Most enterprise AI teams I speak with are tracking December 2, 2027 as their EU AI Act planning horizon. That is the date the substantive high-risk AI obligations under Annex III go live — risk management systems, technical documentation, quality management, conformity assessments.
That date is correct and important. But there is an earlier deadline six weeks from now that is receiving far less attention than it deserves: August 2, 2026.
On August 2, enforcement powers for national supervisory authorities go live across EU member states. And several specific obligations become active on that same date, regardless of the December 2027 deferral for high-risk systems.
Here is a plain-language breakdown of what matters, and what does not, on August 2.
What Goes Live on August 2, 2026
Article 50 — Transparency Obligations
Article 50 is the provision that most enterprise AI teams are underestimating because it does not require a risk classification exercise. It applies broadly.
Chatbots: Any AI system intended to interact with humans must make clear to users that they are interacting with AI, unless this is obvious from context. This is not a "high-risk AI" requirement — it applies to all AI chatbots deployed in EU-facing contexts. If your customer service, internal helpdesk, or sales assist chatbot interacts with EU users without disclosing its AI nature, you have an Article 50 compliance gap active on August 2.
Deepfake disclosure: AI-generated or AI-manipulated images, audio, and video must be labelled as artificially generated or manipulated. This applies to synthetic content that is not obviously fictional. Marketing teams using AI-generated imagery in EU-facing content should be reviewing their disclosure practices now.
Emotion recognition systems: Systems that infer the emotional state of natural persons must inform those persons that they are subject to such a system. This catches a broader range of products than most teams expect — sentiment analysis on customer calls, engagement detection in video conferencing, and wellness monitoring tools all potentially fall here.
Articles 53 and 55 — General-Purpose AI Model Obligations
If your organization develops, fine-tunes, or distributes a GPAI model (this includes significant fine-tunes of foundation models, not just training from scratch), you have obligations active August 2:
- Technical documentation of training data and methodology
- Copyright compliance policies and summaries of training data
- For models deemed to pose systemic risk: adversarial testing, incident reporting to the EU AI Office, cybersecurity measures, and energy efficiency reporting
Most enterprise teams are not training frontier models, so the systemic risk provisions are unlikely to apply. The documentation and copyright compliance requirements apply more broadly to teams that have fine-tuned foundation models for internal or commercial use.
Article 49 — Registration of High-Risk AI Systems
High-risk AI systems, as defined under Annex III, must be registered in the EU database before being placed on the market or put into service after August 2. The database itself and the registration process are now operational.
If you have already determined that a system you operate qualifies as high-risk under Annex III, registration is an active obligation on August 2, not December 2027.
Mandatory AI Literacy Training
The AI Act requires deployers of AI systems to ensure their staff have sufficient AI literacy to understand and use the systems deployed to them. This is not a training certification requirement — it is a duty-of-care obligation. The practical implication is that deploying AI tools to employees without adequate training on their capabilities, limitations, and appropriate use creates compliance exposure.
What Is Deferred to December 2, 2027
The May 2026 Digital Omnibus agreement deferred the most demanding substantive obligations for high-risk AI systems under Annex III:
- Risk management systems
- Data governance requirements
- Technical documentation
- Record-keeping
- Transparency to users of high-risk systems
- Human oversight measures
- Accuracy, robustness, and cybersecurity requirements for high-risk systems
If your organization has been focused exclusively on these Annex III obligations, you have bought time. December 2027 is a real deadline, and the preparation work is substantial — but the deferral is genuine, not procedural.
The confusion arises because the August 2 obligations and the December 2027 obligations are frequently conflated in coverage. They are different obligations with different scopes. August 2 is narrower but active. December 2027 is broader but deferred.
The Three Questions Every CTO Should Answer Before August 2
1. Do any of our AI systems interact with EU users without disclosing their AI nature?
Customer-facing chatbots, internal tools used by EU employees, and voice AI systems all fall within Article 50's scope. This is a practical audit, not a legal theory exercise. Go find the chatbots.
2. Do we produce or distribute any AI-generated content in EU-facing contexts without disclosure labeling?
Marketing, sales materials, product imagery, and communications content all potentially carry this obligation. The requirement applies to the content, not the tool — the fact that you used a third-party image generator does not transfer the obligation to the vendor.
3. Have we assessed whether any deployed system meets the Article 3 definition of a high-risk AI system?
If the answer is yes, registration may be required before August 2, and the December 2027 preparation work needs to begin now. If the answer is genuinely uncertain, that uncertainty is itself a compliance risk that needs resolution.
What I Would Do in the Next Six Weeks
The practical playbook for most enterprise AI teams is not complicated, though it requires focused effort:
Inventory your chatbots and AI-facing user interactions. Ensure disclosure language is in place for EU-facing deployments. This is usually a configuration or copy change, not a reengineering effort.
Review AI-generated content workflows. Establish a disclosure practice for synthetic content in EU-facing communications. This is a process and policy question, not primarily a technical one.
Complete your Annex III classification exercise if you have not. The classification determines whether August 2 registration applies, and it is prerequisite work for the December 2027 timeline regardless.
Brief your board and legal counsel. August 2 is the date enforcement powers go live. The first enforcement actions will likely target visible, concrete violations — undisclosed chatbots are a natural starting point. Being ahead of that curve is the responsible position.
The December 2027 deferral is real and gives enterprise teams meaningful runway on the hardest compliance work. But the August 2 obligations are not a minor footnote. For teams operating AI in EU-facing contexts, they are active in six weeks.
The time to fix a chatbot disclosure gap is before enforcement authorities are looking for them.