Four months.
That’s the distance between today and August 2, 2026, the date by which providers and deployers of Annex III high-risk AI systems must meet the EU AI Act’s full technical compliance requirements. This week, the EU AI Office reportedly released practical guidelines for Article 6 classification, the provision that determines which systems land in that high-risk category. If the reporting on that guidance is accurate, compliance teams now have more specificity than they’ve had at any point since the Act passed.
The problem: the guidance document itself hasn’t yet surfaced with a verifiable official-domain URL. What’s available is press coverage of its contents. This brief works from that coverage with qualified language where the primary source hasn’t been confirmed, and from the Act’s own text, which is publicly available and authoritative, where the underlying requirements are established regardless of how the guidance frames them.
What Article 6 Actually Covers
Article 6 is the EU AI Act’s classification provision. It determines which AI systems must meet the Act’s most demanding requirements: technical documentation, conformity assessment before market placement, human oversight capability, accuracy and robustness standards, and the logging obligations addressed below.
Annex III of the Act enumerates eight categories of high-risk AI. Two are most directly implicated by this week’s reported guidance:
Category 4, Employment and workforce management. AI systems used in recruitment, selection, promotion, task allocation, performance monitoring, and termination decisions. This category has been in the Act since passage. What the reported guidance reportedly adds is treatment of autonomous agents operating within these workflows, systems that don’t just assist a human decision-maker but take or substantially influence consequential employment actions with minimal human intervention per decision cycle.
Category 5, Access to essential private services and public benefits. This category covers systems used to evaluate creditworthiness and establish credit scores, with an exception for fraud detection. Credit scoring and loan decisioning tools with EU user exposure fall here. The reported guidance’s “significant influence” framing extends this to autonomous agents that feed or constitute credit decisions rather than merely support them.
Both categories describe systems that many large enterprises are already deploying. The compliance gap question, whether a given organization’s deployed tools meet or miss the August 2 requirements, depends on mapping their actual system architectures against these categories, not on waiting for the guidance to be translated into a checklist by a third party.
The Four-Article Logging Requirement
According to reports of the guidance, high-risk systems must implement event-logging capabilities across four articles of the Act. Cross-referencing that characterization against the Act’s text identifies the most likely four: Article 12 (logging capabilities built into the system by the provider), Article 17 (quality management system documentation, which includes logging protocols), Article 26 (deployer obligations including use-log retention for at least six months where technically feasible), and Article 73 (the enforcement and monitoring provisions that give supervisory authorities access to logs). Each addresses a different actor in the supply chain.
What this means in practice: a provider that builds a high-risk HR AI system must design event-logging into the product. The enterprise deploying it must retain usage logs. Both must be able to produce those logs for supervisory authorities. If the guidance’s four-article framing holds on review of the actual document, this is a shared obligation, not something a deployer can fully satisfy by contractual pass-through to the vendor.
Stakeholder Impact: Who This Hits Hardest
Three groups face the most immediate compliance exposure from this guidance, assuming it holds on direct review:
HR technology vendors with EU revenue. Any SaaS or platform company whose product makes or influences employment decisions for EU-domiciled workers needs an Annex III assessment completed before June if they want time to remediate gaps before August. The reported agentic AI framing is particularly relevant for vendors who’ve added autonomous workflow capabilities in the last 18 months, systems that evaluate candidates, triage applications, or route performance flags without per-decision human review.
Fintech and credit platforms with EU user exposure. Consumer lending, BNPL, and credit underwriting platforms that serve EU users and use AI in decisioning are almost certainly in scope. The question is whether they’ve completed conformity assessment and whether their technical documentation would survive regulatory scrutiny. Many haven’t been treating August 2 as a hard date.
Enterprise AI deployers with autonomous internal tools. Large enterprises that have built or deployed autonomous agents for internal HR workflows, talent acquisition automation, performance review tooling, workforce optimization systems, may not have mapped those tools against Annex III. Internal deployment doesn’t exempt an organization from the Act’s deployer obligations; it just means the deployer and the provider may be the same entity.
The Digital Omnibus Question
A proposal to delay high-risk enforcement from August 2, 2026 to August 2027 has been circulating under the Digital Omnibus package. It hasn’t been enacted. The proposal exists because industry stakeholders argued the compliance timeline was too compressed for organizations to complete conformity assessments and technical remediation.
That argument may be correct. It doesn’t change the operative date.
The EU AI Office releasing practical classification guidance while the delay proposal sits unresolved is a meaningful institutional signal. If the Office expected the delay to pass, issuing detailed practical guidance weeks before the current deadline would be an odd use of resources. Compliance teams that have been treating the 2027 date as probable are making a planning bet, not a planning decision.
The defensible position: build toward August 2, treat any delay as optionality, and don’t structure remediation timelines around a proposal that hasn’t moved to a vote.
Three Decisions Compliance Teams Need to Make This Week
First, complete the Annex III system inventory. Map every deployed AI system that touches employment decisions or credit evaluation against the eight high-risk categories. If that inventory doesn’t exist, create it before anything else. The guidance is only useful once you know which systems it applies to.
Second, assess logging readiness. For any system in scope, determine whether event-logging capabilities exist at the provider level and whether your organization retains deployment logs consistent with Article 26’s six-month expectation. If a vendor’s contract doesn’t address log retention or supervisory authority access, that’s a gap to close now.
Third, make the August vs. 2027 planning call explicitly. Don’t let the Digital Omnibus ambiguity become a reason to defer the decision. Choose a planning date, document the rationale, and build a remediation roadmap that reflects it. If the delay passes, you’ve lost nothing except time spent on compliance preparation that remains valid whenever the date arrives.
The guidance reportedly issued this week, once confirmed against the actual document, gives compliance teams the specificity they’ve been waiting for. The calendar doesn’t wait for the confirmation.