI systems be designed and developed so that natural persons can oversee the system’s functioning during the period of its use. This isn’t a checkbox. It has specific technical implications: the system must allow the assigned human overseer to understand the system’s capabilities and limitations, monitor its operation, detect malfunctions or anomalies, and intervene or halt the system when needed.
For AI systems already in production with limited auditability or intervention capability, this requirement may require system modifications. Those modifications take time and testing. They also feed back into the technical documentation package, any changes to the system’s human oversight architecture need to be documented.
Step 5: Register your system in the EU database (Weeks 10–15)
Providers of Annex III high-risk AI systems are required to register their systems in the EU AI database before placing them on the market or putting them into service. The EU AI Office manages this registration. If your system was placed on the market before August 2, 2026, you’ll need to determine whether the registration requirement applies immediately upon the deadline or whether a transition period applies, that determination requires review of the implementing regulations that the EU AI Office is publishing through 2026.
The grandfathering question
Legal analysis from Orrick notes that AI systems already placed on the market before August 2, 2026 may benefit from an extended compliance period. This is a meaningful potential buffer for organizations deploying covered systems that already have EU market presence. But it isn’t a blanket exemption, and its applicability to your specific situation depends on how your system is characterized under the Act. Verify the specific terms with EU counsel before treating grandfathering as a compliance strategy.
The penalty structure by violation type
EU AI Act Article 99 establishes a tiered penalty structure. The specific amounts organizations should plan around depend on the violation type:
- Prohibited AI systems (those already banned since February 2, 2025): up to €35 million or 7% of total worldwide annual turnover, whichever is higher
- High-risk system non-compliance (the August 2, 2026 provisions): up to €15 million or 3% of total worldwide annual turnover
- Provision of incorrect information to authorities: up to €7.5 million or 1% of total worldwide annual turnover
These figures are drawn from training knowledge of EU AI Act Article 99 and are consistent with widely published analyses of the Act’s text. Verify against the official text at eur-lex.europa.eu before using in legal or compliance contexts.
The distinction between prohibited and high-risk penalties is important because it’s frequently misreported. The €35M/7% figure applies to prohibited AI systems, social scoring, real-time biometric surveillance in public spaces, and similar systems banned outright. Organizations operating high-risk Annex III systems that miss the August 2 deadline face the €15M/3% tier.
Six-week, twelve-week, sixteen-week milestones
By week 6 (approximately May 22, 2026): System inventory complete and confirmed with legal counsel. Conformity assessment path determined (internal vs. third-party). Notified body engagement initiated if applicable. Technical documentation scope defined.
By week 12 (approximately July 3, 2026): Technical documentation drafted and under internal review. Human oversight mechanisms implemented and tested. Post-market monitoring plan drafted. EU database registration initiated (or grandfathering determination made with counsel).
By week 16 (August 2, 2026): Technical documentation complete. Conformity assessment complete. EU declaration of conformity drawn up. CE marking affixed where required. Registration in EU database complete or grandfathering status confirmed. Human oversight procedures documented and staff trained.
TJS synthesis
The EU AI Act doesn’t reward organizations that wait for certainty before acting. Harmonized standards are still being published. Implementing regulations are still being finalized. Some interpretive questions won’t have official answers before August 2. Organizations that treat regulatory uncertainty as a reason to delay are confusing “we don’t know every detail yet” with “we don’t need to act yet.” Those are different problems with different consequences.
The practical compliance question for most organizations isn’t whether the requirements are final. It’s whether the systems they’re already operating fall within Annex III categories, and whether the documentation and oversight mechanisms they’d need can be assembled before August 3, when enforcement eligibility begins.
Start with the system inventory. Everything else follows from knowing what you have.