Back to journal
Regulation20 May 20262 min read

The EU AI Act and large enterprises: 2026 timeline, obligations and sanctions

Practical update on application deadlines and obligations for high-risk systems, notably in financial and legal services.

2026 marks full application of AI Act obligations for high-risk systems. For large enterprises, notably in finance, insurance and legal services, this means effectively deploying a risk management system, complete technical documentation and a proportionate human oversight mechanism.

02

Sanctions reach €35m or 7% of global

Sanctions reach €35m or 7% of global turnover for the most serious breaches. Beyond the amount, the burden of proof is the real weight: the business must demonstrate, at any moment, the conformity of its systems, the quality of training data and the robustness of evaluations.

Sanctions reach €35m or 7% of global turnover for the most serious breaches.

03

Three workstreams structure 2026 compliance

Three workstreams structure 2026 compliance: inventorying systems used (including those supplied by third parties), qualifying their risk level under the AI Act, and articulating governance with existing frameworks (GDPR, DORA, NIS2). A siloed approach mechanically leads to non-compliance.

Key takeaways

  • 01For large enterprises, notably in finance, insurance and legal services, this means effectively deploying a risk management system, complete technical documentation and a proportionate human oversight mechanism.
  • 02Beyond the amount, the burden of proof is the real weight: the business must demonstrate, at any moment, the conformity of its systems, the quality of training data and the robustness of evaluations.
  • 03A siloed approach mechanically leads to non-compliance.

Published on

20 May 2026

Section

Regulation

Signed

Gérald Faure

Rackham Limited — Dublin office

Rackham Limited

Take this further

A confidential conversation with the Rackham team to translate these questions into your organisation.

Start the conversation