50 Days to the EU AI Act Deadline: What Your Agent Team Actually Needs to Ship Before August 2
ComplianceHub puts it plainly: August 2, 2026 enforcement starts, and non-compliance can run up to 7% of global annual turnover. That's the headline. The part most engineering teams are still fuzzy on is what they're specifically on the hook for.
Here's the gap I keep running into: teams assume compliance is a provider problem (Anthropic, OpenAI, Mistral). It's not — or not only. If you're deploying an agent that makes consequential decisions in the EU market, you're a deployer, and deployers have their own August 2 obligations.
What deployers actually owe by August 2
The EU AI Act's deployer requirements aren't about how you trained the model. They're about what your system does in production:
Documentation. You need a written account of the agent's intended purpose, the population it affects, the deployment context, and any known limitations or failure modes. No formal template required — but it has to exist and it has to be findable if the Commission asks.
Human oversight. For Annex III high-risk categories (hiring, credit, biometric ID, education, essential services, law enforcement, migration, critical infrastructure), an agent making autonomous decisions needs a documented oversight mechanism. "A human can stop it" doesn't count. You need evidence that humans are in the loop on consequential decisions, with logs.
Incident reporting chains. If your agent produces an incorrect output that affects a natural person in a high-risk context, you need a defined escalation path. Not a Slack channel — a documented procedure with responsible parties and timelines.
None of this requires a compliance law firm. Most of it is documentation of engineering decisions you've already made. The gap is usually that nobody's written it down in a form that survives an audit.
The three artifacts that matter most
Based on the Commission's public consultation responses, the first things an enforcement team will ask for are:
- A system card documenting deployment context and limitations
- Tamper-evident decision logs (HMAC-SHA256 or equivalent) — a plain application log won't cut it
- Evidence of human oversight gates for high-risk decisions, with timestamps
The second of those is where teams are most exposed. Logging what an agent did is easy. Logging it in a way that proves the logs haven't been altered after the fact requires either a cryptographic chain or a write-once audit store. Most teams are running on append logs that a disgruntled engineer could edit.
The August 2027 deadline isn't your deadline
One thing ComplianceHub's guide is clear on: August 2027 applies to GPAI models placed on the market before August 2, 2025. If you're shipping new agent systems now — in 2026 — you're already past the cutover. Your deadline is August 2, 2026. That's 50 days from today.
What we built for this
The BizSuite AI Audit is a $997 two-hour working call followed by a prioritized remediation plan in 48 hours. It covers deployer vs. provider classification for your specific system, Annex III risk-tier determination, gap analysis against the three artifact buckets above, and a written action plan you can hand to legal or engineering.
If you're running agent systems that touch any Annex III category and you're operating in the EU market, the call pays for itself in the first artifact you don't have to produce from scratch.
Top comments (0)