The EU AI Act after 2 August 2026: what changes, what's already here

18 May 2026 · Skarpix

If you've been reading AI Act coverage in the trade press, you've probably seen "the AI Act takes effect in August 2026" cited as a single deadline. That phrasing is misleading. The AI Act phases its obligations across at least seven major dates between 1 August 2024 and 31 December 2030, and a lot of the regulation is already binding on Nordic businesses today.

This article walks the timeline as it actually applies, with a focus on what Nordic SMBs deploying or providing AI need to do before 2 August 2026, and what's already required regardless of the August date.

The timeline so far

  • 1 August 2024: The AI Act entered into force. No substantive obligations applied yet, but the clock started.
  • 2 February 2025: Prohibited AI practices (Article 5) became enforceable. Social scoring, manipulative subliminal techniques, real-time biometric identification in public spaces (with narrow law-enforcement exceptions), and workplace and education emotion recognition are now banned with fines up to €35 million or 7% of global turnover. AI literacy obligations (Article 4) also became applicable: every provider and deployer must ensure that staff who operate AI systems understand them well enough to do so safely.
  • 2 August 2025: General-purpose AI (GPAI) model obligations under Chapter V kicked in. This includes transparency requirements, copyright compliance policies, and, for the largest GPAI models with systemic risk, additional evaluation and reporting requirements. Member states were also required to designate national competent authorities by this date.
  • 1 January 2026: Finland became the first member state with fully operational national-level AI Act enforcement powers. Other member states have followed at different paces.

The big one is still ahead.

What changes on 2 August 2026

The bulk of the remaining obligations, including most of the high-risk AI system regime, become applicable on 2 August 2026. This is the single most operationally demanding date in the AI Act calendar.

A "high-risk AI system" is defined by Article 6 and Annex III. The categories include AI used in:

  • Biometrics (where not prohibited under Article 5)
  • Critical infrastructure
  • Education and vocational training
  • Employment, workers' management, and access to self-employment
  • Access to essential services (credit scoring, public benefits, emergency services)
  • Law enforcement
  • Migration, asylum, and border control
  • Administration of justice and democratic processes

If you provide or deploy an AI system that falls into one of these categories, from 2 August 2026 you need to have in place: a documented risk management system, data governance covering training/validation/test data quality, technical documentation per Annex IV, automatic logging of operations, transparency for deployers, human oversight mechanisms, accuracy/robustness/cybersecurity safeguards, and, for providers, a conformity assessment plus CE marking before placing the system on the market.

There's one important asterisk: the obligations attached to Article 6(1), which classifies AI systems as high-risk by virtue of being safety components of products already regulated under EU harmonisation legislation (Annex I), are deferred to 2 August 2027.

The provider/deployer asymmetry

The AI Act distributes obligations unevenly between providers (who develop and put AI systems on the market) and deployers (who use them). For an SMB, you're almost certainly a deployer, possibly also a provider if you build your own systems on top of foundation models.

Deployer obligations are lighter but real: use the system according to the provider's instructions, ensure human oversight, monitor for malfunctions and report them, log operations (where the deployer controls logging), and conduct a fundamental rights impact assessment (FRIA) for high-risk uses in certain sectors.

Provider obligations are the heavy lift: the full conformity assessment, technical documentation, post-market monitoring, EU database registration, and so on.

If you fine-tune a GPAI model or "substantially modify" an AI system in a way that changes its intended purpose or risk profile, you may inherit provider obligations even for a system you didn't originally build. This is one of the most operationally fiddly parts of the act for downstream SMBs.

What to do before 2 August

If you're a Nordic SMB using or building AI, the short list before the August deadline:

  1. Inventory your AI systems. Every AI system you provide or deploy needs a clear answer to three questions: what is its intended purpose, which risk tier does it fall into, and are you the provider, the deployer, or both? An "AI register" doesn't need to be heavy; a one-row-per-system spreadsheet is enough at SMB scale.
  2. Re-check the prohibited practices. These have been enforceable since February 2025. Re-running this check is cheap and the downside of getting it wrong is severe.
  3. Run AI literacy training. Article 4 is broad and under-discussed. Many SMBs have staff using AI tools (coding assistants, content generation, customer support automation) with no formal training. A short structured session annually is a low-cost compliance baseline.
  4. For each high-risk system, build the documentation backbone. Risk management system, data governance summary, human-oversight design, logging plan. Provider obligations are heavier but every deployer also needs to be able to describe how oversight works.
  5. Check the GDPR overlap. Most AI systems processing personal data trigger both the AI Act and GDPR. Where both apply, both require impact assessments: under the AI Act, a FRIA; under GDPR, a Data Protection Impact Assessment. These can be consolidated but the legal frameworks are distinct.

AI Act ≠ GDPR

A persistent confusion in early AI Act coverage is treating it as "GDPR for AI." The two regulations layer rather than substitute. GDPR still applies to AI systems processing personal data; the AI Act adds requirements regardless of whether personal data is involved. A high-risk credit-scoring system processes personal data and is subject to both. A high-risk infrastructure-monitoring system may not process personal data at all but still falls under the AI Act.

Both regulations use the €35 million / percentage-of-turnover penalty structure, but the AI Act's percentage cap is 7%, higher than GDPR's 4%. AI Act fines are deliberately calibrated to bite.

How Skarpix can help

Skarpix's EU AI Act assessment walks you through the inventory, classification, and gap analysis steps for both provider and deployer roles. It produces a PDF report that can serve as the seed document for your AI register and as evidence for customer due diligence.

Start the AI Act assessment or read more at /ai-act.