Crafting Excellence in Software
Let’s build something extraordinary together.
Rely on Lasting Dynamics for unparalleled software quality.
Michele Cimmino
Feb 27, 2026 • 10 min read
On August 2, 2026, the European Union's Artificial Intelligence Act becomes fully applicable. Every company that develops, deploys, or uses AI systems within the European market — regardless of where the company is headquartered — must comply with its requirements or face fines that reach up to €35 million or 7% of global annual turnover, whichever is higher.
That deadline is now less than six months away. Most companies are not ready.
The EU AI Act is the world's first comprehensive legal framework for artificial intelligence. It is not a suggestion, not a set of guidelines, and not a voluntary code of conduct. It is binding regulation with enforcement mechanisms, penalties, and regulatory bodies that will actively supervise compliance. As Crowell & Moring stated in their 2026 analysis, this year "marks a major regulatory turning point" for any company using AI in Europe.
The regulation entered into force on August 1, 2024. Prohibited AI practices — social scoring systems, manipulative subliminal techniques, and real-time biometric identification in public spaces for law enforcement (with narrow exceptions) — were already banned as of February 2, 2025. Transparency obligations for general-purpose AI models took effect in August 2025. But the most consequential requirements — those governing high-risk AI systems, which cover the majority of enterprise AI applications — become enforceable on August 2, 2026.
If your company uses AI for hiring decisions, credit scoring, medical diagnostics, critical infrastructure management, educational assessment, law enforcement, or dozens of other high-impact applications, this deadline applies to you directly. Here is exactly what you need to understand and what you need to do.
The EU AI Act takes a risk-based approach to regulation. Rather than treating all AI systems the same, it categorizes them into four tiers based on the potential harm they can cause. This approach is pragmatic and its architects designed it specifically to avoid stifling innovation while protecting fundamental rights.
The first tier is unacceptable risk. These AI systems are outright prohibited. The list includes AI that uses subliminal or manipulative techniques to distort behavior, systems that exploit vulnerabilities of specific groups (children, disabled persons, elderly), social scoring systems operated by governments, real-time remote biometric identification in public spaces for law enforcement (with very limited exceptions for serious crime and terrorism), and systems that categorize people based on biometric data to infer sensitive characteristics like race, political opinions, or sexual orientation. If your company operates any of these systems in the EU, you must shut them down. There is no compliance path — they are banned.
The second tier is high-risk. This is where the regulation has its greatest practical impact on enterprises, because this category covers a vast range of business applications. AI systems are classified as high-risk when they are used in areas including biometric identification and categorization of persons, management and operation of critical infrastructure (energy, water, transport, digital), education and vocational training (admissions, assessment, proctoring), employment and worker management (recruitment, performance evaluation, task allocation), access to essential services (credit scoring, insurance pricing, emergency dispatch), law enforcement (risk assessment, polygraphs, evidence evaluation), migration and border control (visa processing, risk assessment), and administration of justice and democratic processes.
The practical implication is significant. If your company uses AI to screen job applicants, the system is high-risk. If you use AI to decide loan approvals, it is high-risk. If your AI manages energy distribution, it is high-risk. If your AI grades students or decides who gets admitted to an educational program, it is high-risk. Every one of these systems must meet the full set of technical and organizational requirements by August 2, 2026.
The third tier is limited risk. These systems face transparency obligations — meaning users must be informed when they are interacting with an AI system. This covers chatbots, emotion recognition systems, AI-generated content (deepfakes), and biometric categorization systems that do not fall into the high-risk category. The requirements here are lighter but still legally binding.
Let’s build something extraordinary together.
Rely on Lasting Dynamics for unparalleled software quality.
The fourth tier is minimal risk. The vast majority of AI applications — spam filters, AI-powered video games, inventory management systems — fall here. The Act does not impose specific obligations on minimal-risk systems, though it encourages voluntary codes of conduct.
For companies deploying high-risk AI systems, the EU AI Act imposes a comprehensive set of requirements that touch every aspect of the system's lifecycle. Understanding these requirements now — not in July — is essential for meeting the August deadline.
The first requirement is a risk management system. Companies must establish, implement, document, and maintain a continuous risk management process throughout the entire lifecycle of the high-risk AI system. This is not a one-time assessment. It is an ongoing obligation that requires identifying foreseeable risks, estimating and evaluating risks that may emerge when the system is used in accordance with its intended purpose and under reasonably foreseeable misuse conditions, and implementing mitigation measures. The risk management system must be reviewed and updated regularly.
The second requirement concerns data governance. High-risk AI systems must be developed using training, validation, and testing datasets that meet specific quality criteria. The data must be relevant, representative, free of errors, and complete. Companies must consider the specific geographical, contextual, behavioral, or functional setting within which the system is intended to operate. For companies that have built AI systems on convenience data — whatever happened to be available — this requirement may necessitate significant investment in data collection, cleaning, and validation.
The third requirement is technical documentation. Before a high-risk AI system is placed on the market or put into service, the provider must prepare comprehensive technical documentation. This documentation must demonstrate that the system complies with the requirements of the Act and provide authorities with all necessary information to assess compliance. The documentation must include a general description of the system, detailed information about the development process, monitoring and testing procedures, and a description of the risk management system.
The fourth requirement is record-keeping and logging. High-risk AI systems must be designed and developed with capabilities that enable automatic recording of events (logs) throughout the system's operation. These logs must be adequate to enable the tracing of the system's functioning, the identification of risk situations, and post-market monitoring. The logging must be active for the entire period of the system's use and must be accessible to authorized parties.
The fifth requirement is transparency and information provision. Providers of high-risk AI systems must ensure that the system is designed and developed in such a way that its operation is sufficiently transparent to enable deployers to interpret the system's output and use it appropriately. Instructions for use must be provided, including the identity and contact details of the provider, the system's characteristics, performance, and limitations, the changes that have been pre-determined and assessed in the conformity assessment, the human oversight measures, and the expected lifetime and maintenance needs.
The sixth requirement is human oversight. High-risk AI systems must be designed and developed in such a way that they can be effectively overseen by natural persons during the period in which they are in use. The human oversight measures must enable the individuals who oversee the system to fully understand the system's capabilities and limitations, to properly monitor its operation, to be able to decide not to use the system or to disregard, override, or reverse the output, and to intervene or interrupt the system through a "stop" button or similar procedure.
The seventh requirement is accuracy, robustness, and cybersecurity. High-risk AI systems must achieve appropriate levels of accuracy, robustness, and cybersecurity, and perform consistently throughout their lifecycle. This includes resilience against errors, faults, and inconsistencies that may occur within the system or its operating environment, as well as resistance against attempts by unauthorized third parties to alter the system's behavior or exploit vulnerabilities.
From idea to launch, we craft scalable software tailored to your business needs.
Partner with us to accelerate your growth.
Preparing for August 2, 2026, requires a structured approach. Orrick published a practical six-step framework that provides a solid foundation for any company's compliance efforts. Based on that framework and additional guidance from regulatory analysis, here is a comprehensive checklist.
| Step | Action | Timeline | Key Deliverable |
|---|---|---|---|
| 1 | AI Systems Inventory — Catalog every AI system your company develops, deploys, or uses. For each system, document its purpose, data inputs, outputs, decision-making scope, and affected individuals. | Immediately | Complete AI system register |
| 2 | Risk Classification — Classify each system according to the Act's four risk categories. Pay particular attention to systems that might fall into high-risk through sector-specific Annex III classifications. | Within 4 weeks | Risk classification matrix |
| 3 | Gap Analysis — For each high-risk system, assess your current practices against each of the seven requirements (risk management, data governance, documentation, logging, transparency, human oversight, accuracy/robustness). Identify gaps. | Within 8 weeks | Gap assessment report per system |
| 4 | Remediation Plan — For each identified gap, define specific actions, assign responsible teams, set deadlines, and allocate budget. Prioritize gaps that require architectural changes over those that require only documentation. | Within 10 weeks | Remediation project plan |
| 5 | Implementation — Execute the remediation plan. This may involve re-engineering logging capabilities, implementing human oversight interfaces, retraining models with compliant data practices, and creating technical documentation. | Within 20 weeks | Compliant systems |
| 6 | Conformity Assessment & Registration — Conduct the conformity assessment (self-assessment for most categories, third-party assessment for biometric systems). Register high-risk systems in the EU database before deployment. | Before August 2, 2026 | Conformity declaration + EU database registration |
One critical detail highlighted in the compliance guidance is the grandfathering provision. AI systems that were already placed on the market or put into service before August 2, 2026, may benefit from transitional arrangements — but only if they are not "significantly modified" after that date. New deployments must comply immediately. This means that companies rushing to deploy AI systems before the deadline to avoid compliance obligations will find that strategy backfires the moment they need to update or modify those systems.
The impact of the EU AI Act varies significantly by industry, and understanding these sector-specific implications is essential for prioritizing compliance efforts.
Financial services faces some of the most immediate pressure. AI used for credit scoring, insurance underwriting, fraud detection, and algorithmic trading falls squarely into the high-risk category. Banks and insurance companies that have deployed machine learning models for lending decisions must now ensure those models meet all seven requirements — particularly transparency (explaining why a loan was denied), data governance (ensuring training data is not discriminatory), and human oversight (enabling loan officers to override AI recommendations with proper justification). The European Banking Authority and EIOPA have been working on sector-specific guidance that builds on the AI Act's requirements, adding another layer of regulatory complexity.
Healthcare is another sector facing profound changes. AI systems used for medical diagnosis, treatment recommendations, surgical assistance, and patient triage are classified as high-risk. Medical device regulations already impose stringent requirements, but the AI Act adds specific obligations around algorithmic transparency and continuous post-market monitoring that go beyond existing medical device frameworks. Hospitals and healthtech companies that have deployed AI diagnostic tools must demonstrate that those tools meet accuracy standards, that clinicians can understand and override AI recommendations, and that the training data reflects the diversity of patient populations the system will serve.
Human resources and recruitment has become one of the most scrutinized areas. AI-powered hiring tools, performance management systems, employee monitoring solutions, and automated scheduling systems all fall into the high-risk category. Crowell & Moring analysis specifically highlights that companies using AI in HR face "immediate compliance obligations" once the Act becomes fully applicable. This is particularly relevant for multinational companies that may use AI recruiting tools developed outside Europe — those tools must still comply when used to evaluate candidates for positions within the EU.
Manufacturing and critical infrastructure operators face requirements related to safety-critical AI systems. AI that manages energy grids, water treatment facilities, transportation networks, or industrial control systems must meet the highest standards of robustness and cybersecurity. The consequences of failure in these domains are measured not just in euros but in human safety, and the Act's requirements reflect that gravity.
For companies in any sector that use AI agents — the autonomous software systems that are rapidly transforming enterprise operations — the compliance implications are significant. AI agents that make decisions affecting individuals (approving applications, allocating resources, escalating or closing service requests) may well qualify as high-risk systems. Their autonomous nature makes human oversight requirements particularly challenging to implement retroactively, which is why building compliance into the agent architecture from day one is far more efficient than trying to retrofit it later.
Article 57 of the EU AI Act requires every EU member state to establish at least one AI regulatory sandbox by August 2, 2026. These sandboxes provide a controlled environment where companies can develop, test, and validate their AI systems under regulatory supervision before bringing them to market.
We design and build high-quality digital products that stand out.
Reliability, performance, and innovation at every step.
For companies that are still in the early stages of AI development, regulatory sandboxes represent a significant opportunity. Participants can engage directly with regulators, receive guidance on compliance requirements, test their systems in a supervised environment, and gain a de facto regulatory pre-approval that reduces commercial risk. Member states are required to give priority access to small and medium-sized enterprises, including startups.
The sandbox approach also benefits companies that are developing innovative AI applications where the risk classification is not immediately clear. By working within the sandbox, companies can establish a regulatory dialogue that helps both sides — the company understands what compliance requires, and the regulator understands the technology well enough to apply the Act's provisions appropriately.
Companies should investigate the sandbox programs being established in their home member states. Italy, France, Germany, Spain, and the Netherlands are among the countries that have announced or are developing their sandbox frameworks. Participation is voluntary but strategically valuable.
The most important insight about EU AI Act compliance is that it should not be treated as a legal exercise to be handled by the compliance department after the technology team has finished building. Compliance must be architectural. It must be designed into the system from the beginning — into the data pipelines, the model training processes, the inference engines, the logging systems, the user interfaces, and the deployment infrastructure.
This approach, which the regulation community calls "compliance by design," is both more effective and less expensive than retrofitting compliance onto existing systems. A system designed with robust logging from day one costs a fraction of what it costs to re-engineer logging into a system that was built without it. A model trained from the start with documented, governed data requires no costly data remediation project. A user interface designed with human oversight controls from the first sprint saves months of redesign.
For European companies, the AI Act is not merely a regulatory burden — it is a competitive advantage waiting to be claimed. When August 2026 arrives, European companies that have embraced compliance by design will be ready to deploy AI systems anywhere in the EU without friction. Their non-European competitors will face one of three choices: invest heavily in compliance engineering for the European market, accept the risk of fines and enforcement, or withdraw from the EU market entirely. Each of those options has costs. European companies that build compliant AI from the start bear none of them.
This is why choosing a European AI development partner is not just a matter of convenience. It is a strategic decision. A European software development company lives within the regulatory framework, understands GDPR as a foundation rather than an add-on, thinks about data sovereignty as a default rather than an exception, and approaches the AI Act not as a foreign regulation to be navigated but as a familiar framework within which to build excellent technology.
Lasting Dynamics builds AI systems with EU AI Act compliance integrated from the architecture phase. Our development process incorporates risk assessment, technical documentation, logging infrastructure, human oversight interfaces, and data governance practices from day one — not as an afterthought, not as a checkbox exercise, but as fundamental engineering practice. For companies that need to deploy AI in Europe and want to do it right, having a partner who speaks the regulatory language natively is not optional. It is essential.
The August 2 deadline will arrive faster than most companies expect. The companies that start their compliance journey now will be ready. The companies that wait will face a choice between rushed, expensive remediation and significant regulatory exposure. The regulation is final. The deadline is fixed. The only variable is how prepared you choose to be.
Transform bold ideas into powerful applications.
Let’s create software that makes an impact together.
Michele Cimmino
I believe in hard work and daily commitment as the only way to get results. I feel an inexplicable attraction for the quality and when it comes to the software this is the motivation that makes me and my team have a strong grip on Agile practices and continuous process evaluations. I have a strong competitive attitude to whatever I approach - in the way that I don't stop working, until I reach the TOP of it, and once I'm there, I start to work to keep the position.
