August 2, 2026 is when the full suite of obligations for high-risk AI systems under
Annex III of the EU AI Act becomes enforceable, including for systems placed on the market before that date ([artificialintelligenceact.eu/implementation-timeline](https://artificialintelligenceact.eu/implementation-timeline/), [EU AI Act FAQ](https://ai-act-service-desk.ec.europa.eu/en/faq)). If you're an Indian software vendor selling AI-enabled products into EU clients — even one EU customer counts — that deadline is your deadline. The Commission's proposed Digital Omnibus may push some categories to December 2027, but no formal extension has been adopted as of May 2026. Plan to August.
- Aug 2, 2026: Annex III full enforcement
- 8: Annex III high-risk categories
- €35M / 7%: max fine for prohibited-AI violation (higher of)
- €15M / 3%: max fine for high-risk non-compliance (higher of)
## TL;DR — the action
If your product does any of the following: employment screening / HR / candidate ranking, education access / grading, credit scoring, biometric identification, critical-infra control, law-enforcement support, migration triage, or justice / democracy — you're high-risk under Annex III. You need: a technical documentation pack (Annex IV), a risk management system, data governance evidence, human-oversight design, conformity assessment, and an EU representative. Most Indian B2B vendors can ship the documentation in 6-10 weeks if they start now.
## Why this matters now
You're 12 weeks from August 2. Two pressures combine. First, your EU customers are starting to ask for documentation as part of their
deployer obligations — they cannot legally use your high-risk AI without your evidence that the system is conformity-assessed. Second, the EU AI Office is staffing up enforcement; the first published fines are expected in Q4 2026. Fast-followers in late 2026 will pay more for the same compliance work; you can lock it in cheaper now.
## The 8 Annex III categories — which one applies to you?
- 👥 Employment / HR: AI for recruitment, candidate ranking, performance evaluation, task allocation, termination decisions. The most common Annex III hit for Indian SaaS vendors — even an "AI-powered candidate sourcing" feature qualifies.
- 🎓 Education / Vocational Training: AI for admissions, learning-outcome assessment, level-of-education assignment, exam monitoring (proctoring). Indian ed-tech B2B sales to EU schools/universities trip this constantly.
- 💰 Essential Services / Credit: AI for credit scoring, insurance risk pricing, emergency service dispatch, eligibility for public benefits. Indian credit-decisioning vendors selling to EU NBFCs / lenders.
- 🪪 Biometrics: Remote biometric identification, biometric categorisation by protected characteristic, emotion recognition. Indian face-auth and voice-auth vendors selling to EU enterprise.
- 🏭 Critical Infrastructure: Safety components in road traffic, water, gas, electricity, digital infrastructure. Includes some industrial-IoT vendors.
- ⚖️ Law Enforcement / Justice / Migration / Democracy: Less common for Indian B2B SaaS vendors, but if you do anything for EU public-sector buyers in these spaces, you're in scope.
If none of these apply, your AI system is "limited-risk" (transparency obligations only — e.g., "user must know they're talking to a chatbot") or "minimal-risk" (no specific obligations). Most Indian B2B AI tools fall into limited-risk; the painful, document-heavy obligations only apply to Annex III high-risk.
## The documentation pack EU buyers will ask for
This is the Annex IV technical documentation, in plain English. Six items.
### 1. System description
- What does the AI system do, in concrete terms?
- The intended purpose, foreseeable use cases, and explicitly excluded uses.
- The version, training date range, and deployment architecture.
- Key inputs, outputs, performance metrics.
Target: 4-8 pages. Most Indian vendors have ~30% of this in their product docs already.
### 2. Design specifications and architecture
- High-level architecture diagram showing the data flow, model components, integration points.
- The algorithmic choices (e.g., "transformer-based classifier with 220M params") with justification.
- The "model card" — performance across demographic slices, known limitations.
- Risk-management lifecycle showing how risks identified during design were mitigated.
### 3. Data governance evidence
- Provenance of training data (sources, licenses, dates).
- Data quality measures (deduplication, bias checks, completeness analysis).
- Demographic representativeness analysis where applicable (especially for HR, education, credit, biometric systems).
- Data minimisation and retention rules.
This is where most teams stumble. The EU AI Act expects you to demonstrate representativeness — not assert it. Plan for a 1-2 week data audit.
### 4. Human oversight design
- How a human reviewer can intervene in the system's decisions.
- The UI elements that show the user "this is an AI output."
- The escalation path when the AI fails or is uncertain.
- Training material for the customer's staff who will operate it.
For an HR-screening product: this is "the customer's recruiter must be able to override an AI ranking and document the reason." For a credit-decisioning product: "the loan officer reviews and approves every AI-recommended decision; full reasoning trail logged."
### 5. Accuracy, robustness, cybersecurity
- Test results across realistic conditions (edge cases, adversarial inputs, distribution shift).
- Security measures protecting the model from poisoning, evasion, model extraction.
- Resilience plan if a critical component fails.
### 6. Post-market monitoring plan
- How you'll measure real-world performance after deployment.
- The metrics you'll track for drift, bias, accuracy degradation.
- The incident reporting process (you'll have to report serious incidents to authorities within 15 days).
## What the conformity assessment route looks like
For Annex III high-risk systems, you have two paths.
Path 1: Internal control (self-assessment). Available for most Annex III categories where the manufacturer (you) declares conformity based on internal evidence. Cheaper, faster — but the burden is on your documentation quality.
Path 2: Third-party assessment (notified body). Required for biometric identification systems and a few other categories. Slower, more expensive — but your buyer gets stronger assurance.
For most Indian B2B SaaS vendors with HR, education, or credit AI: Path 1 (internal control) is available and standard. The cost difference is roughly €15-50k (self-assessment with EU lawyer review) vs. €60-150k (third-party assessment with notified body).
## The 12-week readiness plan
- Week 1-2: Scoping — which of your AI features are Annex III? Which are limited-risk? Which are minimal? Write a 1-page determination memo per feature.
- Week 3-4: Risk management — set up the risk register, identify foreseeable misuse, document the mitigations.
- Week 5-7: Data governance — audit training data provenance, run representativeness analysis, fix the gaps.
- Week 8-9: Technical documentation pack — write the Annex IV docs against a template (we use the one from the EU AI Act service desk).
- Week 10: Human oversight design and customer training material.
- Week 11: Post-market monitoring plan, incident response runbook.
- Week 12: Internal conformity assessment, EU representative appointment, CE marking (for products where it applies), buyer-facing one-pager.
## A comparison: where you sit relative to obligations
| Your system | Annex III risk class | Compliance burden | Typical cost (Indian vendor, 2026) |
|---|---|---|---|
| AI candidate ranking for EU recruiters | High (employment) | Full Annex IV docs + internal CA | ₹18-35 lakh |
| AI grading for EU university | High (education) | Full Annex IV docs + internal CA | ₹18-35 lakh |
| AI chatbot for EU retail (no decisions) | Limited | Transparency disclosure only | ₹1-3 lakh |
| AI content recommendation for EU media | Limited | Transparency disclosure only | ₹1-3 lakh |
| AI face-auth for EU bank | High + notified body | Full Annex IV + 3rd-party CA | ₹60 lakh - ₹1.2 crore |
| AI translation for EU SMB customer | Minimal | None specific | ₹0 |
## The EU representative requirement
If you don't have an EU establishment, you must appoint an
authorised representative in the EU for AI Act purposes — a designated person/entity that interfaces with EU authorities on your behalf. Cost typically €4-12k/year through a law firm or specialist service provider. Required for high-risk systems; recommended for limited-risk if you sell B2B in regulated industries (finance, healthcare, public sector).
## The cheap path to readiness
You don't need a Big-4 consulting engagement at €200-500k. Here's the lean stack we use for Indian B2B vendors:
1. Use the EU AI Act service desk templates — they publish official Annex IV documentation templates, free.
2. Hire one EU-qualified data protection lawyer for 8-15 hours of review — €1,500-3,000 total. They flag what your internal documentation misses.
3. Appoint an EU representative through a specialist — ICLP, AI Compliance Lab, Bird & Bird's monitored service. €4-12k/year.
4. Run an internal red-team exercise on bias and adversarial robustness — 2 engineer-weeks. Cheaper than buying tools.
5. Set up post-market monitoring with your existing observability stack — Datadog/Grafana plus a weekly review cadence. Don't buy a separate "AI monitoring" tool unless your scale demands it.
Total realistic budget for a 50-100-person Indian B2B SaaS vendor with 2-3 Annex III systems:
₹18-35 lakh for the first time through. Subsequent products: ~30% of that, because the templates and processes carry over.
Counter-example — when not to do all of this: if you have zero EU customers and zero plans to sell into the EU for the next 18 months, you're not in scope. The AI Act applies to systems placed on the EU market or used in the EU. If your buyer base is India + US only, monitor the regulation but don't build the documentation pack yet.
## Common mistakes Indian vendors make
### "We'll let our customer (the deployer) handle the documentation"
You can't. Article 11 obligations sit squarely on the
provider (you) — not the deployer. EU customers' procurement teams are starting to reject vendors who say "you handle the AI Act paperwork on your side." That answer ends the sale.
### Treating GDPR documentation as sufficient
It isn't. GDPR is about personal data; the AI Act is about AI system integrity, accuracy, oversight. There's overlap (data governance, lawful basis) but the AI Act asks for things GDPR doesn't — performance across demographic slices, adversarial testing, post-market monitoring. Map the overlap; fill the gap.
### Waiting for the August 2 deadline to start
Procurement cycles in EU enterprises run 3-6 months. If you can't show a buyer the Annex IV docs in June 2026, you'll lose the August renewal. Start now to capture summer deal cycles.
## Real example — a Bengaluru HR-tech vendor's path
A 65-person Bengaluru HR-tech firm (~₹40 crore ARR, ~30% EU revenue) asked us to scope their AI Act readiness in March 2026. Their AI features: candidate ranking, interview transcription with sentiment scoring, "fit prediction" model. All clearly Annex III (employment). We ran a 9-week engagement: scope memo, risk register, data audit (caught a representativeness gap in their training set — they over-indexed on tech roles; we re-balanced), Annex IV documentation in their tone, customer-facing one-pager. Total cost to them: ₹22 lakh including the EU representative for year 1. Closed two delayed EU deals worth ~€480k ARR that had been blocked on "we need your AI Act compliance evidence."
## FAQ
### How does the EU AI Act apply to me if I'm an Indian vendor with no EU office?
The Act applies based on where the AI system is
placed on the market or used — not where your company is incorporated. One EU customer is enough to bring you in scope. The Act explicitly addresses "providers and deployers from third countries" (Article 2) and requires the EU authorised representative for non-EU providers of high-risk systems.
### What if I have only one EU customer for an Annex III system?
You're in scope. The Act doesn't have a "small volume" exemption for high-risk systems. The minimum viable compliance — internal documentation, EU representative, transparent disclosure — must be in place. Some Indian vendors decide that one EU customer isn't worth the ~₹18-35 lakh cost and exit the EU market. That's a legitimate strategic call.
### Does an open-source LLM I integrate into my product count?
If you integrate a general-purpose AI model and your product as a whole is Annex III, your product is the regulated system — not the upstream model. You inherit some documentation from the upstream provider (they have their own obligations from August 2, 2025), but you carry the application-level burden.
### What's the difference between "limited risk" and "high risk"?
High-risk (Annex III): mostly decisions about people in employment, education, credit, biometrics, critical infra, etc. Limited risk: AI that interacts with humans but doesn't make consequential decisions about them (chatbots, content generation tools, deepfake-adjacent). Limited-risk obligations are mostly transparency: tell the user it's AI; label AI-generated content; disclose use of emotion recognition.
### Will the August 2 deadline actually slip?
Maybe. The Commission's Digital Omnibus proposal (late 2025) suggested pushing some categories to December 2027, and the European Parliament voted in favour of delay. As of May 2026, no formal Council adoption. Don't bet your roadmap on the slip. The serious enforcement window opens within 2026 even if specific categories slide.
### Are there cheaper ways to get the EU representative?
Yes. Specialised AI-Act-rep services (€4-12k/year) versus full law-firm representation (€20-50k/year). For most Indian SMB vendors, the specialised service is fine for the first 2-3 years — switch to law-firm rep when you start receiving regulator queries.
### What happens at year 2 — is this an annual cost?
The Annex IV documentation needs
updates when your system changes substantively. The post-market monitoring runs continuously. The EU representative is an annual fee. Realistic year-2+ cost for the same vendor: ~30% of the year-1 cost — call it ₹6-12 lakh/year ongoing.
For our founder's running commentary on EU AI Act readiness for Indian software vendors, including a couple of in-flight engagements, see [Vivek Singh's blog](https://viveksinra.com/blog).