EU flips high-risk timer
The EU put high‑risk AI compliance on a new timeline in March 2026, signaling changes to disclosure, audit, and governance deadlines and stoking debate over whether rules will be eased or reinforced for business readiness. That reset has direct implications for audit trails, provenance, and compliance-by-design requirements in enterprise GenAI stacks. (medium.com)
The Council’s mandate sets fixed new application dates: 2 December 2027 for stand‑alone high‑risk AI systems and 2 August 2028 for high‑risk AI systems embedded in products. (consilium.europa.eu) The Commission missed a 2 February 2026 deadline to publish guidance on how to determine and comply with high‑risk classifications and said it was integrating feedback ahead of a final draft expected in March/April 2026. (iapp.org) The Council text explicitly ties the delayed application to the completion of harmonised standards and tools and empowers the Commission to “stop the clock” until those standards are available, a shift the Commission had earlier framed as an adjustment of up to 16 months. (consilium.europa.eu) (euractiv.com) Providers are required under the Council position to register AI systems in the EU high‑risk database even when they consider those systems not to be high‑risk, and the Council added an obligation for the Commission to publish guidance to minimise compliance burdens for economic operators. (consilium.europa.eu) Operational requirements that will still apply include a mandatory post‑market monitoring system that must be documented as part of the technical file and a Commission template that must be adopted six months before an obligation’s entry into application. (ai-act-service-desk.ec.europa.eu) (aiact.algolia.com) Traceability requirements force platform changes: automatically generated logs must be retained for at least six months and broader technical documentation must be kept for 10 years after placing a high‑risk AI system on the market, while serious incidents must be reported within 15 days (with two‑day and ten‑day accelerations for widespread incidents or death). (ai-act-service-desk.ec.europa.eu 1) (ai-act-service-desk.ec.europa.eu 2) (ai-act-service-desk.ec.europa.eu 3) The enforcement regime remains heavy‑tailed: breaches of prohibited practices carry administrative fines up to €35,000,000 or 7% of worldwide annual turnover, and other operator obligations (including those of providers and deployers) can trigger fines up to €15,000,000 or 3% of turnover. (ai-act-service-desk.ec.europa.eu) With the Commission’s guidance and harmonised standards now gating the new dates, engineering roadmaps must map concrete platform deliverables—automated logging retention, post‑market monitoring pipelines, registration flows, and incident‑reporting hooks—against the Council’s December 2, 2027 and August 2, 2028 milestones. (consilium.europa.eu)
