The Deadline

August 2, 2026 — high-risk AI system requirements under Annex III come into force. Penalties up to EUR 35M or 7% of global annual turnover for serious violations. Up to EUR 15M or 3% for non-compliance with high-risk obligations.

The 35M/7% tier covers prohibited practices (Article 5) — social scoring, untargeted facial-image scraping, manipulative dark patterns. The 15M/3% tier covers operational breaches: missing technical documentation, inadequate human oversight, failure to register in the EU database. A separate 7.5M/1% tier applies to false information supplied to authorities. National enforcement is by the AI Office plus Member State market-surveillance authorities. SMEs receive proportionality consideration but are not exempt.

CRM-Relevant High-Risk Categories

Hiring and recruitment algorithms. Credit scoring. Biometric identification. Essential services access. Educational assessment. If your CRM integrates AI for any of these, you’re in scope.

Specifically: lead-scoring models that effectively gate access to financial products fall under Annex III point 5b. Voice-bot identity verification that compares biometric voiceprints falls under point 1. Service routing that determines emergency response priority falls under point 5e. Sales forecasting and email summarization remain out of scope — the test is whether the system makes consequential decisions about natural persons.

Required Practices

Conformity assessments. Lifecycle documentation. Robust risk management. Meaningful human oversight of automated decisions. Audit trails. Technical documentation. Post-market monitoring.

Articles 6-15 spell out the core obligations. Most CRM deployments use internal conformity assessment under Module A (Annex VI), no notified body required. Documentation must follow Annex IV’s twelve-section template covering intended purpose, system architecture, data governance, oversight design, accuracy metrics, and known limitations. Post-market monitoring (Article 72) requires a documented plan to collect performance data and report serious incidents within 15 days under Article 73.

Practitioner Action

Map your AI-touching workflows against Annex III categories. If any qualify, engage legal immediately. The August 2 deadline isn’t aspirational. Start the conformity work now — six months is tight for real documentation and process build-out.

Working sequence: inventory all AI systems by May; classify against Annex III by June; complete technical documentation and risk-management plans by July; register high-risk systems in the EU database (Article 71) and brief operations staff before August 2. Budget 200-400 person-hours per high-risk system for first-time conformity work. Vendors will provide some artifacts; you remain accountable as deployer for use-case-specific documentation.

Cost Considerations

Expect EUR 50K-EUR 200K in legal and consulting fees per high-risk system for initial conformity. Annual maintenance runs 20-30% of the initial cost. Cyber-insurance premiums are starting to require AI Act documentation — missing it raises premiums or voids coverage.

What to Do This Week

Schedule a 90-minute working session with legal, security, and your AI lead to produce a one-page Annex III mapping for every production AI system.
