By PowerQuant | Updated June 2026
2 August 2026 is the date the bulk of the EU AI Act's high-risk obligations start to bite — including the obligations that apply to most HR-tech systems used by employers. If you are a Nordic HR-tech vendor, an in-house people-analytics team, or an HR director procuring AI tooling, this is the deadline that changes how you operate. Here is what the date actually triggers, what is and isn't in scope, and the one piece of moving regulatory machinery (the Digital Omnibus) you need to track.
The short version
- From 2 August 2026, the high-risk AI obligations in Chapter III of the EU AI Act apply to systems in Annex III — which explicitly includes AI used for recruitment, candidate evaluation, work allocation, promotion and termination decisions, and performance/behaviour monitoring of workers.
- Both providers (who put the system on the EU market) and deployers (employers using the system) have their own obligation stacks. Most HR teams are deployers.
- Fines for non-compliance with high-risk obligations reach €15 million or 3% of global annual turnover, whichever is higher (Art. 99(4)).
- The Digital Omnibus provisional political agreement of 7 May 2026 proposes to push stand-alone Annex III applicability to 2 December 2027 (proposed; not yet adopted) — but until it is formally adopted and published in the Official Journal, 2 August 2026 is the binding date.
What "Annex III HR" actually means
Annex III, point 4 ("Employment, workers' management and access to self-employment") is where most HR-tech sits. It covers AI systems intended to be used:
- for recruitment or selection of natural persons — including to place targeted job ads, to analyse and filter applications, and to evaluate candidates;
- to make decisions affecting terms of work-related relationships, the promotion or termination of contractual relationships, to allocate tasks based on individual behaviour or personal traits, or to monitor and evaluate the performance and behaviour of persons in such relationships.
That language sweeps in CV-screening tools, sourcing and matching engines, structured-interview scoring, workforce-management schedulers that assign shifts based on behaviour, performance-management dashboards driven by inference, and most monitoring/"productivity" analytics. If your tool produces a score, a ranking, a recommendation or a flag that informs a hiring, promotion, allocation, or termination decision, treat it as in scope until your legal analysis says otherwise.
What deployers must have in place by 2 August 2026
Article 26 is the deployer's checklist. By 2 August 2026, an employer using a high-risk HR AI system should be able to show all of the following:
- Use according to instructions for use — the provider's documentation is followed; deviations are documented and risk-assessed.
- Human oversight — named, competent humans with the authority and tools to intervene, override, or stop the system (Art. 14 / Art. 26(2)).
- Input data governance — inputs are relevant and sufficiently representative for the intended purpose (Art. 26(4)).
- Monitoring and incident handling — operation is monitored; serious incidents and malfunctions are reported to the provider and, where applicable, to the market-surveillance authority (Art. 26(5), Art. 73).
- Log retention — automatically generated logs are kept for at least six months, unless EU or national law says otherwise (Art. 26(6)).
- Worker information — before putting the system into service in the workplace, deployers inform workers' representatives and affected workers that they will be subject to a high-risk AI system (Art. 26(7)).
- Transparency to affected persons — individuals subject to decisions made or assisted by the system are informed (Art. 26(11)), and have the right to a meaningful explanation of individual decisions under Art. 86.
- FRIA where required — a Fundamental Rights Impact Assessment under Art. 27 is performed before first use by certain deployers (notably public-sector bodies and those providing public services).
- EU database registration — where you are a deployer that is a public authority or acting on its behalf, register the system in the EU database (Art. 49(3)–(4)).
On top of Article 26, do not forget that Article 4 (AI literacy) has applied since 2 February 2025. By August 2026 your AI literacy programme should be a year-and-a-half old and documentable — not something you start the week before.
What deployers must demand from providers
You cannot fulfil most of Art. 26 without artefacts from the provider. As a deployer, your procurement and vendor-management process needs to extract — and store — at least:
- the instructions for use (Art. 13);
- a copy or summary of the EU declaration of conformity (Art. 47) and the CE-marking evidence;
- confirmation of EU-database registration by the provider (Art. 49);
- a description of the human-oversight measures the system supports (Art. 14);
- the technical and organisational measures relevant for your input-data and monitoring obligations.
Vendor questionnaires that ask "are you AI Act compliant?" are worthless on their own. Ask for the specific artefacts above, and store them with the system in your inventory.
The Digital Omnibus wildcard
On 7 May 2026, EU institutions reached a provisional political agreement on a "Digital Omnibus on AI" that would, among other things, postpone the applicability of Annex III high-risk obligations — the Omnibus proposes a new date of 2 December 2027 (proposed; not yet adopted) for stand-alone Annex III systems. That deferral is not yet law. It takes effect only once the amending act is formally adopted by the Parliament and Council and published in the Official Journal. Until then, 2 August 2026 remains the binding date that your auditor, your enterprise customer's procurement team, and any national market-surveillance authority will hold you to.
A pragmatic stance: plan for 2 August 2026, but build your evidence so it can absorb a 16-month deferral without thrashing. The artefacts you need (AI inventory, Art. 4 literacy programme, Art. 26 procedures, Art. 47 conformity evidence stored against each system) do not change if the date moves. Only the enforcement window does.
What "ready" looks like for an HR-tech deployer
- A live AI inventory listing every AI system used in the people lifecycle, with a classification (Annex III high-risk / limited-risk / minimal) and a provider/deployer designation.
- For each high-risk system: provider documentation pack (instructions for use, DoC, EU-database entry), a human-oversight design, named oversight role with training records, input-data governance notes, and an incident-and-malfunction procedure.
- An Art. 4 AI-literacy register: who in the organisation interacts with AI, what training they have received, when it was refreshed.
- A worker-information notice that has actually been delivered (works council/representatives consulted where applicable), with timestamps.
- FRIA performed and signed off where Art. 27 applies; otherwise a documented assessment of why it does not.
- Log-retention configured for ≥6 months and the storage location identified.
If you have done none of this yet
Start with the inventory. Without a definitive list of which AI systems you operate and how they are classified, every other obligation is guesswork. From an inventory, the rest of the work — gap analysis, vendor evidence requests, human-oversight design — is mechanical.
Sources
- EU AI Act (Regulation (EU) 2024/1689), Articles 4, 13, 14, 26, 27, 47, 49, 73, 86, 99 and Annex III.
- European Commission — AI Act Service Desk implementation timeline.
- European Commission — Digital Omnibus on AI provisional political agreement (7 May 2026; pending formal adoption and Official Journal publication).