When do EU AI Act requirements take effect and what is the compliance timeline?
The next phase of the EU AI Act takes effect on August 2, 2026, at which point organizations must comply with requirements for high-risk AI systems, including automated audit trails, cybersecurity measures, and incident reporting obligations.
Compliance with the EU AI Act will become a legal requirement, not just a best practice, with penalties up to 3% of global revenue for non-compliance. For AI systems classified as high-risk, the Act mandates specific design and development practices to ensure effective human oversight during their use. This aligns with the NIST AI Risk Management Framework's "Govern" function, which also requires human oversight, and ISO 42001, which specifies defined human oversight roles.
Concrete controls for compliance include:
- Automated Audit Trails: Implement systems that automatically generate audit trails for all AI system actions. This helps address the "Lack of Accountability" (L6) risk by ensuring every consequential action has a traceable path.
- Cybersecurity Requirements: Ensure all high-risk AI systems meet specified cybersecurity standards. This is crucial for protecting against various threats, including those that could exploit vulnerabilities in AI models.
- Incident Reporting Obligations: Establish processes for reporting incidents related to AI systems. This contributes to transparency and allows for timely responses to security breaches or failures.
- Human Oversight: Design AI systems to be effectively overseen by natural persons. This is a direct requirement of EU AI Act Article 14 and can be supported by controls such as risk-based routing for approvals, decision quality monitoring, and structured logging of human decisions.
- Identity and Access Management (IAM) for Agents: Address the governance and regulatory urgency around non-human agent identity. While the sources do not provide specific controls for this, it is highlighted as a critical area for securing the agentic AI economy.
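
As an added illustration (not part of the original answer, and not prescribed by the EU AI Act, NIST AI RMF or ISO 42001), the Python example below combines three of the controls listed above: an automated audit trail, risk-based routing for approvals, and structured logging of human decisions. The hash chaining used to make the trail tamper-evident, the 0.7 risk threshold, and all names (`AuditTrail`, `run_action`, the agent and reviewer ids) are assumptions chosen for the example.

```python
import hashlib
import json

APPROVAL_THRESHOLD = 0.7   # assumed cut-off: at or above this, a human must decide
GENESIS = "0" * 64         # "previous hash" of the first entry

def _digest(body):
    # Canonical JSON (sorted keys) so the same entry always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only log; each entry commits to the one before it (hash chain)."""
    def __init__(self):
        self.entries = []

    def append(self, event, ts):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "prev": prev, "event": event}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        # Recompute every hash; an edited, removed or reordered entry breaks the chain.
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in ("seq", "ts", "prev", "event")}
            if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True

def run_action(trail, agent, action, risk, ts, reviewer=None, approved=None):
    """Log the proposal, route by risk, log the human decision, return the outcome."""
    trail.append({"type": "proposed", "agent": agent, "action": action, "risk": risk}, ts)
    if risk >= APPROVAL_THRESHOLD:            # high risk: never execute without a decision
        if reviewer is None or approved is None:
            trail.append({"type": "blocked", "action": action, "reason": "awaiting human review"}, ts)
            return "pending"
        trail.append({"type": "human_decision", "reviewer": reviewer,
                      "action": action, "approved": approved}, ts)
        if not approved:
            return "denied"
    trail.append({"type": "executed", "agent": agent, "action": action}, ts)
    return "executed"

if __name__ == "__main__":
    trail = AuditTrail()  # constructed sample actions, not real data
    print(run_action(trail, "agent-1", "read_report", 0.2, ts=1))
    print(run_action(trail, "agent-1", "wire_transfer", 0.9, ts=2))
    print(trail.verify())
```

In a real deployment the chain head would also be anchored outside the system that writes the log (for example, in write-once storage), since a party who can rewrite the whole log can recompute every hash.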
This AI-generated answer is for guidance only — not a certification, audit, or penetration test. Grounded in the NIST AI RMF, OWASP LLM Top 10, and ISO/IEC 42001 control text; verify applicability to your environment.