
The EU AI Act and large enterprises: 2026 timeline, obligations and sanctions
Practical update on application deadlines and obligations for high-risk systems, notably in financial and legal services.
2026 marks full application of AI Act obligations for high-risk systems. For large enterprises, notably in finance, insurance and legal services, this means effectively deploying a risk management system, complete technical documentation and a proportionate human oversight mechanism.
Sanctions reach €35m or 7% of global
Sanctions reach €35m or 7% of global turnover for the most serious breaches. Beyond the amount, the burden of proof is the real weight: the business must demonstrate, at any moment, the conformity of its systems, the quality of training data and the robustness of evaluations.
Sanctions reach €35m or 7% of global turnover for the most serious breaches.
Three workstreams structure 2026 compliance
Three workstreams structure 2026 compliance: inventorying systems used (including those supplied by third parties), qualifying their risk level under the AI Act, and articulating governance with existing frameworks (GDPR, DORA, NIS2). A siloed approach mechanically leads to non-compliance.
Key takeaways
- 01For large enterprises, notably in finance, insurance and legal services, this means effectively deploying a risk management system, complete technical documentation and a proportionate human oversight mechanism.
- 02Beyond the amount, the burden of proof is the real weight: the business must demonstrate, at any moment, the conformity of its systems, the quality of training data and the robustness of evaluations.
- 03A siloed approach mechanically leads to non-compliance.
Published on
20 May 2026
Section
Regulation
Rackham Limited
Take this further
A confidential conversation with the Rackham team to translate these questions into your organisation.
Start the conversation →Related articles
Continue reading →
Law & AI
Google's agentic AI and legal liability: who bears the risk when the agent gets it wrong?
Google's new AI agents (I/O 2026) act without direct human supervision. What liability chain applies to the business that deploys them?

Compliance
AI Overviews in Europe: compliance, IP and the risk of misinformation
As Google's AI summaries roll out in France, what obligations apply to businesses embedding these tools in their processes?

Data & AI
Gemini Omni and sensitive data governance: when multimodal AI crosses boundaries
Gemini's ability to process text, image, audio and video in a single flow raises questions of data classification and protection.