Commission shifts high-risk dates while August 2026 transparency obligations remain in focus
Editorial disclosure: This report was prepared with AI assistance and reviewed against the European Commission’s primary-source materials by the ZiaSign editorial team.
The European Commission says a political agreement reached on May 7, 2026 changes the implementation sequence for parts of the EU AI Act. Under the timeline described by the Commission, rules for AI systems used in certain high-risk areas—including biometrics, critical infrastructure, education, employment, migration, asylum, and border control—will apply from December 2, 2027. Rules for high-risk systems integrated into regulated products such as lifts or toys will apply from August 2, 2028.
At the same time, the Commission’s AI Act overview continues to identify August 2026 as the start of the Act’s transparency rules. For legal, procurement, privacy, and AI-governance teams, that means the headline is not “compliance has been postponed.” The dates and obligations now need to be separated carefully by system category and role.
| Milestone | Commission’s current description | Contract-team implication |
|---|---|---|
| February 2, 2025 | Prohibited-practice and AI-literacy obligations began applying | Existing vendor controls should already address prohibited uses and responsible user training |
| August 2, 2025 | Governance rules and obligations for general-purpose AI models began applying | Customers need evidence and cooperation clauses from relevant model providers and downstream vendors |
| August 2026 | Transparency rules come into effect | Contracts should allocate responsibility for notices, machine-interaction disclosure, and marking or labelling covered AI-generated content |
| December 2, 2027 | Commission says rules for systems in certain high-risk areas will apply under the political agreement | Buyers and vendors gain transition time, but should use it to validate classification, documentation, controls, and audit evidence |
| August 2, 2028 | Commission says product-integrated high-risk rules will apply | Product manufacturers and embedded-AI suppliers need a longer conformity and evidence roadmap |
The legal position depends on the final applicable legislation, the system’s classification, and each party’s role. Businesses should verify the latest official text and obtain legal advice rather than relying on a summary or a contract template alone.
The Commission’s current AI Act overview says the transparency rules come into effect in August 2026. These rules address situations where people should know that they are interacting with AI and where certain AI-generated or manipulated content requires disclosure or labelling.
This matters for contracts because transparency is rarely controlled by one party. A model provider may supply technical signals; an application vendor may design the user experience; and a customer may determine the deployment context and final communication to users. If the agreement simply says “vendor will comply with the AI Act,” the operational handoffs can remain undefined.
A better contract identifies who must:
Require the vendor to describe the system’s intended purpose, deployment limitations, model dependencies, and known classification assumptions. The agreement should require notice before a change that could alter the system’s regulatory classification or risk profile.
Do not assume “vendor” and “customer” map neatly to statutory roles. State which party performs each operational responsibility and require cooperation if facts later change the legal role allocation.
Define responsibility for chatbot notices, synthetic-content marking, deepfake disclosures, user-facing explanations, and evidence that required notices were presented. Include acceptance criteria for the relevant product surfaces.
Set a schedule for technical documentation, instructions for use, model or system cards where relevant, risk records, testing summaries, logging capabilities, and supporting evidence required for audits or regulator requests.
AI products can change through model swaps, fine-tuning, retrieval updates, safety-policy changes, and new subprocessors. Require advance notice for material changes and a reassessment path when the change affects intended purpose, accuracy, oversight, data use, or transparency.
Specify which party creates and retains logs, how long they are available, what identifiers are included, and how logs can be exported for investigations. Logging obligations should be reconciled with privacy, security, confidentiality, and data-minimisation requirements.
Document where human review is mandatory, who has authority to pause or override the system, and how high-impact or anomalous outcomes are escalated. Contractual service levels should never turn a missed review deadline into automatic approval.
Define notification windows, severity criteria, evidence preservation, root-cause support, and responsibility for regulator communications. Avoid wording that prevents either party from meeting a mandatory reporting deadline.
Require visibility into critical upstream providers and flow down the controls needed to support the customer’s obligations. Address what happens when an upstream model, hosting provider, or training-data practice changes materially.
Include a remediation process, suspension rights for material compliance risk, transition assistance, evidence export, and termination rights where the system cannot lawfully or safely be used for the contracted purpose.
The transition should be used to improve evidence and operating controls—not to pause preparation.
ZiaSign’s earlier EU AI Act vendor contract checklist provides a broad clause-review framework. This report addresses the new timeline information and the immediate distinction between August 2026 transparency duties and later high-risk dates described by the Commission.
Teams using the earlier checklist should refresh its deadline assumptions while retaining the underlying controls for documentation, human oversight, auditability, incident response, and change management.
This report summarises public regulatory information for operational planning. It is not legal advice. Verify the final applicable legal text, guidance, system classification, and jurisdiction with qualified counsel.
EU AI Act enforcement begins in 2026. Learn how to update vendor AI clauses quickly using compliant workflows, AI-powered CLM, and e-signatures.
As the EU AI Act takes effect, legal teams using AI for contract review face new compliance and enforceability risks. Learn how to adapt safely.