
Preparing for EU AI Act Enforcement: A 100-Day CISO Action Plan

Target Audience: Executive Brief → CISOs, Board; Technical Report → Compliance Officers, Engineers
Category: Regulatory / Compliance (Paired Report Set recommended)
Evidence Tier: Secondary Verified (EU AI Act text, Omnibus amendments)

Executive Summary

August 2, 2026 is 100 days from this publication. On that date, the EU AI Act’s full enforcement regime begins for high-risk AI systems (Annex III) and General-Purpose AI (GPAI) providers (Chapter V). The Digital Omnibus package extended some deadlines (high-risk Annex III now December 2027, sectoral now August 2028), but critical obligations remain on August 2, 2026.

This article provides: What obligations are NOT extended (August 2, 2026) | Week-by-week 100-day action plan | Technical controls requiring implementation | Documentation requirements for audit readiness


The Omnibus Package: What Changed (and What Didn’t)

As detailed in Blog #5, the European Parliament adopted its negotiating position on the Digital Omnibus package, proposing deadline extensions.

Extended Deadlines (NOT August 2, 2026)

Obligation Category | New Deadline | Original
High-risk Annex III systems (biometrics, critical infrastructure, education, employment, law enforcement) | December 2, 2027 | August 2, 2026
EU sectoral product safety regimes (medical devices, radio equipment) | August 2, 2028 | August 2, 2026

NON-Extended Deadlines (STILL August 2, 2026) – CRITICAL

Obligation | Applies To | Penalty
GPAI provider obligations | Providers of general-purpose AI models (Chapter V) | Up to €15M or 3% turnover
Prohibited AI practices (Art. 5) | Any organization using prohibited AI | Up to €35M or 7% turnover
Transparency obligations | AI systems interacting with humans, generating content | Up to €7.5M or 1.5% turnover
Notified Body designation | Member States must have designated bodies | Not applicable to enterprises
Governance structure | AI Office, AI Board, advisory forum operational | Not applicable

IMPORTANT: Organizations that rely on the Omnibus extensions for high-risk systems may miss GPAI obligations and prohibited practices that remain enforceable on August 2. Do not treat the Omnibus package as a blanket extension.


August 2, 2026: Non-Negotiable Obligations

For GPAI Providers (Chapter V, Art. 53-55)

Obligation | Technical Implementation
Technical documentation | Downstream providers must receive model documentation (training data sources, capabilities, limitations)
Copyright compliance | Training data copyright disclosures (Art. 53(1)(c))
Training data summary | Publicly available summary of training data sources (Art. 53(1)(d))
Systemic risk assessment | Models with systemic risk (Art. 51) must perform risk assessment (Art. 55)

For Prohibited AI Systems (Art. 5)

Prohibited Practice | Deadline | What to Do
Subliminal manipulation beyond person’s awareness | August 2 | Cease use immediately
Exploitation of vulnerable groups | August 2 | Cease use immediately
Social scoring by public authorities | August 2 | Cease use immediately
Real-time biometric identification in public spaces (with narrow exceptions) | August 2 | Cease use or demonstrate exception

For Transparency Obligations

Requirement | Applies To | Implementation
Disclose AI interaction | AI systems interacting with humans | Pre-chat notification; vocal disclosure for voice
Content provenance | AI-generated deepfakes | Watermarking, metadata
Emotion recognition notification | Emotion recognition systems | Disclosure before use

100-Day Action Plan: Week by Week

Weeks 1-4: Inventory and Classification

Week | Action | Deliverable
1 | Inventory all AI systems (per Blog #6) | AI system register
2 | Classify inventory against EU AI Act categories: Prohibited (Art. 5) → High-Risk (Annex III) → Limited → Minimal | Risk classification matrix
3 | Identify GPAI models (including open-source if commercially deployed) | GPAI register
4 | Identify prohibited AI practices (if any) | Remediation plan for prohibited systems

Weeks 5-8: Remediation and Implementation

Week | Action | Deliverable
5 | Remediate prohibited AI systems (cease use or modify) | Prohibited system elimination
6 | Implement GPAI technical documentation | Documentation package for downstream providers
7 | Implement transparency controls (disclosure, watermarking) | Operational transparency mechanisms
8 | Conduct training for relevant teams | Training records

Weeks 9-12: Documentation and Testing

Week | Action | Deliverable
9 | Prepare technical documentation for high-risk systems (even if extended—start now) | Documentation ready for 2027 deadline
10 | Test transparency controls (user disclosure, watermark detection) | Test results, issue remediation
11 | Conduct internal audit of August 2 compliance | Audit report, findings
12 | Remediate audit findings | Corrective action plan

Weeks 13-14: Final Readiness

Week | Action | Deliverable
13 | Final compliance verification | Sign-off from legal/compliance
14 | Prepare enforcement response plan | Internal procedures for regulator inquiries


Technical Controls Required by August 2

For GPAI Providers

Control | Implementation | Priority
Model documentation generation | Automated documentation pipeline (model cards, data sheets) | SHALL
Copyright compliance | Training data provenance tracking | SHALL
Public summary of training data | High-level disclosure (not full dataset) | SHALL
Systemic risk monitoring | If systemic risk threshold met (Art. 51) | SHALL

For Transparency

Control | Implementation | Priority
AI disclosure | Pre-interaction notification (chat, voice, video) | SHALL
Content watermarking | Cryptographic or statistical watermarking | SHALL
Metadata embedding | C2PA, content credentials | SHOULD

Documentation Requirements

GPAI Technical Documentation (Art. 53)

Document | Content | Audience
General description | Model architecture, parameters, intended use | Downstream providers
Training data | Sources, curation methodology, copyright compliance | Regulators, providers
Evaluation results | Performance benchmarks, limitations, risks | Downstream providers
Energy consumption | Training compute, carbon emissions | Regulators, public

Transparency Documentation

Document | Content
Disclosure mechanism description | How users are informed of AI interaction
Watermarking methodology | Technical approach for content provenance
Testing results | Watermark detection rates, false positives


Enforcement Preparedness

What to Expect

Timeline | Enforcement Activity
August 2, 2026 | Member States can begin enforcement; AI Office operational
August-December 2026 | Initial enforcement likely focused on most egregious violations (prohibited AI, lack of transparency)
2027 | High-risk system enforcement begins (December 2)

Likely Enforcement Priorities (First 6 Months)

Priority | Why
Prohibited AI practices (Art. 5) | Highest penalties, clear violations
GPAI transparency (training data disclosures) | Easy to verify, many models non-compliant
Deepfake watermarking absence | High visibility, consumer protection concern

Preparing for Regulator Inquiries

Request Type | Preparation
Technical documentation access | Have documentation ready in EU official language
Training data summary | Pre-drafted public summary
Transparency mechanism demonstration | Live demo environment
Incident reports (if applicable) | Incident log, remediation evidence

📌 Notably Absent

The Omnibus package is still under negotiation (Trilogue begins April 28, 2026). Final deadlines may differ from the European Parliament’s proposed position. Organizations should monitor Trilogue outcomes but plan for the most conservative scenario (August 2 for high-risk systems) and adjust if extensions are finalized.

No EU AI Act enforcement actions have occurred as of April 2026 (enforcement begins August 2). Penalty estimates are based on GDPR analogues and EU AI Act text, not actual enforcement.


The Bottom Line: 100-Day CISO Checklist

By August 2, 2026, you must have:

# | Requirement | Status
1 | Prohibited AI systems eliminated |
2 | GPAI technical documentation ready |
3 | Training data copyright compliance documented |
4 | Transparency controls operational |
5 | Internal audit completed |

Do not wait for Omnibus finalization. Assume August 2 deadlines stand. Plan for high-risk systems under extended deadlines (December 2027) but begin documentation now.

The 100 days start today. Every week of delay increases enforcement risk.