EU AI Act Compliance Roadmap

The August 2, 2026 deadline

High-risk AI obligations under the EU AI Act take effect on August 2, 2026. If your organization provides or deploys a high-risk AI system in the EU on that date, the obligations in Article 16 (and the supporting articles 9-15 and 17) apply.

Penalties under the Act go up to €35 million or 7% of global annual turnover, whichever is higher, for the most serious breaches (use of prohibited AI practices). Penalties for breaches of Article 16 obligations and for non-compliance with high-risk requirements scale up to €15 million or 3% of global turnover. Penalties for supplying incorrect information to authorities scale up to €7.5 million or 1%.

This roadmap covers Article 16 obligations & gives a 90-day plan for organizations that have not yet started.

Who this roadmap is for

Providers of general-purpose AI models have separate obligations under Articles 51-55, with different timing. This roadmap focuses on Article 16 (the obligations on high-risk AI providers).

Article 16 obligations summary

Article 16 places six categories of obligation on providers of high-risk AI systems:

Quality management system

A quality management system in compliance with Article 17, covering policies, procedures, and instructions for design, development, testing, validation, & post-market monitoring.

Technical documentation

Technical documentation per Annex IV before the system is placed on the market or put into service. Coverage includes a general description of the AI system, design choices, training & testing data, validation procedures, performance metrics, risk management, & post-market monitoring plans.

Logging

Automatic recording of events ('logs') over the lifetime of the system, sufficient to ensure traceability of the system's functioning and to identify situations that may result in the AI system presenting a risk or in substantial modifications.

Conformity assessment

A conformity assessment procedure before placing the system on the market — either internal control (Annex VI) or third-party assessment (Annex VII), depending on the system's classification.

Corrective action & reporting

Immediate corrective action where a high-risk AI system is non-compliant; reporting of serious incidents to market surveillance authorities; cooperation with regulators.

Registration

Registration of the system in the EU database for high-risk AI systems before placing it on the market or putting it into service.

Articles 9-15 and 17 spell out the substantive requirements (risk management, data and data governance, technical documentation, record-keeping, transparency, human oversight, accuracy/robustness/cybersecurity, and quality management) that the Article 16 obligations require providers to meet.

90-day roadmap for late starters

This roadmap assumes a provider with a high-risk AI system already deployed (or near-deployed) and no formal Article 16 program in place. It targets a defensible position by August 2, 2026 — not a perfect program. Where the gap is large, the priority is producing the artifacts the Act requires; perfection comes in the months after.

Days 1-30: Inventory and gap

Identify in-scope systems. List every AI system that may fall under Annex III. For each, classify provider vs. deployer, intended purpose, and EU market exposure.

Designate the accountable owner. Name an accountable executive for EU AI Act compliance and form an AI governance committee with cross-functional representation.

Run an Article 16 gap assessment. For each in-scope system, score against the six Article 16 obligation categories and against Articles 9-15 and 17. Identify the top three gaps to close.

Stand up the logging architecture. If logs do not yet capture inputs, outputs, decisions, and exceptions sufficient for traceability, this is the longest-lead-time work; start in week one.

Engage a conformity assessment partner if the system requires third-party assessment. Notified bodies have a queue.

Technical documentation per Annex IV. Draft the documentation for each in-scope system. Annex IV is the canonical structure.

Quality management system per Article 17. Document policies, procedures, and instructions. Where ISO/IEC 42001 or ISO 9001 already exists, extend rather than replace.

Risk management documentation per Article 9. Risk identification, risk analysis, risk evaluation, risk treatment, residual risk acceptance.

Data governance per Article 10. Training, validation, and test data quality requirements; bias detection; data lineage.

Human oversight per Article 14. Operator interfaces, override capabilities, training for human overseers.

Internal validation against the documentation. Tabletop exercise of the technical documentation, the QMS, and the incident response plan.

Conformity assessment. Internal control (Annex VI) or third-party (Annex VII) — whichever applies.

EU database registration. Register the high-risk AI system in the EU database before market placement.

Executive sign-off. Accountable executive signs the Article 16 readiness pack.

Post-market monitoring activated. Article 17 obligations continue beyond launch — monitoring metrics, incident reporting workflow, corrective action register.
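As an added illustration (not code from the original page or from any vendor), the two long-lead-time pieces of the roadmap above in one Python sketch: the traceability log from the "Stand up the logging architecture" step, hash-chained so later review can show it was not altered, and a simple post-market monitoring pass from the final step that flags situations that may present a risk. The record fields, the system id and the rate thresholds are assumptions, not values from the Act.

```python
import hashlib
import json
from datetime import datetime, timezone
GENESIS = "0" * 64  # chain anchor for the first record

def _digest(body):
    # Canonical JSON so the same record always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class TraceLog:
    """Append-only, hash-chained log of one high-risk AI system's events (constructed example)."""
    def __init__(self, system_id, model_version):
        self.system_id, self.model_version, self.events = system_id, model_version, []
    def record(self, event, input_ref, output=None, human_override=False, exception=None):
        body = {
            "seq": len(self.events),
            "ts": datetime.now(timezone.utc).isoformat(),
            "system_id": self.system_id,
            "model_version": self.model_version,  # a change here is a candidate substantial modification
            "event": event,                        # "decision" or "model_update" in this example
            "input_ref": input_ref,                # reference to the input, not the raw personal data
            "output": output,
            "human_override": human_override,
            "exception": exception,
            "prev_hash": self.events[-1]["hash"] if self.events else GENESIS,
        }
        self.events.append({**body, "hash": _digest(body)})
        return self.events[-1]["hash"]
    def verify_chain(self):
        """True if no record was altered, dropped or reordered since it was written."""
        prev = GENESIS
        for e in self.events:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def risk_signals(events, max_exception_rate=0.05, max_override_rate=0.20):
    """Post-market monitoring pass over the log; thresholds are constructed, not from the Act."""
    decisions = [e for e in events if e["event"] == "decision"]
    signals = []
    if decisions and sum(bool(e["exception"]) for e in decisions) / len(decisions) > max_exception_rate:
        signals.append("exception_rate_exceeded")
    if decisions and sum(e["human_override"] for e in decisions) / len(decisions) > max_override_rate:
        signals.append("override_rate_exceeded")
    if len({e["model_version"] for e in events}) > 1:
        signals.append("model_version_changed")  # review whether this is a substantial modification
    return signals
```

Each signal is an input to the corrective action register, not a conclusion; a human reviewer decides whether the flagged situation is a risk or a substantial modification.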

Penalties

Breach: Maximum penalty
Use of prohibited AI practices: up to €35 million or 7% of global annual turnover, whichever is higher
Breach of Article 16 obligations or non-compliance with high-risk requirements: up to €15 million or 3% of global annual turnover
Supplying incorrect information to authorities: up to €7.5 million or 1% of global annual turnover

SMEs and startups have proportionate caps under Article 99. Member states implement the penalties; some divergence in enforcement intensity is expected during the first year.

Mapping to other frameworks

Article 16 obligations overlap meaningfully with:

ISO/IEC 42001

Overlaps most heavily on quality management, risk, & lifecycle. Implementing ISO 42001 produces a substantial portion of the evidence Article 16 requires.

NIST AI RMF

The four functions (Govern, Map, Measure, Manage) cover the substantive requirements behind Article 16.

OWASP LLM Top 10

Relevant where the high-risk system uses LLMs; supports the cybersecurity obligations under Article 15.

Provider vs. deployer distinction

The EU AI Act distinguishes providers (those who develop a high-risk AI system or place it on the market under their own name) from deployers (those who use a high-risk AI system under their authority). The obligations are different, and getting the classification wrong is a common early mistake.

Providers carry the full Article 16 obligation set: quality management, technical documentation, logging, conformity assessment, corrective action, registration. Providers are also responsible for post-market monitoring under Article 17.

Deployers have lighter but non-trivial obligations under Article 26, including using the system in accordance with its instructions for use, ensuring human oversight, monitoring its operation, and notifying the provider of risks or incidents. Deployers in the public sector or in specific high-risk contexts have additional obligations.

Some organizations are both — they deploy an externally-developed system internally while providing a downstream system to customers. Map your AI portfolio carefully; the obligation set differs by system, not by organization.

Article 16 in plain English

If you provide a high-risk AI system, you must: run a quality management system (Article 17); produce Annex IV technical documentation before the system is placed on the market; keep automatic logs over the system's lifetime; complete a conformity assessment (Annex VI or Annex VII); take corrective action, report serious incidents, and cooperate with authorities; and register the system in the EU database.

Each obligation links to the substantive requirements in Articles 9-15: risk management, data & data governance, technical documentation, record-keeping, transparency to deployers, human oversight, accuracy / robustness / cybersecurity. The obligations are the entry points; the substantive requirements are what compliance looks like in practice.

What we recommend doing in the next 60 days

If you are reading this guide and have not yet started:

Inventory in-scope systems within 14 days. Provider vs. deployer for each. Annex III classification.

Designate the accountable executive and AI governance committee within 30 days.

Run the Article 16 gap assessment within 45 days.

Stand up the logging architecture project within 60 days. This is the longest-lead-time work; start it before the rest.

Engage a notified body for any system requiring third-party conformity assessment within 60 days. Queue depth is real.

The August 2, 2026 deadline is short. Programs that are not in motion by mid-2026 are unlikely to reach a defensible position by the deadline.

FAQ

What systems are 'high-risk' under the Act?
High-risk AI systems are listed in Annex III and include AI used in employment (recruitment, performance), education, critical infrastructure, law enforcement, justice, migration, biometrics, and certain product safety components. Some AI systems are high-risk by virtue of being safety components in regulated products. The classification is system-specific; document your assessment.

Does the Act apply to organizations established outside the EU?
If you place a high-risk AI system on the EU market or put it into service in the EU, the Act applies regardless of where you are established. Deployers established outside the EU may also fall in scope where the AI system's output is used in the EU. Get legal advice on your specific deployment topology.

What are the penalties for breaching Article 16?
Up to €15M or 3% of global annual turnover for breaches of Article 16 obligations. Member states will phase in enforcement intensity, but the legal exposure starts on August 2, 2026 for high-risk system obligations.

Does everything take effect on August 2, 2026?
No. The Act has a phased rollout. Prohibited practices (Article 5) became enforceable in February 2025. General-purpose AI model obligations have their own timing under Articles 51-55. Most high-risk obligations land on August 2, 2026, with some product-embedded high-risk systems following later. Confirm the timing for your specific systems.

Do we need a notified body?
Some high-risk systems require third-party conformity assessment via a notified body (Annex VII); others can self-assess via internal control (Annex VI). The classification depends on the system. If yours requires third-party assessment, engage early — queues are real.