2026-06-02·5 min read·sota.io Team

EU AI Act Enforcement Timeline After August 2026: What Changes for SaaS & AI Developers

Post #1 in the EU AI Act Enforcement Timeline 2026-2028 Series


August 2, 2026 has dominated EU AI Act planning for two years. Every compliance guide, webinar, and legal memo has pointed to that date as the finish line. But it isn't. It's the starting gun for a second phase of obligations that most developers haven't planned for.

This guide maps the full enforcement timeline: what becomes mandatory on August 2, what shifts in September through December, what 2027 brings, and how the EU AI Act's market surveillance machinery will mature through 2028.

The Four-Phase Structure of EU AI Act Enforcement

The EU AI Act (Regulation 2024/1689) uses a phased applicability schedule tied to its entry into force date of August 1, 2024:

| Phase | Date | What Activates |
|---|---|---|
| Phase 1 | February 2, 2025 | Prohibited AI practices (Art.5) |
| Phase 2 | August 2, 2025 | General-purpose AI model obligations (Chapter V) |
| Phase 3 | August 2, 2026 | Core high-risk AI obligations, transparency rules, most of the Regulation |
| Phase 4 | August 2, 2027 | Annex I embedded software (safety-critical products) |

Phase 1 is behind us. Phase 2 has been active for nearly a year. The focus now is the boundary between Phase 3 and what follows.

What August 2, 2026 Actually Activates

Phase 3 is the largest enforcement moment: the bulk of Title III (high-risk AI systems), Title IV (transparency), and the penalty regime become fully applicable.

High-risk AI providers (systems listed in Annex III or embedded in Annex I products as of Aug 2027) must have:

Deployers of high-risk AI gain obligations under Art.26, including fundamental rights impact assessments under Art.27 for certain public-sector deployers.

Transparency obligations (Art.50) become enforceable across chatbots, deepfakes, AI-generated content labelling, and GPAI watermarking requirements.

The Penalty Regime Becomes Live

Art.99 fines become applicable at the same moment. The penalty tiers for violations occurring from August 2, 2026:

| Violation Type | Maximum Fine |
|---|---|
| Prohibited AI practices (Art.5) | €35M or 7% of global annual turnover |
| Other obligations for operators | €15M or 3% of global annual turnover |
| Incorrect/misleading information to authorities | €7.5M or 1.5% of global annual turnover |
| SMEs and startups | Lower of absolute amount or turnover percentage |

For GPAI model providers, Art.101 creates a separate enforcement channel via the AI Office, with fines up to €15M or 3% of global turnover.

These are maximum amounts. National market surveillance authorities (NCAs) have discretion in specific cases — but the framework is live from August 2, 2026.

What Happens in August–December 2026: The Transition Gaps

The immediate post-August period contains several underappreciated obligations that activate on delayed schedules.

Serious Incident Reporting Systems (Art.73)

Providers and deployers of high-risk AI must report serious incidents to market surveillance authorities. The reporting obligation itself activates August 2, 2026 — but most NCAs are still establishing their reporting portals and procedures in mid-2026. Expect operational guidance to emerge between August and December 2026.

SaaS teams operating high-risk AI should build internal serious incident tracking pipelines now, even if submission endpoints aren't finalized. The obligation is live even if the submission infrastructure is delayed.

National Market Surveillance Authority Operationalization

Member States must designate national competent authorities. Many already have (ANSSI in France, BSI in Germany, CNIL for data-related enforcement). However, the specific AI market surveillance workflows — inspection checklists, audit procedures, complaint intake processes — are still maturing. Expect the first formal NCA guidance documents between September and December 2026.

AI Office GPAI Enforcement Ramp-Up

The EU AI Office, established within the European Commission, has been developing the codes of practice for general-purpose AI models since mid-2025. The codes cover the Chapter V obligations active since August 2025 for GPAI providers. By end of 2026, the AI Office is expected to issue its first formal compliance assessments and potentially its first enforcement proceedings against GPAI providers operating in the EU without adequate compliance frameworks.

The 2027 Timeline: Annex I Products

August 2, 2027 brings Phase 4: AI components embedded in products already covered by EU harmonized legislation under Annex I (medical devices, machinery, lifts, toys, aviation components, vehicles).

This matters for SaaS developers who:

The 36-month window was designed to let product manufacturers integrate AI Act conformity assessment into their existing CE marking renewal cycles. If your SaaS touches any of these product categories as a component supplier, your obligations may activate 12 months later than the main Phase 3 deadline — but the technical documentation and quality management work should start now.

The 2028 Picture: Market Surveillance Matures

By 2028, the EU AI Act enforcement ecosystem will look substantively different from 2026:

Notified bodies will have accumulated 18+ months of conformity assessment experience for high-risk AI systems. Certification queues that were backlogged in 2026-2027 will have cleared, making Annex III conformity assessment more standardized and predictable.

Post-market monitoring data (Art.72) will have generated the first systemic datasets. NCAs will have 18+ months of serious incident reports under Art.73. Patterns of systemic failure will become visible, triggering targeted enforcement actions against specific AI system categories.

Market surveillance coordination will mature under Art.74. Cross-border enforcement — crucial when an AI system is developed in Germany but deployed across 27 member states — will be operationally established rather than in early design.

The AI database (EU-wide registry of high-risk AI systems) will contain thousands of registered systems, making market surveillance sampling statistically meaningful rather than opportunistic.

What SaaS Developers Should Do Today (60 Days Before August 2)

With 60 days until Phase 3 enforcement:

1. Complete your Annex III risk classification. If you haven't formally determined whether your AI features meet any of the 8 Annex III categories (biometric identification, critical infrastructure, education, employment, essential services, law enforcement, migration, justice), do it now with legal counsel sign-off.

2. Gap-assess Art.72 post-market monitoring. Do you have logging that would support a serious incident report? Can you reconstruct what your AI system did in a specific session 6 months ago? Art.72 requires systematic post-market monitoring — not just incident reaction.

3. Build your Art.73 internal incident response process. Even before NCAs publish their reporting portals, define internally: what counts as a "serious incident," who decides, who files, and in what timeframe. The obligation is live on August 2 regardless of portal availability.

4. Register high-risk AI systems in the EU database (operated by the EU AI Office) before August 2, 2026.

5. Plan for the 2026-2027 cost of compliance operations. Art.72 post-market monitoring, Art.73 incident reporting, and any NCA audit responses are ongoing operational costs, not one-time implementation projects.

How EU Hosting Simplifies the Post-August Picture

The enforcement mechanics of the EU AI Act interact significantly with where your AI infrastructure runs. Market surveillance authorities operate under EU jurisdiction — and their requests for technical documentation, logs, and incident records are governed by EU law.

AI systems running on EU-sovereign infrastructure (servers physically in the EU, governed by EU law only) face a structurally simpler audit response situation than systems using US-based cloud providers subject to US law enforcement requests. When an NCA requests your Art.12 logs, you need certainty that those logs haven't been accessed under a foreign jurisdiction's legal process — a certainty that EU-only hosting provides by default.

For post-August 2026 compliance operations, the choice of where your AI infrastructure runs is no longer primarily about GDPR data residency. It's about EU AI Act audit trail integrity.


This is the first post in our 5-part EU AI Act Enforcement Timeline 2026-2028 series. Next: which additional obligations activate between September and December 2026, and what the first real NCA enforcement actions will target.
