The European Commission floated a proposal in November 2025 to push certain EU AI Act deadlines toward late 2027. That proposal has not been enacted into law. Enterprises that filed it under "possible relief" should retrieve it, mark it "did not pass," and open the regulation instead. August 2, 2026 remains the binding enforcement date for high-risk AI system obligations, and the compliance window is not compressing in some abstract future sense: it is compressing right now.

## What the Deadline Actually Covers

The August 2, 2026 date triggers a layered set of obligations, not a single checkbox. According to the Cloud Security Alliance AI Safety Initiative's March 2026 research note, the date activates Articles 9 through 17 for providers and Article 26 for deployers. Article 9 requires a risk management system maintained throughout the AI system's entire lifecycle. Articles 10 through 17 then cover, in sequence: data governance, technical documentation, record-keeping, transparency toward deployers, human oversight mechanisms, accuracy, robustness, and cybersecurity. Article 26 places corresponding obligations on the organizations that deploy these systems rather than build them.

The breadth is the point. This is not a disclosure checkbox or a cookie banner. It is a documentation regime that reaches into how training data was sourced, screened, and governed before a single inference was ever served.

Classification as high-risk flows from Article 6 and Annex III of the Act, as set out in the official EU Artificial Intelligence Act text. Systems operating in employment, credit scoring, law enforcement, biometrics, and essential private services are enumerated as in-scope categories, per the Cloud Security Alliance research. Baker Botts noted in its March 2026 client update that penalties for non-compliance can reach 15 million euros or up to 3 percent of global annual turnover, whichever is higher.
That arithmetic matters to any enterprise running AI in a regulated sector, regardless of whether its lawyers have issued a formal opinion yet.

## The Training Data Pipeline Problem

Of all the obligations in Articles 9 through 17, Article 10 is the one that catches enterprises unprepared most reliably. It requires that training, validation, and testing datasets meet defined quality criteria, be examined for possible biases, and be relevant, sufficiently representative, and free of errors for their intended purpose. McKenna Consultants, writing specifically on technical readiness for the August 2026 deadline, frames this as requiring enterprises to audit not just the model but the upstream data pipeline: where data originated, what screening it received, and whether that governance was documented contemporaneously or reconstructed after the fact. Reconstructed documentation is not the same as maintained documentation, and auditors know the difference.

The practical difficulty is that many enterprises acquired training data through third-party vendors or inherited pipelines from earlier product iterations. Neither circumstance exempts the provider from Article 10 obligations. McKenna Consultants notes that providers must be able to demonstrate data governance decisions at each stage of the pipeline, which means the audit is not a one-time event but a continuous record that should already exist. For organizations that have not yet begun this work, the honest assessment is that they are behind.

## The Deployer Obligation That Gets Overlooked

Most compliance commentary focuses on providers: the organizations that build and place high-risk AI systems on the market. Article 26 obligations for deployers receive less attention and are routinely underestimated. The Cloud Security Alliance research note is explicit that Article 26 binds the organizations using these systems, not just the vendors supplying them.
Deployers must ensure systems are used in accordance with the provider's instructions, assign human oversight, monitor for risks not identified in the original documentation, and keep logs of operation where technically feasible. An enterprise that purchases a high-risk AI system from a vendor and considers itself a passive consumer of that product is misreading the regulation. The deployer obligation is a substantive one, and it cannot be contracted away to the vendor through a standard software agreement.

This is where vendor contract review becomes urgent. Any agreement that lacks explicit allocation of Article 26 responsibilities, logging commitments, and incident notification obligations will need to be renegotiated or supplemented before August 2, 2026. Legal teams that have been waiting for further guidance from national competent authorities before acting are, at this point, waiting for something that will not arrive before enforcement begins.

## What to Do With the Time Remaining

The Cloud Security Alliance AI Safety Initiative's March 2026 research characterizes compliance programs at many enterprises as "nascent," which is a diplomatic way of saying that most organizations are not ready. The steps that remain are concrete rather than philosophical. Providers need a completed risk management system under Article 9, documented training data governance under Article 10, and technical documentation that satisfies Articles 11 through 17. Deployers need to review every in-scope system against the Article 26 checklist, update vendor contracts, and designate human oversight responsibilities in writing. Neither set of obligations is satisfied by a policy document that describes intentions. The Act requires operational evidence.

For anyone building or deploying AI in regulated sectors and reading this as a prompt to start: the window is narrow but it is not closed.
The Commission delay proposal that did not pass is not entirely irrelevant; it signals that enforcement posture in the earliest months may allow some compliance-in-progress grace, though no official guidance to that effect has been published. Planning for August 2, 2026 as a hard date and treating any subsequent flexibility as a bonus is the only defensible posture. Watch the European AI Office for enforcement guidance as the date approaches, and watch national competent authorities for sector-specific interpretations, particularly in employment and financial services where Annex III scope questions remain live.

## Sources

- EU AI Act High-Risk Deadline: Enterprise Readiness Gap - Lab Space
