EU AI Act Enforcement August 2026: What Changes on 2 August

# The date that matters: 2 August 2026

EU AI Act enforcement August 2026 is not a soft launch. On 2 August 2026, the obligations that have been phased in since the Regulation entered into force on 1 August 2024 reach their most operationally significant milestone for most European businesses. National market surveillance authorities gain full power to investigate, sanction, and publicly name non-compliant organisations. If your company uses AI in hiring, performance management, credit scoring, or customer-facing decisions, the clock is running.

The Regulation itself was published in the Official Journal on 12 July 2024 and applies in stages. The prohibited-AI provisions kicked in on 2 February 2025. General-purpose AI obligations followed on 2 August 2025. The full framework, covering high-risk AI systems under Annex III, becomes enforceable on 2 August 2026. That is the date that most HR Directors and COOs should have circled.

# What actually changes on that date

Before 2 August 2026, national authorities can observe and warn. After it, they can fine. Article 99 of the AI Act sets out the penalty structure in plain terms:

• Violations involving prohibited AI practices: up to €35 million or 7% of global annual turnover, whichever is higher.
• Non-compliance with most other obligations, including high-risk system requirements: up to €15 million or 3% of global annual turnover.
• Supplying incorrect or misleading information to authorities: up to €7.5 million or 1.5% of global annual turnover.

For a company with €20 million in revenue, 3% means €600,000. That is not theoretical. The GDPR enforcement record shows that regulators do fine SMEs, not just multinationals.

These figures apply to providers and deployers. If you bought an AI tool from a vendor and you are deploying it in an employment context, you are a deployer under the Act. Deployers carry real obligations, particularly around transparency, human oversight, and data governance.

# Who enforces this in the Netherlands

Each EU member state designates a national competent authority. In the Netherlands, the Autoriteit Persoonsgegevens (AP) and the Autoriteit Consument en Markt (ACM) share oversight responsibilities depending on the sector and AI use case. The AP handles AI systems that process personal data in high-risk contexts, which covers most HR tools. The ACM focuses on consumer-facing and market-related deployments.

Both bodies have enforcement staff already familiar with digital regulation. They do not need to build capacity from scratch. The AP has handed out GDPR fines exceeding €750,000 against Dutch organisations. Expect the same pattern here: early investigations, a public example or two, then settled enforcement activity.

# Article 4: the obligation that surprises people

Article 4 of the AI Act requires providers and deployers to take measures to ensure staff working with AI systems have sufficient AI literacy. The text says: "sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf."

This is not about training data scientists. It means the HR manager using an AI shortlisting tool, the compliance officer approving automated decisions, and the line manager receiving AI-generated performance scores all need to understand what the system does, how it can fail, and when to override it. Article 4 does not specify a minimum number of training hours or a certification standard, but it does create a documented duty. Regulators will ask: what did you do, when did you do it, and how do you know it worked?

For most SMEs, this is the lowest-hanging fruit in terms of compliance. A structured, documented literacy programme costs far less than a €15 million fine.

# The high-risk category you probably already meet

Annex III of the AI Act lists the AI use cases classified as high-risk. Point 4 is the one most relevant to companies with 20 to 200 employees:

AI systems used for recruitment or selection of natural persons, notably for advertising vacancies, screening or filtering applications, evaluating candidates in the course of interviews or tests.

If you use any tool that scores CVs, ranks candidates, or analyses video interviews, you are operating a high-risk AI system. The obligations that come with this classification include conformity assessments, technical documentation, logging of system outputs, and the transparency disclosures required under Article 13.

Many HR teams are unaware that an off-the-shelf ATS with an AI ranking feature qualifies. The vendor may be the provider, but you, as the deployer, still have obligations under Articles 26 through 29.

# A 90-day preparation checklist

If you start today, 90 days gives you enough time to reach a defensible compliance position. Work through these steps in order.

Week 1 to 2: Map your AI systems. List every tool your company uses that automates or significantly influences a decision about a person. Include ATS platforms, performance management software, scheduling tools, and any chatbot used in customer service. Classify each one against Annex III.

Week 3 to 4: Identify your role. For each system, determine whether you are a provider (you built or significantly modified it) or a deployer (you bought and use it). Your obligations differ materially. Most SMEs are deployers.

Week 5 to 6: Request documentation from vendors. Under Article 26, deployers are entitled to receive information from providers, including instructions for use and technical documentation. Ask for it in writing. If a vendor cannot provide it, that is a compliance risk sitting in your supply chain.

Week 7 to 8: Conduct an AI literacy assessment. Identify every staff member who interacts with an AI system in a high-risk use case. Design a short, documented training session covering what the system does, its known limitations, and the process for human review. Keep attendance records.

Week 9 to 10: Establish a human oversight procedure. Article 14 requires that high-risk AI systems be designed and used so that humans can effectively oversee them and intervene when necessary. Document the procedure. Assign a named responsible person.

Week 11 to 12: Draft your transparency notices. If you use AI in hiring or performance management, affected individuals have a right to know. Prepare clear, plain-language disclosures and embed them in your candidate communications and employee handbook.

Final two weeks: Internal review and gap log. Run everything past your legal or compliance adviser. Document what you have done, what gaps remain, and your plan to close them. Regulators treat documented good-faith effort very differently from silence.

# The one thing most companies skip

Most SMEs focus on the AI tools themselves and forget about internal governance. Appointing a named compliance lead for AI, even if that person is also the COO or HR Director, creates accountability. Without a named owner, documentation stalls, training gets deprioritised, and vendor follow-up falls through the gaps. Forty-five minutes spent writing a one-page AI governance policy before the end of this month will make every subsequent step faster.

The enforcement date is fixed. The obligations are specific. The fines are real. Start the mapping exercise this week, request vendor documentation by the end of the month, and deliver your first AI literacy session before 2 August 2026.

---

Not sure where your company stands? Run the free 2-minute compliance check at comply.khairos.ai to get a prioritised list of actions based on the AI tools you actually use.