Compliance readiness

EU AI Act readiness: what actually applies August 2, 2026

Scan your codebase for Article 50 transparency, disclosure, inventory, and evidence gaps under the updated 2026 EU AI Act timeline. Free read-only scan, evidence-ready JSON, free registry upload.

Updated Jun 22, 2026

By August 2, 2026, Article 50 transparency obligations start to apply. Under the May 2026 Digital Omnibus political agreement, high-risk obligations move to later dates: December 2, 2027 for Annex III systems and August 2, 2028 for Annex I product-embedded systems. The agreement is provisional until formal adoption and publication in the Official Journal.

Run the free AI Act transparency gap scanner

Create a free account to copy the scanner prompt into your code agent. It will produce an AI inventory, Article 50 transparency gaps, upcoming high-risk review items, and an evidence-ready JSON report.

Start free scan

Key takeaways

  • August 2, 2026 is when Article 50 transparency obligations start to apply - not the full high-risk oversight deadline for every AI system.
  • As provisionally agreed in the May 2026 Digital Omnibus, Annex III high-risk obligations move to December 2, 2027 and Annex I product-embedded high-risk obligations move to August 2, 2028, pending Official Journal publication.
  • Prohibited practices and AI literacy have applied since February 2, 2025; GPAI obligations have applied since August 2, 2025.
  • The first useful step is an inventory: know where AI runs, who owns it, what it can do, and what evidence currently exists.
  • Contro1 turns scan findings into operating controls: AI registry, disclosure logging, ownership, human approval routing, signed callbacks, audit trails, and evidence packets.

Why teams need to act now

Most companies do not fail AI governance because they lack a policy. They fail because nobody can prove what AI systems are running, what those systems can do, when users were notified, which actions were reviewed, and where the evidence lives.

This page was updated on June 22, 2026 to reflect the May 2026 Digital Omnibus political agreement. The changed high-risk dates are provisional until formal adoption and publication in the Official Journal, so treat this as implementation planning, not legal advice.

This page is not a legal certification checklist. It is an operational readiness scan for the code, workflows, and agents that create EU AI Act exposure.

What changed in the May 2026 Omnibus

The European Parliament and Council reached a provisional political agreement on May 7, 2026 to simplify parts of the AI Act implementation timeline. The agreement does not repeal the AI Act. It moves the main high-risk obligation dates while leaving near-term transparency work in place.

As provisionally agreed, the high-risk regime moves to fixed later dates: December 2, 2027 for standalone Annex III high-risk AI systems, and August 2, 2028 for high-risk AI systems embedded in regulated products under Annex I. These amendments take legal effect only after formal adoption and publication in the Official Journal.

DateWhat appliesPlanning tier
February 2, 2025Prohibited practices and AI literacy.In force
August 2, 2025GPAI model obligations and AI governance infrastructure.In force
August 2, 2026Article 50 transparency: disclose AI interactions and relevant AI-generated content.Active / due now
December 2, 2026Machine-readable marking grace for some existing AI-generated content systems and new nudifier/CSAM prohibition.Near-term
December 2, 2027High-risk Annex III obligations, such as recruitment, credit, education, employment, biometrics, and essential services.Upcoming
August 2, 2028High-risk Annex I obligations for AI embedded in regulated products.Upcoming

What still applies on August 2, 2026

The August 2, 2026 workstream is mainly transparency and evidence. Teams should know where AI interacts with people, where AI-generated content appears, whether users are told they are interacting with AI, and whether those disclosures are logged.

The scanner therefore treats Article 50 disclosure and transparency gaps as active. It also keeps prohibited-practice and GPAI checks active because those obligations already apply.

AI interaction disclosure

Find chatbots, assistants, copilots, and agent surfaces where users are not told they are interacting with AI.

AI-generated content disclosure

Find generated text, image, audio, video, or public-interest content without labeling, review, or publishing evidence.

Disclosure evidence

Record user/session, agent, disclosure text, timestamp, channel, and disclosure version.

Already-active obligations

Keep prohibited-practice and GPAI usage checks visible because those obligations are already in force.

What moved to 2027 and 2028

High-risk obligations did not disappear. Under the provisional Omnibus agreement, they moved. Annex III high-risk obligations are planned for December 2, 2027, and Annex I product-embedded high-risk obligations are planned for August 2, 2028.

That means high-risk candidates should not be scored as overdue for August 2, 2026 simply because they may require legal classification. They should be tracked as upcoming, assigned to legal or governance owners, and connected to the inventory and evidence program now.

Regulation did not create the problem

Organizations needed inventory, ownership, approvals, and audit trails before the AI Act existed. The deferral changes the deadline, not the operational gap.

The practical question is still the same: which AI agents exist, who owns them, what can they access, which actions need review, and what evidence exists after something happens?

Teams that need this now

Teams with AI already in production should start with inventory, transparency checks, and evidence capture.

  • Customer support chatbots, sales assistants, internal copilots, and customer-facing agents
  • AI agents connected to tools, APIs, databases, CRMs, payments, or external services
  • AI-generated emails, reports, posts, documents, or public-interest content
  • Workflows where AI updates CRM records, triggers refunds, sends communications, or makes decisions affecting users

What August 2, 2026 means in practice

The EU AI Act applies in phases. By August 2, 2026, Article 50 transparency obligations start to apply for AI systems interacting with people or generating relevant synthetic content. High-risk obligations are now planned for later dates under the provisional Omnibus agreement.

This is not a blanket full high-risk compliance deadline for every chatbot. It is the point where invisible AI interactions and unlabeled AI-generated content become hard to defend.

Transparency

Show and log when a user is interacting with AI or exposed to AI-generated content.

Evidence

Record the agent, model, prompt, output, tool call, reviewer, decision, reason, timestamp, and final outcome.

Operational control

Keep ownership, approval routing, escalation, rejection reasons, and signed callbacks ready before the later high-risk dates.

Not full high-risk for everyone

High-risk obligations depend on use case and are now planned for December 2027 or August 2028 under the provisional Omnibus timeline.

Article 50: what to scan for

Article 50 is the EU AI Act section on transparency obligations for providers and deployers of certain AI systems. The operative duties for implementation planning are easiest to scan as concrete system behaviors.

Short official excerpt: "informed that they are interacting with an AI system". Use the EUR-Lex link below for the full Article 50 wording and legal context.

  • AI systems that interact directly with people must be designed so people are informed that they are interacting with AI, unless this is obvious from context.
  • Providers of AI systems that generate synthetic audio, image, video, or text content must support machine-readable marking and detection where required.
  • Deployers must disclose deepfakes and certain AI-generated or manipulated content, including public-interest text unless human review/editorial responsibility applies.
  • Deployers of emotion recognition or biometric categorisation systems must inform exposed people, subject to exceptions and applicable law.

Full EU AI Act text on EUR-Lex · AI Act Service Desk timeline · European Commission AI Act overview · Council update on the May 2026 Omnibus agreement

The five gaps every AI agent team should scan first

The first useful scan should be small enough to run this week and concrete enough for legal, security, product, and engineering to act on.

These five gaps capture the largest EU AI Act exposure for most teams running AI in production.

1. AI systems found

Detect model calls, agent frameworks, workflow automations, AI endpoints, tools, workers, and provider dependencies.

2. Missing user disclosures

Find chatbots, copilots, assistants, auto-replies, and customer-facing agents without disclosure text or disclosure logging.

3. AI-generated content without labeling or review

Find generated emails, posts, documents, media, reports, and public-interest content without review, labeling, or publishing evidence.

4. Sensitive agent actions without approval

Find sensitive actions like refunds, payments, CRM updates, database writes, external API calls, and HR/finance/legal decisions without approval gates. Not all agent actions need human review - only the ones your policy marks as sensitive.

5. Missing audit trail

Find AI actions where prompt, model, input, output, tool call, reviewer, reason, timestamp, affected user, or final outcome is missing.

Full scanner checklist

ScannerTierWhy it mattersContro1 control to close the gap
AI System & Agent Inventory ScannerActiveYou cannot manage transparency or oversight for systems you have not mapped.AI Agent Registry with owner, department, tools, permissions, systems, environment, and risk flags.
AI User Interaction Disclosure ScannerActive - August 2, 2026Article 50 may require users to know when they interact with AI. Unlogged disclosure cannot be evidenced.AI Disclosure Logging with user/session, agent, disclosure text, timestamp, channel, and disclosure version.
Synthetic Content / AI-Generated Output ScannerActive / near-termAI-generated public content may need disclosure, labeling, or human review. Some machine-readable marking requirements for existing systems have a December 2, 2026 grace period under the provisional Omnibus.AI Content Governance with label required/not required, approval before publish, public-interest flags, synthetic media flags, and publishing audit trail.
Prohibited Practices ScannerActive - February 2, 2025Certain AI practices are already prohibited and should be escalated immediately if detected.Sensitive AI Use Escalation to legal, DPO/privacy, and governance owners with audit evidence.
GPAI Usage ScannerActive - August 2, 2025Provider, model, endpoint, region, API key usage, embeddings, image/audio/video models, fine-tuning, self-hosted models, and GPAI dependencies.AI Vendor & Model Registry with provider, model, purpose, data sent, owner, production/dev, customer-facing/internal, and risk category.
Human Approval Routing ScannerUpcoming when tied only to high-risk classificationSensitive agent actions still need traceable human review as an operating control, but high-risk AI Act obligations are not scored as overdue for August 2, 2026.Human-in-the-Loop Approval Routing with role, department, SLA, quorum, escalation, rejection reason, signed callback, and evidence packet.
AI Audit Trail ScannerActive evidence layerPolicies are not useful if evidence does not exist. Every AI action that matters needs a traceable, immutable record.Agent Decision Audit Trail: every AI action gets a timeline.
Annex III High-Risk Candidate ScannerUpcoming - December 2, 2027Recruitment, credit, education, employment, biometrics, essential services, and similar uses should be identified for legal classification.AI Act Transparency Readiness Report and owner-assigned high-risk candidate review.
Annex I Product-Embedded High-Risk ScannerUpcoming - August 2, 2028AI embedded in regulated products follows the later Annex I timeline under the provisional Omnibus.AI Act Transparency Readiness Report and product/legal owner review.
Compliance Evidence ExportActive / upcomingDetected systems, missing disclosures, missing approvals, missing logs, high-risk candidates, synthetic content flows, sensitive AI use, and recommended controls.AI Act Transparency Readiness Report for legal, compliance, security, and product owners.

Run the free gap scan

The Contro1 AI Act Gap Scanner is a coding-agent skill. Paste it into your code agent after signing up, and it will inspect the codebase in read-only mode before proposing any changes.

The scanner creates two artifacts: a human-readable Markdown gap report and a structured JSON inventory (contro1-ai-act-inventory.json) that you upload straight into your free Contro1 AI Registry.

  • It does not change code unless you explicitly approve implementation later.
  • It marks uncertain legal classification as unclear and asks for customer/legal confirmation.
  • It maps each gap to the relevant Contro1 control and writes the exact recommended fix into the JSON item for that gap.
contro1-ai-act-inventory.json
{
  "ai_systems_found": [],
  "missing_user_disclosures": [],
  "ai_generated_content_without_labeling_or_review": [],
  "agent_actions_without_human_approval": [
    {
      "name": "Code Deployment Agent",
      "tier": "upcoming",
      "effective_date": "2027-12-02",
      "article": "Annex III / Chapter III",
      "recommended_fix": "Create a Contro1 approval request before production deploys.",
      "contro1_control": "Human-in-the-Loop Approval Routing",
      "contro1_implementation": "Wrap the deploy tool call with risk_level, policy_trigger, action summary, target environment, reviewer requirement, and continuation.webhook_url."
    }
  ],
  "missing_audit_trails": [],
  "model_and_vendor_usage": [],
  "high_risk_candidates": [],
  "sensitive_ai_uses": [],
  "recommended_contro1_controls": []
}

Get a free report - and manage your team in one place

Get a free report of where your AI systems stand on active EU AI Act transparency work, and manage upcoming high-risk review tasks in one place. Free.

Create your free account

No credit card. Storing your inventory and tracking progress in Contro1 is free.

Run the scan skill

Copy the AI Act Gap Scanner skill and give it to your engineering team. Their code agent produces contro1-ai-act-inventory.json.

Upload the file here

Open your Contro1 AI Registry and upload the JSON. It becomes a prioritised checklist of every gap.

Track and assign

Instantly see every gap, follow your progress over time, and assign each task to a person on your team to handle.

Open your AI Registry

What this scan is not

This scan is not legal advice, a conformity assessment, or a certification that your organization is compliant with the EU AI Act.

It is an operational readiness scan. It helps engineering, product, security, and legal teams find the AI systems, transparency gaps, approval gaps, and missing evidence that are usually absent before a formal AI governance review.

Legal classification of high-risk AI systems depends on the intended use case, deployment context, sector, and applicable law. The scanner marks high-risk candidates and gives your legal or governance team the evidence they need to review them.

Fix these gaps with Contro1

EU AI Act readiness is not just a legal checklist. It is an operations problem.

Your teams need to prove which AI systems exist, who owns them, what they can do, when users were notified, when content was reviewed, when humans approved or rejected an action, and what evidence exists if something goes wrong.

Contro1 gives AI agents an operating standard: registry, disclosure logs, approval routing, escalation, signed callbacks, and audit evidence.

The goal is not to move legal classification into Contro1. Your governance and legal teams still own the policy. Contro1 makes the operational control path visible, routed, and auditable.

Run the free AI Act gap scan · Requests API reference · Webhooks reference

Frequently asked questions

Does every company need full high-risk AI compliance on August 2, 2026?

No. The EU AI Act has staged application dates and category-specific obligations. August 2, 2026 is when Article 50 transparency rules start to apply. Under the May 2026 Omnibus political agreement, high-risk Annex III obligations move to December 2, 2027 and Annex I product-embedded obligations move to August 2, 2028, pending Official Journal publication.

Does Contro1 provide EU AI Act legal certification for a company?

No. Contro1 provides operational controls and evidence for AI agent workflows. Legal compliance depends on the system, role, use case, jurisdiction, and governance program. Contro1 is not a conformity assessment tool and does not provide legal advice.

Do I need this if I only use OpenAI or Claude through an API?

Yes. The model provider may have its own obligations, but your organization still needs to know where AI is used, what data is sent, how users are informed, and what evidence exists around AI actions and decisions.

Do all agent actions need human approval?

No. Contro1 is designed to route only the actions your policy marks as sensitive: payments, refunds, publishing, account changes, HR decisions, legal or finance actions, database writes, or high-risk workflows. Low-risk actions can be logged as audit-only records without routing.

Can Contro1 classify our AI system as high-risk?

Contro1 can flag high-risk candidates based on use case signals found in the code, but your legal or governance team owns the final classification. The scanner marks candidates as upcoming review items unless it also finds an active Article 50, prohibited-practice, or GPAI gap.

What does the scanner change in my code?

Nothing during the scan. The skill operates in read-only mode first and produces Markdown and JSON artifacts. Implementation of any fix happens only after explicit approval from your team.

What happens after the scan?

You upload the JSON inventory into your free Contro1 AI Registry, assign owners, mark gaps, activate disclosure logging, define approval policies, and start producing evidence packets. Each gap in the checklist maps to a Contro1 control you can activate.