The August 2nd Countdown: A 10-Step Checklist for EU AI Act Compliance
TL;DRGPAI obligations and Article 50 transparency duties go live August 2, 2026 β β¬35M or 7% of global turnover for prohibited practices. Most enterprises have a 70-day window left.
On August 2, 2026, the second major wave of EU AI Act obligations becomes enforceable. General-Purpose AI (GPAI) model providers, deployers of high-risk systems, and any organisation using AI in HR, finance, education, or critical infrastructure must demonstrate compliance β or risk fines of up to β¬35 million or 7% of global annual turnover for prohibited practices (Art. 5), and β¬15M / 3% for high-risk system failures (Art. 99).
Most compliance teams underestimate the scope: the Act applies extraterritorially to any provider placing AI on the EU market, regardless of where the company is headquartered. A U.S. SaaS vendor selling to a Berlin client is in scope.
Step 1 β Inventory every AI system in production. This is the single biggest gap we see. Shadow AI tools (consumer ChatGPT accounts, Otter.ai recorders, free image generators) typically account for 40β60% of an enterprise's true AI footprint. You cannot classify what you cannot see.
Step 2 β Classify each system by risk tier. Prohibited (Art. 5), High-risk (Annex III β HR, biometrics, critical infra, education, credit scoring, law enforcement), Limited-risk (Art. 50 transparency), or Minimal-risk. Most enterprise tools fall into Limited or High.
Step 3 β Identify GPAI dependencies. If you build on top of a foundation model (GPT-4, Claude, Gemini, Llama), you inherit downstream obligations including technical documentation and copyright-compliant training-data policy disclosures.
Step 4 β Run a Data Protection Impact Assessment (DPIA) under GDPR Art. 35 for every high-risk use case. The AI Act explicitly cross-references GDPR β they are not separate workstreams.
Step 5 β Implement Art. 50 transparency duties. Users interacting with chatbots must be informed they're talking to AI. Synthetic media (deepfakes, AI avatars, voice clones) must carry machine-readable provenance signals (C2PA content credentials are the emerging standard).
Step 6 β Sign Data Processing Agreements (DPAs) with every vendor processing personal data on your behalf. Consumer-tier AI accounts almost never come with a compliant DPA β this is a fast track to enforcement action.
Step 7 β Lock down EU data residency where required. Several Member State DPAs have already signalled they will treat non-adequate jurisdiction transfers as Chapter V GDPR violations regardless of Standard Contractual Clauses.
Step 8 β Train your workforce. Article 4 mandates AI literacy obligations: staff using AI systems must be sufficiently trained to understand the system's limitations and risks.
Step 9 β Establish an AI governance committee with documented authority to approve, restrict, or block AI tools. Regulators will ask for the minutes.
Step 10 β Produce a board-ready compliance report. Not a 200-page PDF nobody reads β a one-page risk score with item-level legal references and remediation owners. This is the artefact that gets you through an audit.
SafeScan AI compresses this 10-step process from a 12-week consulting engagement into a 60-second automated scan. Upload your software inventory, get a board-ready report mapped to every relevant Article.