EU AI Act August 2026 Deadline: Your 9-Week Developer Sprint Plan
Post #1 in the sota.io EU AI Act August Deadline Sprint Series
The clock is ticking. With 63 days until August 2, 2026, the EU AI Act's general application date, SaaS developers face the most consequential software compliance deadline of the decade. If your product uses AI in any form — a chatbot, a recommendation engine, a hiring tool, a credit scorer — this is the moment to act.
This is Post #1 of a 5-part sprint series designed to take your team from "we need to start" to "we are compliant" before August 2. Each post covers a distinct compliance domain in depth. This opener maps the full 9-week sprint.
What Happens on August 2, 2026?
The EU AI Act (Regulation (EU) 2024/1689) follows a phased application timeline:
| Deadline | What Applies |
|---|---|
| February 2, 2025 | Prohibited AI practices (Art.5), AI literacy obligations (Art.4) |
| August 2, 2025 | GPAI model obligations for foundation model providers (Art.51–55) |
| August 2, 2026 | Full general application: Annex III high-risk AI, Art.50 transparency, Art.26 deployer obligations |
| February 2, 2027 | High-risk AI in Annex I safety components |
August 2, 2026 is the pivotal date for most SaaS teams. It triggers obligations for:
- Every AI-enabled SaaS — Art.50 transparency requirements apply universally: chatbot disclosure, emotion-recognition disclosure, and AI-generated content labeling.
- High-risk AI deployers — Art.26 obligations include conformity verification, logging, human oversight, and registration in the EU database before you can put a high-risk system into service.
- HR, education, credit, law enforcement, and essential-services AI — Annex III classification triggers the full provider and deployer compliance stack with technical documentation, conformity assessments, and post-market monitoring.
If you have not started compliance work, 9 weeks is tight — but achievable with a structured sprint.
The 9-Week Sprint Framework
Weeks 1–2: AI System Inventory and Classification (By June 13)
Goal: Know exactly what AI systems your product contains and whether any qualify as high-risk under Annex III.
The EU AI Act applies differently depending on whether your AI system is:
- Prohibited (Art.5): Already banned since February 2025 — social scoring, real-time biometric surveillance in public spaces, subliminal manipulation.
- High-risk (Art.6 + Annex III): Requires full compliance stack by August 2, 2026.
- Limited-risk (Art.50): Requires transparency disclosures only.
- Minimal-risk: No mandatory obligations, but best practices recommended.
Annex III high-risk categories most relevant to SaaS developers:
| Annex III Category | Examples |
|---|---|
| 1. Biometric identification | Facial recognition in access control, identity verification |
| 2. Critical infrastructure | AI managing power grids, water systems, digital infrastructure |
| 3. Education and vocational training | AI grading, admission scoring, learning analytics |
| 4. Employment and workers | CV screening, interview scoring, performance monitoring, task allocation |
| 5. Essential services | Credit scoring, insurance risk assessment, benefits eligibility |
| 6. Law enforcement | Predictive policing, evidence analysis |
| 7. Migration and border | Visa risk assessment |
| 8. Administration of justice | AI-assisted legal decisions |
Week 1–2 deliverables:
- Complete AI system inventory (every model, pipeline, and automated decision in production)
- Classify each system against Art.6 + Annex III
- Flag systems that are borderline — document your reasoning
- Identify whether you are a provider (you build the AI system) or deployer (you put someone else's AI system into use) for each system
Weeks 3–4: Implement Art.50 Transparency (By June 27)
Goal: Deploy mandatory transparency measures for all AI-enabled interactions.
Art.50 applies to all AI-enabled SaaS — not just high-risk systems. Four specific obligations:
Art.50(1) — Chatbot Disclosure If users interact with an AI system that could be mistaken for a human, you must inform them they are interacting with AI — unless this is obvious from context. Implementation: a persistent disclosure banner, "Powered by AI" indicator, or initial message in the conversation.
Art.50(2) — Emotion Recognition and Biometric Categorization If your system infers emotions, assigns individuals to protected categories (political views, ethnicity, religion, sexual orientation) from biometric data, you must inform individuals before processing. This applies to HR tools, marketing analytics, and customer service systems that use sentiment analysis tied to individual profiles.
Art.50(3) — AI-Generated Content Labeling Deployers of AI that generates synthetic audio, video, image, or text content that could be mistaken for authentic human-created content must mark that content as AI-generated. This covers AI-written blog posts, synthetic voices, video synthesis, and image generation used for marketing or communications.
Art.50(4) — Machine-Readable Watermarking for GPAI If you deploy a GPAI model (Claude, GPT-4, Gemini) to generate content, the content must be technically marked as AI-generated in a machine-detectable format. Anthropic, OpenAI, and Google are responsible for providing watermarking mechanisms — you are responsible for not stripping them.
Week 3–4 deliverables:
- Audit all user-facing AI interactions for Art.50(1) compliance
- Add chatbot disclosure to every AI-powered chat interface
- Audit any emotion/sentiment analysis systems for Art.50(2)
- Implement AI-content labeling for any generated content published externally
- Verify your GPAI providers' watermarking status (check Anthropic, OpenAI, Google documentation)
Weeks 5–6: High-Risk AI Compliance Stack (By July 11)
Goal: If you have Annex III systems, complete the technical compliance stack before the deadline.
For high-risk AI systems, both providers and deployers have obligations that must be in place before you can legally put the system into service after August 2, 2026.
For providers of high-risk AI systems:
- Art.9 Risk Management System: A documented, iterative risk management process covering identification, estimation, evaluation, and mitigation of risks. Must include testing under real-world conditions before deployment.
- Art.11 Technical Documentation: A comprehensive package in Annex IV format covering system description, development process, training data governance, performance metrics, and monitoring procedures.
- Art.12 Logging: Automatic logging of system operation for audit purposes. Logs must be kept for at least 6 months (longer for high-risk in law enforcement or justice).
- Art.13 Transparency for Deployers: Instructions for use, including limitations, conditions for safe operation, performance specifications, human oversight requirements, and maintenance procedures.
For deployers of high-risk AI systems (Art.26):
- Verify the AI system's conformity before deployment
- Implement the provider's instructions for use
- Assign human oversight responsibilities (Art.14 — designate specific individuals responsible for oversight during operation)
- Keep operational logs as instructed by the provider
- Register in the EU database (via your national market surveillance authority) before deployment
- Report serious incidents to the national market surveillance authority under Art.73
Week 5–6 deliverables:
- If provider: complete Art.9 risk management documentation, Art.11 technical documentation package
- If deployer: verify conformity documentation from your AI system provider
- Implement Art.12 logging infrastructure
- Draft Art.13 instructions-for-use document for downstream deployers (if you are a provider)
- Designate human oversight roles per Art.14
- Identify your national market surveillance authority for EU database registration
Weeks 7–8: Documentation Bundle and Internal Audit (By July 25)
Goal: Assemble the full compliance documentation package and run an internal readiness audit.
One week before the deadline, your compliance package should be complete and internally audited. The documentation bundle for high-risk AI deployers includes:
| Document | Required By | Format |
|---|---|---|
| AI System Inventory | Internal governance | Spreadsheet/database |
| Classification Rationale | Market surveillance | Written memo with legal analysis |
| Conformity Assessment | Art.43 | EU declaration or third-party report |
| Technical Documentation | Art.11 | Annex IV format |
| Risk Management Record | Art.9 | Dated audit trail |
| Log Retention Policy | Art.12 | Policy document |
| Art.50 Disclosure Implementations | Art.50 | Screenshots + code documentation |
| Human Oversight Designation | Art.14 | Org chart + role descriptions |
| Incident Reporting Procedure | Art.73 | SOP document |
Week 7–8 deliverables:
- Assemble complete documentation bundle
- Internal legal or compliance review of documentation
- Gap analysis: identify any missing documents or incomplete implementations
- Test Art.50 transparency implementations in staging
- Verify logging is capturing required data under Art.12
Week 9: Final Checks and August 2 Go-Live (By August 2)
Goal: Final verification that all systems are compliant before the deadline.
Pre-deadline checklist:
- All Art.50 disclosures are live in production
- High-risk AI systems have complete technical documentation
- Human oversight designations are in place and documented
- Logging infrastructure is operational and retention policy is enforced
- National authority registration submitted (for Annex III systems)
- Incident reporting SOP (Art.73 timelines: 2/10/15-day thresholds) is distributed to the team
- Legal counsel has reviewed the compliance package
- Executive sign-off obtained
What If You Are Behind Schedule?
If you are starting now with 9 weeks remaining, prioritize in this order:
- Immediately: Art.50 chatbot disclosures (1–2 days of engineering, maximum business risk if missed)
- Week 1: Classification audit — you cannot plan the right work without knowing what you have
- Week 2–3: If any Annex III systems identified, begin Art.9 and Art.11 documentation
- Week 4+: Logging, oversight, documentation bundle
The biggest compliance risk for most SaaS teams is not knowing they have a high-risk AI system. Employment analytics, credit decisions, and identity verification are the most commonly overlooked categories.
What About Systems That Are Not High-Risk?
Even if none of your AI systems fall under Annex III, you still have obligations from August 2:
- Art.50(1): Chatbot disclosure (applies to all conversational AI)
- Art.50(3): AI-generated content labeling (applies to any synthetic content you publish)
- Art.50(4): Watermarking obligations from GPAI providers
These three transparency requirements are simple to implement but carry real enforcement risk if missed. Regulators are expected to start with Art.50 enforcement as the most visible, consumer-facing obligation.
What's Next in This Sprint Series?
This 5-post series will cover:
- This post: 9-week sprint overview and timeline ✅
- Post #2: Art.9 Risk Management System — implementing the documentation in practice
- Post #3: Art.50 Transparency — complete implementation guide for SaaS developers
- Post #4: Art.73 Incident Reporting integration with your existing monitoring stack
- Post #5: August 2026 Compliance Finale — the complete developer checklist
sota.io and EU AI Act Compliance
Hosting your AI-enabled SaaS on EU-sovereign infrastructure reduces your Art.26 documentation burden. When your AI systems run entirely on EU servers (no US parent company, no CLOUD Act exposure), your data processing documentation for Art.9 and Art.11 is significantly simpler — you can make unambiguous statements about data residency, access controls, and processing jurisdiction.
sota.io is Hetzner Germany, no US parent, no CLOUD Act. €9/month. Git deploy in minutes.
63 days. Start with the classification audit. Everything else follows from knowing what you have.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.