The EU AI Act enforcement deadline for high-risk AI systems is 2 August 2026. That is four months away. If your organisation deploys, builds, or distributes AI systems that fall under Annex III, this is your practical checklist for what needs to happen between now and then β week by week, with no ambiguity about priorities.
Month 1: April 2026 β assess and classify
The single most important action in April is classification. You cannot build a compliance programme without knowing which of your AI systems are in scope and at what risk level. Every week that passes without classification is a week of implementation time lost.
Week 1β2: Inventory your AI systems. List every system that uses AI or machine learning across your organisation. Include internal tools, vendor-provided systems, and embedded AI in third-party platforms. Most organisations undercount β AI is embedded in CRM scoring, fraud detection, HR screening, chatbots, recommendation engines, and operational analytics. If it makes predictions, classifications, or decisions based on data patterns, it is likely an AI system under the Act's broad definition.
Week 2β3: Classify each system. Map each system against Annex III. Determine whether you are the provider (you built it), deployer (you use it), or both. Identify which systems are high-risk, limited risk, or minimal risk. Document the classification rationale for each β this is the foundation document that regulators will ask to see first.
Week 3β4: Commission a gap assessment. With classification complete, you need a structured gap analysis that scores your current compliance posture against every applicable obligation and produces a prioritised remediation roadmap. A CORAβ’ Gap Assessment delivers this in two weeks for β¬999 β including obligation mapping, scored maturity report, and a clear action plan.
Morclear's free AI Act assessment tool gives you a scored preliminary report in 10 minutes. If you haven't classified your systems yet, start there today.
Month 2: May 2026 β build the programme
With the gap assessment complete, May is for building. This is the most labour-intensive phase β producing the documentation, establishing the controls, and embedding the processes into your organisation.
Risk management system (Article 9). Implement a continuous lifecycle risk management system for each high-risk AI system. This is not a one-time risk assessment β it requires a policy, risk identification methodology, analysis and evaluation criteria, mitigation measures, and a review cadence. Document everything.
Data governance (Article 10). Assess your training, validation, and test datasets. Document their provenance, quality measures, bias assessments, and fitness for purpose. If your AI systems process personal data, ensure GDPR compliance is integrated β this is where the two frameworks intersect most directly.
Technical documentation (Article 11, Annex IV). Build the technical documentation package for each high-risk system. Annex IV specifies the required structure: general description, design specifications, development methodology, training and testing details, performance metrics, risk management measures, and post-market monitoring plan. This is the primary evidence file for regulatory scrutiny.
Human oversight (Article 14) and transparency (Article 13). Design and document the human oversight mechanisms for each system. Ensure instructions for use are clear, comprehensive, and reflect the system's actual capabilities and limitations.
Month 3: June 2026 β test and validate
Quality management system (Article 17). Establish and document your QMS covering the full AI lifecycle. This includes design controls, change management, documentation management, supplier oversight, and internal audit procedures.
Accuracy and robustness testing (Article 15). Test each system's performance under expected conditions. Document accuracy metrics, robustness testing results, and cybersecurity resilience assessments. If you identify weaknesses, document the mitigations and the residual risk accepted.
Internal review. Conduct a mock audit of your complete documentation package. Walk through the conformity assessment procedure internally. Identify gaps, inconsistencies, and areas where documentation does not match reality. Fix them now β not in July.
Board briefing. Brief your board on compliance status. Under multiple EU frameworks β DORA, NIS2, and increasingly the AI Act β board members face personal accountability for compliance failures. They need to understand where the programme stands, what risks remain, and what resources are needed for the final push.
Month 4: July 2026 β conformity and registration
Conformity assessment (Article 43). For most high-risk systems, this is a self-assessment based on internal checks. For biometric identification systems and a few other categories, third-party assessment by a notified body is required. Complete the assessment, document the results, and address any non-conformities identified.
Declaration of conformity. Sign the EU declaration of conformity for each high-risk system. This is a formal legal document β it states that the system complies with the requirements of the Act. Someone must sign it. That someone is personally accountable for its accuracy.
EU database registration (Article 49). Register each high-risk system in the EU database before it is placed on the market or put into service. This registration is public β regulators, users, and the general public can access it.
Post-market monitoring plan. Establish the post-market monitoring system required by Article 72. This is your ongoing compliance mechanism β the process by which you detect issues, collect feedback, and update your risk assessment after deployment. This is where continuous compliance begins.
What if you're starting late?
If you're reading this in May or June and haven't started, the timeline compresses but it's not impossible. A CORAβ’ Gap Assessment takes two weeks. Implementation can be accelerated to 6β8 weeks with dedicated resources. The key is starting immediately β every week of delay reduces the available implementation time and increases the risk of gaps at enforcement.
If you're reading this in July, your options are limited. You can still classify systems, begin risk management documentation, and demonstrate good faith progress β but full compliance by August 2 is unlikely. Focus on the highest-risk systems first and build from there.
Whatever your timeline, the first step is the same: understand your exposure. The free AI Act assessment takes 10 minutes and gives you a scored report. Start there.
Primary Regulatory Sources
Morclear resources are independently produced. They do not constitute legal, regulatory, financial, or professional advice.