EU AI Act Q4 2026: Which Obligations Activate After the August Sprint
Post #2 in the EU AI Act Enforcement Timeline 2026-2028 Series
Most EU AI Act planning has focused on a single date: August 2, 2026. Get your high-risk documentation done, configure your incident reporting system, complete the conformity assessment — and the sprint is over. Except the sprint is not over. It transforms.
August 2 is the moment enforcement authority switches on. The three months that follow — September, October, November, December 2026 — are when national competent authorities (NCAs) begin their first supervisory cycles, when GPAI model providers face their first formal review under the GPAI Code of Practice, and when developers who treated August as the finish line discover it was actually the starting gun for ongoing operations.
This guide details what changes in Q4 2026 and what it means operationally for your team.
Why Q4 2026 Is a Distinct Compliance Phase
The EU AI Act's phased application schedule (from Art.113) means that August 2, 2026 is not a one-time event — it's the activation of a supervisory machinery that then runs continuously.
Before August 2, 2026: regulators were building capacity, not enforcing. NCAs were being designated, the AI Office was staffing up, notified bodies were seeking accreditation, and the GPAI Code of Practice was being drafted. Enforcement authority existed on paper but the enforcement infrastructure was not yet operational.
From August 2, 2026 onwards: the machinery is live. NCAs can investigate, the AI Office can audit GPAI providers, notified bodies can conduct conformity assessments, and the serious incident reporting pipeline (Art.73) is active. Q4 2026 is the first operating quarter under full enforcement.
The Immediate Post-August Transition (August–September 2026)
Incident Reporting Goes Live
Art.73 reporting obligations for serious incidents involving high-risk AI systems become operationally active from August 2, 2026. This means:
- Day 0 capability required: You need a triage process that can detect a qualifying serious incident and determine whether it triggers the Art.73 reporting clock.
- Reporting timelines: 15 days for incidents causing serious harm to persons (Art.73(2)), 10 days for incidents resulting in death (Art.73(4)), 2 days for incidents affecting critical infrastructure or widespread harm (Art.73(3)).
- Report destination: Your relevant national market surveillance authority — typically the same NCA designated for your sector.
If your incident management system was not wired to Art.73 before August 2, it needs to be wired the day it goes live. The reporting timelines are short — there is no grace period because the system was just switched on.
Post-Market Monitoring Begins
Art.72 requires providers of high-risk AI systems to actively collect and analyze data from deployed systems after they go live. This is not a one-time obligation — it's a continuous program.
What Q3 2026 preparation should have produced:
- Defined performance indicators tracked in production
- A process for reviewing those indicators at regular intervals
- A trigger condition that feeds Art.73 incident reports
By September 2026, if your high-risk AI system has been deployed and August 2 has passed, the post-market monitoring clock is running. The first quarterly review cycle lands in November 2026.
NCAs Begin First Supervisory Cycles
NCAs across EU member states use different approaches, but the pattern is consistent: Q4 2026 is typically when the first "desk-based" review cycles begin. This means NCAs requesting documentation from providers, reviewing technical documentation against the Art.9–Art.17 requirements, and checking that conformity assessments are complete.
The practical signal for developers: if you received an NCA inquiry in Q4 2026, this is expected. Have your Art.11 technical documentation package and your Art.47 declaration of conformity accessible. Assign a contact who can respond within the time windows an NCA specifies.
The GPAI Model Landscape in Q4 2026
Providers of general-purpose AI models (GPAI models) have been under Chapter V obligations since August 2, 2025. By Q4 2026, the second annual cycle is underway.
GPAI Code of Practice: Operational
The EU AI Act required the AI Office to facilitate a Code of Practice for GPAI providers. This code was developed through 2025 with input from model providers and was expected to be finalized by August 2026. By Q4 2026, GPAI model providers operating under the Code have already agreed to its requirements and are in the first year of implementation.
What this means operationally in Q4 2026:
- Annual self-assessment against Code commitments (first cycle due by end of year)
- Transparency reports covering GPAI model capabilities and training data (summary versions, per transparency templates)
- Updated model cards reflecting any significant capability changes since the last reporting cycle
Systemic GPAI Models Under Closer Scrutiny
GPAI models classified as systemic (based on training compute thresholds defined under Art.51) face stricter requirements including adversarial testing (red-teaming) and obligations to report incidents to the AI Office under Art.73. By Q4 2026, the first cohort of systemic GPAI model providers are expected to have completed their initial adversarial testing and submitted results to the AI Office.
If you are a GPAI model provider who crosses or is near the systemic threshold, the AI Office's capacity to run independent evaluations — authorized under the AI Act — becomes relevant in Q4 2026. AI Office evaluation requests are a normal part of operating in this space from 2026 onwards.
Conformity Assessment Timelines
High-risk AI systems in many Annex III categories must complete conformity assessments before being placed on the EU market or put into service. For systems requiring third-party assessment (not self-assessment), the Q4 2026 backlog dynamic matters.
Notified Body Bottleneck
Notified bodies across the EU were being designated and accredited through 2025 and early 2026. The first cohort of fully operational AI Act notified bodies became active around mid-2026, which means:
- Assessment slots in Q4 2026 were already in high demand by Q2 2026
- Lead times of 3–6 months for notified body assessments are realistic for the first cycle
- Providers who have not yet initiated a notified body engagement by August 2026 may be looking at Q1 or Q2 2027 for completed assessments
The practical implication: if your high-risk AI system is in a category requiring notified body assessment and you have not started the process, Q4 2026 is the moment to initiate — not wait for completion, but at least have the engagement underway. Documented evidence of an in-progress assessment, along with your Art.47 declaration, demonstrates compliance intent to an NCA conducting a desk review.
Self-Assessment Path: Compliance Evidence
For high-risk AI systems in categories where self-assessment (Art.43) is permitted, the relevant evidence is:
- Complete Art.11 technical documentation package
- Art.47 EU declaration of conformity signed by an authorized signatory
- CE marking if the product is placed on the EU market (for products covered by Union harmonisation legislation)
- Art.72 post-market monitoring plan in operation
These documents should be accessible and not require reconstruction if an NCA requests them in Q4 2026.
The Transparency Obligation Maintenance Window
Art.50 transparency obligations for deployments of certain AI systems — chatbots, AI-generated content systems, emotion recognition systems, biometric categorization systems — were active from August 2, 2026. Q4 2026 is the first full quarter where these disclosures are in place.
Common compliance issues that surface in Q4 2026 reviews:
Disclosure drift: The required disclosure was implemented before August 2 but has been removed, obscured by UI changes, or degraded in clarity by unrelated product updates. Implement a quarterly check that confirms the disclosure is still visible, clear, and matches what the system actually does.
Scope expansion: The product team added a feature that brings a system into Art.50 scope (for example, adding an AI chat assistant that was not there before). Without a process that flags AI feature additions for compliance review, these additions can go without the required disclosure.
Watermarking gaps: For AI-generated audio and visual content, Art.50 requires machine-readable marking. Verify the marking is present in current production builds — implementation gaps are common after product updates.
Preparing for NCA Engagement in Q4 2026
Even if you receive no NCA contact in Q4 2026, the following preparation makes any engagement manageable:
Documentation Response Pack
Prepare a folder (or equivalent in your compliance tooling) containing:
- Technical documentation per Art.11
- Risk management records per Art.9
- Training data governance documentation per Art.10
- Human oversight configuration per Art.14
- Incident log (even if empty — showing the system is operational)
- Conformity assessment records or notified body engagement documentation
- EU declaration of conformity per Art.47
- Post-market monitoring plan per Art.72
An NCA request for documentation typically gives a response window of 2–4 weeks. Having the pack pre-assembled is the difference between a manageable administrative exercise and an emergency.
SME Provisions Remain Available
Art.62 provides specific support measures for SMEs and startups: priority access to regulatory sandboxes (Art.57), reduced administrative burdens, and guidance from NCAs. If your organization qualifies, the support infrastructure becomes more accessible in Q4 2026 as NCA capacity stabilizes.
The Q4 2026 Compliance Checklist
| Area | What to verify by December 31, 2026 |
|---|---|
| Incident reporting | Art.73 process is live; at least one test drill completed |
| Post-market monitoring | First quarterly data review complete; no unresolved performance flags |
| Transparency disclosures | Art.50 disclosures confirmed visible in current production builds |
| GPAI (if applicable) | Code of Practice self-assessment underway; transparency report drafted |
| Technical documentation | Art.11 package is current, signed, and accessible |
| Conformity assessment | Either completed (notified body) or in-progress engagement documented |
| NCA contact readiness | Documentation response pack assembled; contact person designated |
| Human oversight logs | Art.14 oversight records capturing human review decisions (for audit trail) |
| Watermarking | Machine-readable marking verified in production for AI-generated content |
What Comes Next in This Series
The next post in this series covers the 2027 compliance calendar — when the final wave of EU AI Act obligations activates for AI systems embedded in safety-critical products (Annex I), and what GPAI model providers face in their second full year under the GPAI Code.
If your compliance program addresses only August 2, 2026 and stops there, you have addressed the most acute deadline. The work that follows — ongoing incident reporting, post-market monitoring, NCA engagement, conformity assessment — is operational compliance. It runs continuously. Q4 2026 is where that operational mode begins.
sota.io provides EU-compliant hosting for developers building AI-powered applications — deployed on Hetzner Germany, no US parent, no CLOUD Act exposure. Start free and deploy your AI stack with confidence.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.