A deep dive into last week’s most important AI development.
The EU AI Act Is Live: What Your Organization Must Do Before August 2, 2026
Published May 14, 2026 · Sunday Deep Dive
The EU AI Act entered into force on August 1, 2024. That date matters less than the compliance calendar that followed — a phased timeline of obligations that most organizations have treated as a distant future concern. It is not.
The first hard deadline — prohibiting certain categories of AI systems — passed on February 2, 2026. If your organization was operating prohibited AI systems on that date, it was in violation of EU law. The penalties under the Act for prohibited AI: up to €35 million or 7% of global annual turnover, whichever is higher. Not a fine. A ceiling. The actual enforcement discretion sits with national supervisory authorities — and they are building capacity.
The next major deadline is August 2, 2026 — less than twelve weeks from today. This deadline covers two distinct obligation categories that affect most large enterprises: the requirements for high-risk AI systems, and the obligations for providers of general-purpose AI models (GPAIs).
For Dutch enterprises, the supervisory authority is the Autoriteit Persoonsgegevens (AP), which has been designated as the coordinating national AI authority for the Netherlands. The AP has signaled it will prioritize high-risk AI systems in HR, financial services, and critical infrastructure in its first enforcement wave.
Here is what your board needs to understand, and what your legal and compliance functions need to have completed before August.
The Risk-Tier Architecture: Where Does Your AI Actually Sit?
The EU AI Act operates through a tiered risk classification system. The first executive task is to understand which tier applies to each AI system in your portfolio — not "AI in general" but specific systems, specific use cases, specific deployment contexts.
Tier 1: Prohibited AI Systems (Deadline: February 2, 2026 — already passed)
These are systems that are banned outright under the Act. The prohibition list includes:
- Biometric categorization systems using sensitive characteristics (political opinions, religious beliefs, sexual orientation) to target individuals
- "Social scoring" systems operated by public or private entities that evaluate or classify individuals based on social behavior and assign consequences unrelated to the context that generated the data
- AI systems that exploit psychological vulnerabilities (age, disability, social/economic situation) to distort behavior in ways that cause harm
- Real-time remote biometric identification systems in public spaces by law enforcement (with narrow exceptions)
- Emotion recognition systems in workplaces and educational institutions (with some exceptions for safety use cases)
- Predictive policing systems based solely on profiling
For most Dutch enterprises, the most relevant prohibition is emotion recognition in workplaces. Several HR technology platforms have marketed "engagement monitoring" and "mood analysis" tools that may constitute prohibited emotion recognition systems. If your organization has deployed such tools, they need to have been switched off by February 2. If they haven't been, this is urgent.
Tier 2: High-Risk AI Systems (Core compliance deadline: August 2, 2026)
High-risk AI systems are permitted but subject to substantial compliance requirements. The Act defines high-risk by reference to two categories:
Annex I systems: AI used as safety components of products already subject to EU legislation (medical devices, aviation, automotive safety systems, industrial machinery)
Annex III systems: AI used in specific high-impact domains:
- Biometrics — remote biometric identification, emotion recognition, biometric categorization
- Critical infrastructure — AI managing water, gas, heat, electricity networks
- Education and vocational training — AI determining access, evaluating performance, proctoring exams
- Employment and HR — AI used in recruitment, selection, promotion, task allocation, termination monitoring, and behavior monitoring of employees
- Essential private and public services — creditworthiness assessment, insurance risk rating, health and life insurance pricing
- Law enforcement — individual risk assessments, polygraphs, crime analytics, facial recognition
- Migration and border control — risk assessments of individuals, examination of asylum applications
- Administration of justice — AI assisting judicial decisions
For Dutch enterprises, the employment and HR category is the highest-impact Annex III classification. If your organization uses AI for any of the following, you are likely operating a high-risk AI system:
- CV screening and candidate ranking tools (Applicant Tracking Systems with AI scoring)
- Interview analysis tools that assess candidates based on recorded video or audio
- Performance management systems that use AI to set targets, monitor outputs, or generate performance ratings
- Task allocation systems that use AI to assign work, shift scheduling, or resource allocation
- Systems monitoring employee behavior, productivity, or attention
The creditworthiness and insurance pricing category is equally significant for financial services firms. AI models used in credit scoring, loan origination decisions, or insurance underwriting are high-risk under the Act.
Tier 3: General-Purpose AI Models (GPAIs) (Obligations: August 2, 2026)
This tier is new territory — the Act is the first major jurisdiction to impose obligations on the developers of foundation models. If your organization develops, fine-tunes, and deploys a GPAI model internally, or if you deploy a third-party GPAI in ways that make you a "deployer" under the Act's definitions, specific obligations apply.
For most enterprises, the relevant question is: what obligations do your AI vendors have as GPAI providers, and what contractual protections have you secured to ensure you can meet your own compliance requirements?
Tier 4: Minimal-Risk AI Systems (No mandatory requirements)
AI systems that don't fall into the above categories face no mandatory requirements under the Act — only voluntary codes of practice. Spam filters, AI-generated content tools, and recommendation algorithms that don't trigger Annex III classifications fall here.
The Compliance Requirements for High-Risk AI: What August 2 Actually Requires
For organizations operating high-risk AI systems, the August 2, 2026 deadline triggers a specific set of compliance requirements. The full list is extensive; here are the requirements that most enterprises will find most operationally challenging:
1. Risk Management System: A documented, ongoing risk management process covering the entire lifecycle of the high-risk system — from design through deployment through monitoring. This is not a one-time audit. It is a living process that must identify, analyze, and evaluate risks on a continuous basis. The documentation must demonstrate that residual risks are acceptable after mitigation.
2. Data and Data Governance: Training, validation, and testing datasets must meet quality criteria: relevant, representative, free from errors, complete. Critically, datasets must be examined for biases that could produce discriminatory outcomes — particularly for HR applications. This requires traceability of training data, documentation of data curation processes, and bias testing results.
3. Technical Documentation: Comprehensive documentation covering: the system's purpose and intended use, performance metrics on relevant datasets, architecture and design choices, known limitations, and the human oversight measures built into the system. This documentation must be available to supervisory authorities on request.
4. Logging and Traceability: High-risk systems must automatically log events relevant to identifying risks and monitoring performance. For HR systems, this means logging every AI-generated decision or recommendation, the input data used, and the output produced — with sufficient detail to reconstruct and audit individual decisions.
5. Transparency and Information Provision: Deployers of high-risk AI must inform the individuals subject to AI decisions that they are subject to an AI system, what the system does, and (for HR systems specifically) the right to request human review. This is an operational requirement with communications implications.
6. Human Oversight: High-risk systems must be designed to be effectively overseen by humans during operation. This means trained human reviewers who understand the system's limitations, with defined authority to override, interrupt, or not act on AI outputs. Rubber-stamping AI decisions does not satisfy this requirement — supervisory authorities will examine whether human oversight is substantive.
7. Accuracy, Robustness, and Cybersecurity: Documented accuracy metrics across relevant use cases, testing for performance degradation under adversarial conditions, and demonstrated resilience against manipulation attempts on training data or model behavior.
8. Registration: High-risk AI systems must be registered in the EU AI Act database before deployment. The registration portal is operational as of Q1 2026. This is a hard requirement — unregistered deployment of a high-risk system is a compliance failure regardless of how good your internal documentation is.
The Compliance Gap: Where Most Dutch Enterprises Actually Stand
In March and April 2026, the Dutch AI Authority (operating under the AP) published the results of its first enterprise AI inventory outreach. The findings were pointed: fewer than 15% of large Dutch enterprises had completed a comprehensive AI system inventory. Fewer than 8% had initiated formal risk classification processes for all deployed systems. Registration of high-risk systems in the EU database was minimal.
This is not a Dutch-specific problem. The European Parliament's AI Committee reported in March 2026 that across EU member states, enterprise compliance readiness for the August 2 deadline was "materially insufficient" at the aggregate level.
The compliance gap is not primarily a technical problem. Most of the documentation and process requirements are organizational — they require legal, compliance, HR, IT, and business unit owners to work together in ways that don't typically happen naturally. The gap is a coordination and prioritization problem.
For Dutch enterprises, the specific priority areas before August 2:
1. Complete your AI system inventory. You cannot classify what you don't know you have. A comprehensive inventory of all AI systems in operation — including tools embedded in vendor platforms (your ATS, your ERP, your productivity suite) — is the non-negotiable starting point. Many organizations are shocked to discover the extent of AI embedded in software they think of as "just software."
2. Classify every system against the risk tiers. This requires legal judgment — the Act's definitions have nuance and gray areas, and classification decisions should be documented with reasoning, not just asserted.
3. For any high-risk systems: audit compliance against the eight requirements above. In most organizations, this reveals significant gaps, especially in logging, documentation, and human oversight substance.
4. Engage your AI vendors. Every AI vendor serving European enterprise clients has obligations under the Act — either as a provider or as a third party in a deployer's compliance chain. You need contractual assurances that vendor systems meet their requirements, and you need the technical documentation from vendors to complete your own compliance records.
5. Register high-risk systems. This is a procedural requirement with a hard deadline. It needs to be on a compliance calendar with a named owner.
6. Prepare transparency communications. If you use AI in hiring, performance management, or other HR processes, you need to have employee communications ready that disclose this, explain what the system does, and describe the human oversight process.
The Enforcement Reality: What to Expect Post-August
The enforcement reality of new EU regulation follows a consistent pattern: the first twelve months post-deadline focus on the most egregious violations and on building a track record of enforcement decisions that clarify the regulatory landscape. The AP's stated priorities suggest:
- High-risk HR applications, particularly AI in hiring and performance monitoring
- Financial services AI in credit and insurance pricing
- Any system that touches children or other vulnerable populations
The enforcement mechanism is important to understand. The AP can impose fines, mandate remediation, and — in severe cases — prohibit the operation of a non-compliant system. For enterprises operating high-risk AI without the required documentation and processes, a prohibition order is an existential operational risk, not just a financial one.
There is also reputational exposure. The Act requires that enforcement actions be publicly reported. A disclosed AP finding against a major Dutch employer for operating non-compliant HR AI is a media event with real talent and commercial consequences.
The strategic response is not compliance theater — it is substantive compliance. Building genuine risk management systems, real human oversight processes, and meaningful transparency communications is both legally safer and operationally more valuable than checkbox compliance that won't survive regulatory scrutiny.
Key Takeaways
- The August 2 deadline is twelve weeks away. High-risk AI system compliance requirements are not future planning items. They are current legal obligations with a hard activation date.
- The HR/employment category is the highest-impact classification for most Dutch enterprises. CV screening, interview analysis, performance monitoring, and task allocation AI likely constitute high-risk systems.
- Fewer than 15% of large Dutch enterprises have completed AI inventories. The compliance gap across the market is real and substantial. Acting now is a competitive advantage, not just a legal obligation.
- Eight specific requirements govern high-risk AI. Risk management system, data governance, technical documentation, logging, transparency, human oversight, accuracy/robustness, and registration. Each requires organizational work, not just technical fixes.
- Engage your vendors immediately. Your compliance depends partly on your vendors' compliance. Contractual assurances and technical documentation from AI vendors are critical path items.
- Enforcement will be substantive, not symbolic. The AP has staffed up for AI enforcement. The first enforcement wave will target the categories that matter most to Dutch working life: employment AI and financial services AI.
Sources: EU AI Act (Regulation (EU) 2024/1689), Official Journal of the European Union; European AI Office Guidance on High-Risk AI Classification (March 2026); Dutch Authority for Personal Data (AP) AI Supervision Statement (April 2026); European Parliament AI Committee Compliance Readiness Report (March 2026); EU AI Act Database Registration Portal (aiact.eu); KPMG EU AI Act Implementation Survey Q1 2026; Allen & Overy EU AI Act Compliance Guide (February 2026); Hogan Lovells Dutch AI Regulation Briefing (March 2026).