EU AI Act Full Enforcement (2 Aug 2026): What Businesses Using AI Must Have in Place

Last updated: 19 May 2026

On 2 August 2026 the EU AI Act reaches full enforcement, giving national authorities across every Member State, including Spain, complete investigatory and sanctioning powers over businesses that provide or deploy artificial-intelligence systems. For companies operating in or selling into the EU, the practical effect is stark: from that date, regulators can inspect premises, order corrective measures, withdraw non-compliant systems from the market, and impose fines that reach €35 million or 7 % of worldwide annual turnover.

With roughly eleven weeks remaining, this article serves as a deadline-driven compliance playbook, covering the EU AI Act full enforcement obligations businesses must meet, the provider-versus-deployer allocation of duties, the high-risk classification framework, Spain-specific governance considerations, and a week-by-week action plan designed for legal teams advising clients right now.

Executive Summary, the 2 August 2026 Deadline and What It Means

Regulation (EU) 2024/1689, commonly known as the AI Act, entered into force on 1 August 2024 with a phased implementation schedule. Earlier milestones, the prohibition of unacceptable-risk AI practices (February 2025) and transparency obligations for general-purpose AI models (August 2025), are already live. The final and most consequential phase lands on 2 August 2026, when the remaining provisions take effect, most critically the full obligations for high-risk AI systems and the activation of enforcement powers for national market surveillance authorities.

For businesses, the countdown creates a single, urgent compliance decision: identify every AI system in your organisation, classify each one, and ensure that the entity responsible, provider or deployer, has the documentation, processes, and contractual safeguards in place before regulators gain the authority to act.

Five immediate actions for counsel and compliance teams:

• Complete an AI inventory cataloguing every AI system the organisation provides, deploys, or procures.
• Flag high-risk systems by cross-referencing Annex III of the AI Act with your inventory.
• Assign a compliance owner for each flagged system and open a conformity-assessment file.
• Review supplier and customer contracts to confirm whether the business is legally the provider, the deployer, or both.
• Preserve logs and technical documentation that national authorities will expect to see during any inspection.

What “Full Enforcement” Changes on 2 August 2026

Before 2 August 2026, many AI Act provisions exist on the statute book but carry limited practical enforcement risk because national authorities have not yet been granted the full suite of powers. The date marks a structural shift: market surveillance authorities in each EU Member State will be empowered to conduct proactive and reactive inspections, request access to source code and training data under specific conditions, issue binding corrective orders, and impose administrative fines at the maximum tiers set out in the regulation. The European AI Office, housed within the European Commission, coordinates cross-border enforcement and retains direct supervisory competence over general-purpose AI models under Chapter V of the Act.

The timeline below summarises the phased enforcement milestones established by Regulation (EU) 2024/1689:

Industry observers expect the initial months after 2 August 2026 to see a wave of information requests and sectoral audits rather than headline fines, but the legal exposure is immediate and there is no grace period built into the regulation.

Who Enforces the AI Act, Governance and the Spanish Dimension

Enforcement under the AI Act operates at two levels. At the EU level, the European AI Office, established within the Commission’s Directorate-General for Communications Networks, Content and Technology, coordinates application, issues guidelines, and directly supervises obligations relating to general-purpose AI models. At the national level, each Member State is required to designate one or more market surveillance authorities responsible for monitoring compliance with the full range of AI Act obligations, including high-risk AI systems deployed or placed on the market within their territory.

Spain-Specific Enforcement Roles

Spain’s national enforcement landscape for the AI Act intersects with existing supervisory structures. The Agencia Española de Protección de Datos (AEPD) has historically played a prominent role in regulating data-driven technologies and is widely expected to coordinate closely with whichever body is formally designated as Spain’s national market surveillance authority for AI. As of the date of this article, practitioners should monitor Spain’s official gazette (Boletín Oficial del Estado) and AEPD announcements for the definitive designation and any accompanying implementing regulations. Counsel advising clients in Spain should treat the national enforcement structure as evolving and ensure that compliance documentation is sufficiently robust to satisfy whichever authority ultimately exercises jurisdiction.

Early engagement with legal specialists familiar with the Spanish regulatory environment is strongly recommended.

Which AI Systems Are “High-Risk”, Definition and Sector Examples

The AI Act’s heaviest obligations attach to high-risk AI systems, defined primarily through two routes: systems that function as safety components of products already subject to EU harmonisation legislation (Annex I) and standalone systems listed in Annex III of the regulation. The latter category is where most commercial businesses will encounter classification questions. Annex III organises high-risk systems by sector, and early indications suggest that national authorities will focus enforcement attention on the categories with the most direct impact on individuals’ fundamental rights.

For each high-risk system, the responsible entity must complete a conformity assessment, maintain comprehensive technical documentation, implement a quality management system, ensure human oversight mechanisms, and register the system in the EU database before placing it on the market or putting it into service.

Core Obligations for Providers and Deployers of EU AI Act Full Enforcement Businesses

Understanding who bears which obligations under the AI Act is essential, and frequently more complex than it first appears. The regulation draws a clear distinction between the provider (the entity that develops an AI system or has it developed and places it on the market or puts it into service under its own name or trademark) and the deployer (the entity that uses an AI system under its authority, other than for purely personal, non-professional purposes). A single business may occupy both roles simultaneously, for example, a bank that builds a proprietary credit-scoring model and also uses third-party fraud-detection AI.

Provider Obligations

Providers bear the primary burden of pre-market compliance. Their obligations include conducting or commissioning a conformity assessment for each high-risk system, producing and maintaining complete technical documentation covering system design, training data, performance metrics, and known limitations, establishing a quality management system (as detailed in Article 17 of the regulation), implementing post-market monitoring processes, and issuing clear instructions of use that enable deployers to fulfil their own obligations. Providers must also affix the CE marking where applicable and register high-risk systems in the EU database before market placement.

Deployer Obligations

Deployers must ensure that high-risk AI systems are used in accordance with the provider’s instructions, implement appropriate human oversight measures (staffed by individuals with the competence, authority, and tools to override or discontinue the system), maintain input data logs for the period specified by the regulation, carry out a fundamental-rights impact assessment where required, and inform affected individuals that they are subject to a high-risk AI system. Deployers should also verify that the provider has completed a valid conformity assessment before commencing use.

Contract Allocation, a Critical Step

Where provider and deployer are separate legal entities, the allocation of responsibilities must be reflected in enforceable contractual provisions. Key clauses should address: which party performs the conformity assessment and maintains the technical file, who bears responsibility for post-market monitoring and incident reporting, indemnification for regulatory fines arising from the other party’s non-compliance, data-access and log-retention commitments, and cooperation obligations during any market surveillance investigation. Counsel should review and amend existing supplier agreements well before 2 August 2026.

Obligations by Entity Type, Comparison

EU AI Act Penalties and Enforcement Mechanics

The AI Act establishes a tiered penalty structure designed to be effective, proportionate, and dissuasive. The maximum fines reflect the severity of the infringement:

• Up to €35 million or 7 % of total worldwide annual turnover (whichever is higher), for violations involving prohibited AI practices.
• Up to €15 million or 3 % of total worldwide annual turnover, for non-compliance with the obligations for high-risk AI systems (including failure to complete conformity assessments, inadequate technical documentation, or absence of a quality management system).
• Up to €7.5 million or 1 % of total worldwide annual turnover, for supplying incorrect, incomplete, or misleading information to national authorities or notified bodies.

Beyond financial penalties, national market surveillance authorities can order the withdrawal or recall of non-compliant AI systems, impose temporary or permanent bans on market placement, and require corrective action within specified timeframes. For businesses in Spain, enforcement actions are likely to follow administrative procedures governed by both the AI Act framework and national administrative law, meaning that procedural rights (including the right to be heard and judicial review) will apply, but delays in remediation should not be assumed to provide a buffer against penalties.

Territorial Scope and Cross-Border Reach

The territorial scope of the AI Act extends well beyond the borders of the EU. The regulation applies to providers placing AI systems on the EU market or putting them into service in the EU regardless of where the provider is established, deployers physically located within the EU, and, critically, providers and deployers based in third countries where the output of the AI system is used within the EU. This means that a US-based SaaS company whose AI tool is used by a Spanish customer to screen job applicants in Madrid falls squarely within the Act’s scope, as does a recruitment platform operated from Singapore that processes applications from EU residents.

Non-EU providers must appoint an authorised representative established in the Union before placing high-risk systems on the market. Counsel advising multinational clients should map every AI touchpoint that produces an output consumed within the EU and ensure that provider-deployer contracts address cross-border allocation of obligations, data-access requirements, and cooperation with EU enforcement authorities.

Practical First Step: Build an AI Inventory

The single most effective action any business can take in the weeks remaining before full enforcement is to build a comprehensive AI inventory. This is the foundational document from which every subsequent compliance step flows: risk classification, conformity assessment scoping, contract review, human-oversight mapping, and regulator-ready documentation. The inventory should capture, at a minimum, the following fields for every AI system in use or under development:

• System name and version, including vendor / internal project identifier.
• Provider identity, the legal entity responsible for development and conformity.
• Deployer identity, the business unit or entity operating the system.
• Functionality description, what the system does, its intended purpose, and decision scope.
• Data types processed, personal data categories, special-category data, volume.
• Affected user groups, employees, customers, members of the public, vulnerable groups.
• High-risk flag, preliminary Annex III classification (yes / no / under review).
• Contract reference, link to the supplier or licence agreement governing the system.
• Conformity assessment status, not started / in progress / completed / not applicable.
• Human oversight mechanism, description of who has override authority and how it is exercised.
• Log retention, location and duration of system logs and input data.

The likely practical effect of having a complete inventory is that it accelerates every downstream compliance workstream and provides the evidence base regulators will request first in any inspection. Counsel should request that clients populate this inventory within the first week and treat it as a living document subject to ongoing updates.

Recommended 11-Week Action Plan for Spain-Based or EU-Facing Businesses

With approximately eleven weeks between the date of this article and the 2 August 2026 full enforcement deadline, the following week-by-week action plan provides a realistic remediation timetable for businesses that have not yet commenced compliance work, or that need to close significant gaps.

• Week 1, AI inventory. Complete the inventory described above. Assign an internal project lead. Circulate a board-level memo notifying senior management of the deadline and regulatory exposure.
• Weeks 2–3, Risk classification and prioritisation. Cross-reference every inventoried system against Annex III high-risk categories. Engage external counsel where classification is ambiguous. Rank systems by enforcement risk (high-risk and public-facing first).
• Weeks 4–5, Conformity assessment initiation. For each high-risk system, open a conformity-assessment file. Where the business is the provider, begin compiling technical documentation and a quality management system per Article 17. Where the business is the deployer, send formal written requests to providers for conformity-assessment evidence, technical documentation, and instructions of use.
• Weeks 6–7, Contract review and amendment. Review every AI-related supplier and customer agreement. Insert or negotiate AI Act allocation clauses covering conformity, indemnification, data access, incident reporting, and cooperation with authorities. Prioritise contracts for high-risk systems.
• Weeks 8–9, Human oversight and operational controls. Designate qualified individuals for human oversight of each high-risk system. Document override procedures, escalation paths, and competence requirements. Establish input-data log retention policies.
• Week 10, Documentation and fundamental-rights impact assessment. Finalise technical documentation files, risk-assessment records, and (where required) fundamental-rights impact assessments. Ensure all records are stored in a format and location accessible to national authorities upon request.
• Week 11, Board sign-off and EU database registration. Present the compliance package to the board or governance committee for formal sign-off. Complete EU database registration for all high-risk systems. Confirm that authorised representatives are appointed for any non-EU provider entities. Conduct a final gap check.

This timetable is demanding but achievable if resources are allocated immediately. Businesses that began earlier compliance work can compress or skip completed stages. For those starting from a standing start, the priority is to get the inventory done in week one, everything else depends on it.

Templates and Client-Ready Outputs

To support counsel advising clients through the 2 August 2026 deadline, the following templates and outputs should form part of any compliance toolkit:

• Executive client memo. A one-page summary of the deadline, key obligations, maximum penalties, and recommended next steps, suitable for circulation to board members and C-suite executives. The memo should include the five immediate actions listed in the executive summary above, tailored to the client’s sector and AI footprint.
• Provider / deployer contract clause. A short-form clause allocating AI Act responsibilities between provider and deployer, covering: conformity-assessment responsibility, technical documentation access, post-market monitoring, incident notification timelines, indemnification for regulatory fines, and cooperation with market surveillance authorities. This clause should be incorporated into new and existing AI procurement agreements.
• Deployer operational checklist. A checklist for in-house teams covering: human oversight staffing, override procedure documentation, input-data log retention, fundamental-rights impact assessment completion, and employee notification where AI systems affect workforce decisions.
• AI inventory CSV template. A downloadable spreadsheet with pre-built columns matching the inventory fields described above, ready for population by the client’s IT, legal, and procurement teams. Find a technology lawyer who can assist with completing and reviewing the inventory for regulatory readiness.

Looking Ahead, EU AI Act Full Enforcement and Businesses in Spain

The 2 August 2026 enforcement deadline is not a theoretical risk, it is an operational reality that will reshape how businesses develop, procure, and deploy AI systems across every sector. For organisations operating in or selling into Spain, the convergence of EU-level obligations and national enforcement machinery creates a compliance environment that rewards early, structured action and penalises delay. The EU AI Act full enforcement framework for businesses demands that legal teams move past awareness and into execution: inventories completed, high-risk systems classified, conformity files opened, contracts amended, and human oversight mechanisms documented and staffed. The eleven-week window is narrow, but the steps are clear.

Engaging a specialist technology lawyer now provides the best opportunity to close compliance gaps before regulators gain the full authority to act.

Sources

1. European Commission, AI Act Policy and Governance
2. EUR-Lex, Regulation (EU) 2024/1689 (Artificial Intelligence Act)
3. ArtificialIntelligenceAct.eu, Summaries and Enforcement Pages
4. European Parliamentary Think Tank, Enforcement of the AI Act
5. Simmons & Simmons, Enforcement of the EU AI Act
6. EY, The EU AI Act: What It Means for Your Business