The EU AI Act’s High-Risk AI Deadline Is 90 Days Away. What Operators Building AI-Powered Products Need to Do Now.

The European Union’s AI Act entered into force in August 2024, with a staggered implementation timeline that has allowed the regulation’s requirements to arrive in phases. The prohibitions on unacceptable-risk AI systems — social scoring, real-time biometric surveillance in public spaces, and similar categories — took effect in February 2025. The General Purpose AI provisions, which apply to foundation model providers, took effect in August 2025. The requirements for high-risk AI systems — the most operationally significant category for the broadest range of technology companies — take effect in August 2026.

That deadline is now approximately 90 days away. The compliance preparation that most operators have done is not proportionate to the requirements that will apply in 90 days. The gap between what the AI Act requires of high-risk AI systems and what the majority of operators have documented, assessed, and implemented is large enough to create significant legal and operational exposure for companies that have assumed they have more time or a narrower obligation than they actually do.

What Counts as High-Risk AI: The Scope That Many Operators Are Misreading

The AI Act’s high-risk AI system categories are defined in Annex III of the regulation, and the scope is broader than the examples that most technology press has focused on. High-risk AI systems include AI used in: biometric identification and categorisation (beyond the prohibited real-time surveillance cases), critical infrastructure management, education and vocational training (AI that determines access to education or evaluates students), employment and workers management (AI used for recruitment, task allocation, performance monitoring, or termination decisions), access to essential private services and benefits (including credit scoring, insurance risk assessment, and benefit eligibility), law enforcement, migration and asylum management, and administration of justice.

Many operators who have read the high-risk list and concluded they are not covered are making one of three errors. The first is assuming that only the most obviously sensitive applications — law enforcement, biometric surveillance — are in scope. The second is assuming that because their product is not primarily marketed as an AI product, the AI components embedded in it are not covered. The third is assuming that being a third-party AI provider rather than the entity deploying the AI means the high-risk obligations do not apply to them. All three assumptions are incorrect.

On the third point specifically: the AI Act distinguishes between providers (entities that develop or deploy AI systems) and deployers (entities that use AI systems under their own authority). High-risk obligations fall on both, with different specific requirements. A company that integrates an AI hiring tool into its HR software is a deployer of a high-risk AI system and has obligations under the Act regardless of who built the underlying model. A company that builds and licenses a credit risk model to banks is a provider of a high-risk AI system and has obligations that include conformity assessment before the system can be placed on the market in the EU.

What High-Risk AI Compliance Actually Requires

The substantive requirements for high-risk AI systems under the AI Act are enumerated in Chapter III of the regulation and include several categories that require significant operational investment to satisfy.

Risk management system. High-risk AI systems must have a documented risk management process that is continuous — not a one-time assessment — throughout the system’s lifecycle. The risk management documentation must identify and analyse known and foreseeable risks, estimate and evaluate these risks, adopt suitable risk management measures, and be tested throughout development and post-deployment. The continuous nature of this requirement means it is not satisfiable by a pre-launch risk assessment; it requires an ongoing process with defined roles, responsibilities, and review cycles.

Data governance. Training, validation, and testing data for high-risk AI systems must meet quality criteria regarding relevance, representativeness, and freedom from errors. Operators must document what data was used, how it was processed, and what bias examination and mitigation was conducted. This requirement has retrospective implications: systems that were trained before the AI Act took effect may need data governance documentation that was not created at the time of training.

Technical documentation. A technical documentation package must be prepared before the system is placed on the market or put into service. The content requirements are extensive — general description, development process, capabilities and limitations, accuracy metrics, human oversight measures, cybersecurity architecture, and more. The documentation must be maintained and updated when the system changes. The documentation must be available to national competent authorities on request.

Transparency and human oversight. High-risk AI systems must be designed to allow the humans who use or monitor them to understand the system’s outputs, detect and correct malfunctions, and intervene or interrupt the system. The transparency requirement extends to the natural persons affected by the system’s decisions: they must be informed that a high-risk AI system is being used to make decisions about them, in some cases, and must have access to meaningful explanations of those decisions.

Accuracy, robustness, and cybersecurity. High-risk AI systems must achieve an appropriate level of accuracy for their intended purpose, must be resilient to errors and inconsistencies, and must be protected against attempts to alter their behaviour by third parties. The cybersecurity requirement is particularly relevant for systems that are connected to external data sources or that receive user-provided inputs.

The Conformity Assessment Question

For many high-risk AI systems, the AI Act requires a conformity assessment before the system can be placed on the EU market. For most Annex III categories, providers can conduct self-assessment — evaluating their own compliance with the requirements and maintaining a technical file. For AI systems in the biometric identification category and AI systems that are safety components of products covered by existing EU product safety legislation, third-party conformity assessment by a notified body is required.

Self-assessment does not mean light-touch assessment. The self-assessment process must demonstrate compliance with each of the high-risk AI system requirements, must be documented in the technical file, and must result in an EU Declaration of Conformity that the provider signs and retains. The Declaration of Conformity is the mechanism by which the provider attests that the system complies with the AI Act; it creates direct legal liability for false attestation.

The practical implication of the self-assessment route is that internal legal, engineering, and compliance teams need to have assessed the system against the AI Act requirements, created the required documentation, and signed the Declaration of Conformity before August 2026. For organisations that have not yet started this process, 90 days is a tight timeline to complete a meaningful conformity assessment across all high-risk AI systems, particularly if the organisation has multiple systems in scope.

What GDPR Enforcement History Predicts About AI Act Enforcement

The EU AI Act will be enforced by national competent authorities, with the European AI Office playing a coordinating role. The enforcement pattern is likely to follow the GDPR trajectory: an initial period of limited active enforcement while national authorities build capacity, followed by escalating enforcement as that capacity matures and as political pressure to demonstrate the regulation’s effectiveness increases.

GDPR’s enforcement trajectory showed that the largest penalties came not immediately after the regulation took effect but two to four years later, when national data protection authorities had developed the investigative capacity to pursue complex cases. The same trajectory should be expected for the AI Act — but the lesson from GDPR is not that early non-compliance is risk-free. The lesson is that the enforcement risk compounds over time as national competent authorities build expertise, as early enforcement actions create precedent, and as competitors who chose to comply early use the compliance posture as a competitive differentiator in enterprise procurement.

The fines under the AI Act are significant: up to €35 million or 7% of global annual turnover for violations related to prohibited AI practices, and up to €15 million or 3% of global annual turnover for violations related to high-risk AI system obligations. The higher percentage-of-turnover figure means that large companies face larger absolute fines than small companies for the same compliance failure, creating a revenue-weighted incentive structure similar to GDPR’s.

The Specific Risk for Web3 and Crypto Operators

Crypto and Web3 operators may believe they are outside the AI Act’s scope because their operations are often structured outside the EU or because the regulation appears designed for traditional technology products. This belief is likely incorrect for operators with EU users, EU-based employees who are supervised by AI systems, or EU-based smart contract interactions.

The AI Act’s extraterritorial reach — like GDPR’s — extends to providers and deployers whose systems affect natural persons located in the EU, regardless of where the provider or deployer is established. A DeFi protocol that uses AI-based risk models to determine lending limits for EU-based users is likely operating a high-risk AI system under the AI Act’s financial services provision. A centralised crypto exchange that uses AI for KYC/AML screening of EU-based customers is operating AI in the law enforcement-adjacent category. The regulatory analysis required to confirm scope is not trivial, and operators who have not conducted it are operating with unknown compliance exposure.

The evolution of AI identity verification in particular is a category where AI Act scope questions are live: Know Your AI and behavioural verification systems used to authenticate users at the point of transaction may constitute high-risk biometric AI if they use biometric data or biometric categorisation. The legal analysis is genuinely uncertain in some cases — the AI Act’s definitions are being interpreted by national competent authorities whose published guidance is not yet comprehensive — but the appropriate response to uncertain scope is not to assume out-of-scope; it is to document the analysis and the basis for any scope exclusion claim.

What Operators Should Do in the Next 90 Days

For operators who have not yet conducted a systematic AI Act compliance assessment, the 90-day horizon requires prioritisation rather than completeness. The most important actions, in rough order of priority:

First, conduct a scope assessment: identify all AI systems in use or under development that could fall within the Annex III high-risk categories, and conduct a documented legal analysis of whether each system is in scope. The output of this assessment determines what compliance work is actually required; doing it first avoids investing resources in compliance for systems that are not in scope while ensuring that actually-in-scope systems are identified.

Second, for confirmed high-risk AI systems, begin technical documentation preparation immediately. The documentation requirement is the most time-consuming to satisfy because it requires inputs from engineering, data science, legal, and operations — cross-functional alignment that takes time to organise even if all parties are available and cooperative.

Third, assign internal accountability: the AI Act’s human oversight requirements and the Declaration of Conformity signing requirement mean that specific individuals within the organisation need to take ownership of AI Act compliance. Diffuse accountability produces diffuse compliance; the regulation’s requirements are specific enough that they need owners.

Fourth, engage with the legal analysis of your specific fact pattern rather than relying on general commentary. The AI Act’s implementation is generating a body of national authority guidance and academic analysis that is specific to product categories and business models. General “the AI Act requires X” summaries are useful for orientation but insufficient for compliance planning. The guidance published by the European AI Office and national competent authorities is the authoritative source.

FAQ

When do the EU AI Act’s high-risk AI requirements take effect? August 2026 — approximately 90 days from this writing. The regulation entered into force in August 2024 with a staggered implementation. Prohibited AI practices took effect in February 2025; GPAI provisions in August 2025; high-risk AI system requirements in August 2026.

What makes an AI system “high-risk” under the EU AI Act? High-risk AI systems are those listed in Annex III of the regulation, including AI used in: biometric identification, critical infrastructure, education access decisions, employment decisions (hiring, monitoring, termination), credit and insurance risk scoring, law enforcement, and immigration. The scope is broader than most commentary suggests and includes B2B software that enables deployers to use AI in these categories.

Who bears the compliance obligation — the AI developer or the company using it? Both, but with different obligations. Providers (developers) must satisfy pre-market requirements including technical documentation and conformity assessment. Deployers (companies using AI in their operations) must satisfy post-deployment requirements including human oversight measures, transparency to affected individuals, and ongoing monitoring. Being a deployer does not eliminate compliance obligations.

What is the fine for non-compliance with high-risk AI requirements? Up to €15 million or 3% of global annual turnover, whichever is higher, for violations of the high-risk AI system requirements. Violations of the prohibited AI practices provisions carry higher fines: €35 million or 7% of global turnover.

Does the EU AI Act apply to crypto and Web3 operators? Potentially yes, for operators with EU-based users or operations. The regulation has extraterritorial reach similar to GDPR — it applies to providers and deployers whose AI systems affect natural persons located in the EU, regardless of where the provider is established. DeFi protocols using AI risk models, centralised exchanges using AI for KYC/AML, and identity verification systems using biometric AI are all potential in-scope categories requiring legal analysis.
