August 2 Is When EU AI Act Enforcement Starts. Here's What "Compliance-Ready" Actually Means.
Kennedys Law put it plainly: August 2, 2026 is when most of the remaining EU AI Act rules become active, and GPAI fine enforcement begins. that's 38 days. what "compliance-ready" looks like in 38 days is not the same as what it looks like in 18 months.
this is a practical read on what you actually need by August 2 — and what you can defer without material risk.
the non-deferrable items
GPAI transparency documentation. if you deploy a GPAI model, you need a published acceptable use policy and copyright summary policy by August 2. these don't require legal team sign-off on every line — they need to exist and be accessible. the enforcement case for missing documentation is straightforward for regulators.
Article 52 disclosure mechanisms. any customer-facing AI system that interacts with humans needs a disclosure at first contact. this is a product deployment issue — verify it's live before August 2. the disclosure doesn't need to be prominent, but it needs to be present and logged.
High-risk system registration. if you're deploying AI in credit scoring, hiring, law enforcement support, or biometric recognition contexts in the EU, registration in the EU AI Act database is required before deployment. if you're already deployed, you need to register now.
what you can defer without material risk
Full conformity assessments. for high-risk AI systems, third-party conformity assessments are not required immediately for existing deployed systems — there's a transitional period. document your current risk assessment and mitigation measures. that's what's defensible in August.
Complete technical documentation packages. GPAI model documentation has specific content requirements, but regulators have indicated they're looking for good-faith effort in the first enforcement wave, not perfection. a documented risk position beats an empty file.
Staff training completion. Article 4 literacy obligations are real but not the first enforcement priority. get the documentation and transparency controls in place first.
the actual audit gap
the Kennedy's analysis highlights something that doesn't show up in most compliance guides: the enforcement gap isn't usually "company had no idea this existed." it's "company knew the rules but couldn't produce evidence they were followed."
what regulators can ask for by August 2:
- documentation of which AI systems you operate and how they're classified
- evidence that transparency disclosures are live in production
- a risk assessment for any high-risk category system
- for GPAI: the technical summary and acceptable use policy
the companies that are going to get hit in the first enforcement wave are the ones who can't produce that documentation on 30 days' notice — not because they're non-compliant, but because they never wrote anything down.
what a 38-day audit covers
the BizSuite AI audit is a 2-hour working call where we go through your AI stack, classify every system against the Act's risk tiers, identify the live gaps, and deliver a prioritized plan in 48 hours. $997.
what comes out of it: a documented inventory you can hand to a regulator, a list of the disclosure and documentation gaps ordered by enforcement risk, and a concrete remediation sequence for the 38 days you have.
it's not a full conformity assessment — that's a months-long engagement. it's the thing you need to be defensible by August 2.
Top comments (0)