Ai Frontiers 2026

EU AI Act Developer Compliance Checklist for August 2026

A code-and-config checklist that turns August's GPAI and transparency obligations into concrete engineering tasks with owners and deadlines.

June 17, 2026 · 11 min read

The deadline is real and close. As of 17 June 2026, you have less than two months before Regulation (EU) 2024/1689 reaches general application on 2 August 2026.

On that date, Article 50 transparency rules and the Annex III high-risk regime switch on, and the fine ceiling for getting it wrong is up to €15,000,000 or 3% of global annual turnover under Article 99(4).

This is an EU AI Act developer compliance checklist written for engineers, not lawyers. It maps each obligation to a concrete artifact, an owner, and a target date, so your team ships deployable proof of compliance instead of a memo.

TL;DR: Article 50 transparency and Annex III high-risk obligations apply 2 August 2026. GPAI duties (Articles 53/55) have applied since August 2025. Build the artifacts (model cards, C2PA manifests, Annex IV docs, immutable logs) once and reuse them. Fines reach €35M or 7% of turnover for the worst cases.

Key takeaways

  • 2 August 2026 activates Article 50 transparency and Annex III high-risk obligations.
  • Three fine tiers: 7% of turnover (prohibited), 3% (most obligations), 1% (bad info).
  • GPAI providers need a model card, copyright policy, and public training-data summary now.
  • Article 50 is solved in practice with C2PA Content Credentials plus a watermark like SynthID.
  • The Digital Omnibus deferral proposed on 7 May 2026 is not law yet, so plan for the original dates.

What does the EU AI Act require developers to do by August 2026?

By 2 August 2026 you must label AI-generated content in a machine-readable way (Article 50), run conformity assessment and ship instructions for use for any Annex III high-risk system (Articles 8 to 15, 26, 43), and register that system in the EU database before placing it on the market. GPAI documentation under Article 53 was already due in August 2025.

The European Commission's AI Act timeline and the European Parliament topic page both confirm the staged Article 113 schedule. Here is the version that matters for planning.

| Date | What activates | Your job |
| --- | --- | --- |
| 2 Feb 2025 | Prohibited practices (Art. 5), AI literacy (Art. 4) | Audit and remove banned use cases |
| 2 Aug 2025 | GPAI obligations (Arts. 53, 55), penalties (Art. 99) | Publish GPAI docs, copyright policy |
| 2 Aug 2026 | Art. 50 transparency, Annex III high-risk, EU database | Markings, conformity assessment, register |
| 2 Aug 2027 | Annex I product-embedded high-risk; legacy GPAI transitional deadline (Art. 111(3)) | Bring older models and embedded AI into scope |

One caveat to watch. The Digital Omnibus provisional agreement of 7 May 2026 proposed pushing Annex III high-risk to 2 December 2027 and Annex I to 2 August 2028. As of 17 June 2026 it is not adopted. Build against the enacted dates and treat any deferral as a bonus.

What the fines actually are

Article 99 has three tiers, and the regulation applies the higher of the fixed sum or the turnover percentage. The figures below come from the European Parliament and the Irish DETE summary of the Act.

[Chart: EU AI Act maximum fines (% of global annual turnover). Prohibited practices (Art. 99(3)): 7%. Other obligations (Art. 99(4)): 3%. Incorrect information (Art. 99(5)): 1%.]

In euro terms: up to €35M for prohibited practices, €15M for most operator obligations including GPAI and transparency, and €7.5M for supplying incorrect or misleading information to authorities. SMEs and start-ups get scaled-down figures under Article 99(6), but the percentage ceiling still applies.

For most teams the binding risk is not the headline fine. It is a regulatory enforcement action that suspends EU market access. Treat compliance as a market-access cost.

GPAI checklist: what to document for a general-purpose model

GPAI obligations under Articles 53 and 55 have applied since 2 August 2025 for new models. Models placed on the market before that date have until 2 August 2027 under Article 111(3).

Every GPAI provider owes four things under Article 53(1), per the AI Office Code of Practice page: technical documentation (Annex XI), downstream integration docs, a copyright policy that respects Article 4(3) opt-outs from the 2019 DSM Directive, and a publicly available training-data summary on the AI Office template.

If your training compute exceeds 10²⁵ FLOPs, Article 51(2) presumes systemic risk and Article 55 adds model evaluations, systemic-risk assessment, serious-incident reporting to the AI Office, and cybersecurity for the weights.

| Article | Obligation | Ship this |
| --- | --- | --- |
| 53(1)(a) | Technical documentation | Model card (Annex XI fields), reproducible eval harness, training recipe log |
| 53(1)(b) | Downstream docs | System integration guide, capability/limitation matrix |
| 53(1)(c) | Copyright policy | Opt-out detection pipeline (robots.txt, TDM-Rep), rights-holder complaint workflow |
| 53(1)(d) | Training-data summary | AI Office template with dataset categories, sources, curation |
| 55(1)(a-d) | Systemic-risk add-ons | Red-team plan, risk register, incident playbook, threat model + SBOM |

The GPAI Code of Practice, published 10 July 2025, is your shortcut. Signing it creates a presumption of conformity with Articles 53 and 55. Amazon, Anthropic, Google, Microsoft, OpenAI, Mistral, and Cohere have signed.

Meta declined the copyright chapter, and xAI signed only safety and security. The Hugging Face annotated model card template covers most Annex XI sections out of the box.

Article 50 transparency: the artifacts that actually satisfy it

Article 50 applies from 2 August 2026, and non-compliance sits in the 3% Article 99(4) tier. Providers must mark synthetic audio, image, video, and text in a machine-readable, robust, interoperable format. Deployers must disclose deepfakes (50(3)) and AI-generated public-interest text (50(4)), and inform people exposed to emotion-recognition or biometric categorization (50(2)).

The Commission's studies on marking and detecting AI content and the Article 50 Working Group point to a small set of standards that are production-ready today.

| Standard | What it does | Use for |
| --- | --- | --- |
| C2PA Content Credentials v2.x | Signed provenance manifest (JUMBF container, X.509 chain) | Verifiable provenance on images, video, audio |
| Google SynthID | Imperceptible watermark; SynthID Text open-sourced in Transformers 4.46+ | Passive detection alongside provenance |
| Meta AudioSeal | Audio watermarking | AI speech and music |
| CAI c2patool SDK | Reference C2PA implementation | Embedding and verifying credentials in your pipeline |

A practical Article 50 implementation: pick one machine-readable scheme per output type, sign a C2PA manifest with an internal X.509 chain, ship the c2patool verifier, add a visible disclosure layer for public-interest text and deepfakes, and log every generation event with a content hash plus manifest URL. The NYU deep dive on Article 50 is a solid alignment reference for the edge cases.

High-risk AI system requirements: which systems and what testing

A system is high-risk under Article 6 by one of two routes. Route one (Annex I) covers AI inside regulated products like medical devices and machinery, and applies 2 August 2027.

Route two (Annex III) covers eight enumerated use cases and applies 2 August 2026: biometrics, critical infrastructure, education, employment, essential services like credit scoring, law enforcement, migration, and justice or democratic processes.

Article 6(3) gives a carve-out. A system doing a narrow procedural or preparatory task, or merely improving a finished human activity, is not high-risk, but you must document that assessment.

For Annex III systems you owe Articles 9 to 15: a lifecycle risk-management system, data governance with bias checks, Annex IV technical documentation, automatic logging, instructions for use, human oversight, and accuracy plus robustness plus cybersecurity. Article 26 adds deployer duties, including notifying workers before a high-risk system is used on them.

| Article | Obligation | Engineering artifact |
| --- | --- | --- |
| 9 | Risk management | Lifecycle risk register, FMEA, review cadence |
| 10 | Data governance | Datasheets, class-distribution report, bias audit, lineage graph |
| 11 | Technical docs | Annex IV nine-section tree, version-controlled |
| 12 | Logging | OpenTelemetry events to append-only WORM storage with retention policy |
| 14 | Human oversight | Confirmation gates, kill-switch, RBAC |
| 15 | Robustness | Eval harness, adversarial suite, SBOM, pen-test report |
| 43 | Conformity assessment | Annex VI self-assessment or Annex VII notified body, CE marking, EU database record |

Conformity assessment runs through internal control (Annex VI) for most systems, or a notified body (Annex VII) for biometric identification and certain critical-infrastructure cases. Either way you draft an EU Declaration of Conformity, affix CE marking, and register in the EU database under Articles 49 and 71 before going to market.

The step-by-step build plan with owners

Here is the sprint plan. Each row is an artifact you can point an auditor at.

| Step | Action | Owner | Target |
| --- | --- | --- | --- |
| L-1 | Define log schema (inputs, outputs, version hashes, overrides) | Platform Eng | 30 Jun 2026 |
| L-2 | Wire OTel logging to immutable WORM storage | SRE | 31 Jul 2026 |
| D-1 | Catalogue datasets (source, licence, PII) + datasheets | Data Eng | 31 Jul 2026 |
| W-1 | Pick marking scheme (C2PA + SynthID/visible) | ML Eng | 30 Jun 2026 |
| W-2 | Embed C2PA signing, deploy c2patool verifier | ML Eng | 31 Jul 2026 |
| C-1 | Choose conformity route (Annex VI vs VII) | Compliance | 30 Jun 2026 |
| C-2 | Compile Annex IV documentation tree | ML + Compliance | 31 Jul 2026 |
| C-5 | Register in EU database | Compliance | Before market placement |

Sequence it: logging and dataset catalogues first, because they take longest and feed everything else. Provenance marking next, since C2PA plus a watermark is roughly an engineer-quarter of work. Conformity paperwork last, once the technical artifacts exist to cite.
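
The generation-event log from the Article 50 paragraph (content hash plus manifest URL) combined with step L-1's schema (inputs, outputs, version hashes, overrides), as an added example that is not part of the original article. The field names, the choice to store SHA-256 digests rather than raw prompts and outputs, the hash chaining between records, and the example.com URLs are assumptions made here.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash for the first record in a chain

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_digest(record: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) over everything except the digest itself.
    body = {k: v for k, v in record.items() if k != "record_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

def append_event(log, ts, model_version_hash, prompt, output, manifest_url, override=None):
    """Append one generation event; stores digests, not raw prompt/output (assumption)."""
    record = {
        "ts": ts,
        "model_version_hash": model_version_hash,
        "input_sha256": sha256_hex(prompt),
        "content_sha256": sha256_hex(output),  # hash of the bytes actually delivered
        "manifest_url": manifest_url,          # where the C2PA manifest can be fetched
        "override": override,                  # human-oversight action, if any
        "prev_hash": log[-1]["record_hash"] if log else GENESIS,
    }
    record["record_hash"] = record_digest(record)
    log.append(record)
    return record

def verify_chain(log) -> int:
    """Return the index of the first record that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev_hash"] != prev or rec["record_hash"] != record_digest(rec):
            return i
        prev = rec["record_hash"]
    return -1

def build_sample_log():
    # Constructed sample events; the URLs and the version hash are placeholders.
    log = []
    version = sha256_hex(b"constructed-model-weights-v1")
    samples = [(b"p1", b"image-bytes-1"), (b"p2", b"image-bytes-2"), (b"p3", b"text-bytes-3")]
    for n, (prompt, output) in enumerate(samples):
        append_event(log, f"2026-06-30T12:00:0{n}Z", version, prompt, output,
                     f"https://manifests.example.com/{n}.c2pa",
                     override="reviewer_rejected" if n == 2 else None)
    return log

if __name__ == "__main__":
    print(verify_chain(build_sample_log()))
```

The chain makes in-place edits and mid-log deletions detectable on read. It does not stop someone who can rewrite or truncate the whole file from rebuilding it, which is what the WORM storage in step L-2 is for.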

What this means for non-EU teams

Article 2 reaches you if you place a GPAI model or AI system on the EU market, or if your system's output is used in the EU, regardless of where you are based. High-risk providers must appoint an Article 47 Authorized Representative inside the EU as a service-of-process anchor.

Whether that reach gets enforced is still open. The Brussels Effect argument says the EU market is too large to skip, and the fact that OpenAI, Anthropic, and Google signed the Code of Practice supports it.

A competing view points to a real enforcement gap, since the AI Office and national authorities are new and serving process on third-country providers is hard. No non-EU provider has been fined as of June 2026.

The pragmatic read: the text is enforceable, the enforcement record is unproven. For a low-risk public API, year-one compliance is roughly €10k to €50k, cheap insurance. For Annex III high-risk in medical, HR, or law enforcement, you comply fully or geo-fence the EU out.

Build the artifacts once and reuse them against the UK, US, and China regimes that are converging on the same shape.

What to do this week

Assign owners to the L-1, W-1, and C-1 steps above before 30 June, because every later artifact depends on them. Decide today whether you are signing the GPAI Code of Practice, since the presumption of conformity it buys is the single biggest risk reduction available.

And keep one eye on the Digital Omnibus vote, while building as if the 2 August 2026 date holds. It currently does.

Frequently asked questions

When do the main EU AI Act obligations apply to developers?

Article 50 transparency duties and Annex III high-risk obligations apply from 2 August 2026. GPAI obligations under Articles 53 and 55 already applied from 2 August 2025. Annex I product-embedded high-risk AI and the transitional deadline for older GPAI models apply from 2 August 2027.

What are the EU AI Act fines for non-compliance?

Article 99 sets three tiers: up to €35M or 7% of global annual turnover for prohibited practices, up to €15M or 3% for most other operator obligations including GPAI and transparency, and up to €7.5M or 1% for supplying incorrect information. The higher of the fixed sum or percentage applies.

Does the EU AI Act apply to companies outside the EU?

Yes. Article 2 covers providers placing GPAI models or AI systems on the EU market regardless of where they are established, and any provider whose system output is used in the EU. High-risk providers outside the EU must appoint an Article 47 Authorized Representative. Practical enforcement against non-EU firms is still unproven as of June 2026.

What documents satisfy GPAI technical documentation under Article 53?

A model card covering the Annex XI fields, a training and testing recipe log, a reproducible evaluation harness, a downstream integration guide, a copyright policy with opt-out detection, and a publicly available training-data summary using the AI Office template.

Were the August 2026 deadlines postponed by the Digital Omnibus?

Not as of 17 June 2026. The Commission and Council reached a provisional Digital Omnibus agreement on 7 May 2026 to defer some high-risk deadlines to December 2027 and August 2028, but it is not yet law. Plan against the enacted Regulation dates.