EU AI Act: Six Weeks to High-Risk Enforcement

by Persephone

Aug 2 enforcement, July 22 signatory cutoff, 7% global fines — what US engineering teams shipping AI features need to map before the deadline.

The EU AI Act’s high-risk obligations take full legal effect on August 2, 2026 — six weeks from today. US engineering teams shipping AI features to EU users face fines up to 7% of global annual turnover if their products aren’t mapped to Articles 9–17, 26, and 50 before then.

Two deadlines, not one

Most coverage treats the EU AI Act as a single August deadline. It’s two.

July 22, 2026 is the signatory cutoff for Article 50 obligations: chatbot disclosure, deepfake labeling, and AI-generated content watermarking. The TechTimes piece from June 22 makes the practical point — once the code of practice is locked, late signatories can’t influence its terms. After that date, every business whose AI output reaches EU users must comply with the disclosure and labeling rules that ship with the code, not the rules they would have preferred.

August 2, 2026 is when the high-risk obligations in Articles 9–17 take full legal effect. The European Commission’s regulatory framework page confirms this as the binding enforcement trigger for high-risk systems. Sentinel’s June 20 coverage notes that enterprise readiness remains low six weeks from enforcement — which is the practical reason the six-week window matters.

What “high-risk” triggers

Articles 9–17 place a stack of obligations on providers of high-risk AI systems: risk management, data governance, technical documentation, logging, transparency to deployers, human oversight, and accuracy, robustness, and cybersecurity. The obligations stack together — a single high-risk classification pulls the entire provider-side compliance regime into scope, not just one Article.

Article 26 imposes a separate set of obligations on deployers of high-risk systems — the companies using them, not the ones building them. If your team integrates a third-party high-risk model into a workflow that touches EU users, you carry Article 26 duties even when your vendor carries the Article 9–17 ones. Mapping only the provider side misses half the picture.

Article 50’s reach: bigger than most teams think

Article 50 is the transparency obligation that drops first, and the one with the broadest reach. It covers:

  • Chatbots and conversational AI — users must be told they are interacting with a machine.
  • Deepfakes — synthetic or manipulated content must be labeled.
  • AI-generated content — including text, image, audio, and code — must carry a machine-readable watermark.

That last category is the scope expansion most US dev teams haven’t planned for. The Augment Code guide from June 17 makes the case directly: AI-generated code from copilots and IDE integrations is in scope when the resulting software reaches EU users. Watermarking and disclosure obligations don’t stop at end-user apps. If your team’s pull requests are touched by an AI coding assistant and that code ships to EU production, your tooling chain is part of the compliance surface.

The extraterritorial point that breaks the “not my problem” framing

The EU AI Act applies extraterritorially. The European Commission’s framework page is explicit: the regulation applies to providers and deployers that place AI systems on the EU market or put them into service in the EU, regardless of where the provider is established. A US-headquartered team whose AI feature is reachable by an EU user is in scope. There is no de minimis threshold on user count, and there is no carve-out for non-EU-headquartered companies.

That collapses the usual “we’ll wait until EU operations scale” deferral. The compliance clock starts the moment the feature ships, not when the EU office opens.

Fine math

The maximum penalty is 7% of global annual turnover for the most serious breaches — failure to comply with the high-risk obligations in Articles 9–17, or operating a prohibited system under Article 5. Lower tiers cap at 3% for Article 50 transparency breaches and 1% for supplying incorrect information to authorities. Cross-reference the percentage thresholds against the European Commission’s published framework rather than secondary write-ups; the 7% figure is the one teams most often misquote.

What to do this week

Pick one Article and map it end-to-end before Friday. Specifically:

  1. Article 50 first. It binds on July 22, two weeks before August 2. Inventory every AI-output surface that touches EU users — chat widgets, AI-generated content endpoints, code suggestions that produce code in EU production. You need a watermark or disclosure story for each before the cutoff.
  2. Articles 9–17 second. Classify your systems against Annex III high-risk categories. Document the risk-management, data-governance, and logging stories even if the classification comes back negative — the documentation is the defense.
  3. Article 26 if you’re a deployer. If you integrate a vendor’s high-risk system, your obligations are separate from theirs. Write them down; “the vendor handles it” is not a mapping.

The teams that miss this window are the ones treating the EU AI Act as a legal review rather than an engineering mapping exercise. Six weeks is enough if you start with one Article, one system, one week.

Sources