“EU AI Act 2026: a technical checklist for Spanish CTOs”

Key takeaways

  • 2 August 2026 activates Annex III (high-risk), Article 50 (transparency), Commission enforcement powers over GPAI, and the general penalty regime — no official extension confirmed.
  • The first step is classifying every system into one of four buckets: prohibited / high-risk / GPAI / minimal. Classification drives everything else.
  • A high-risk system requires technical documentation (Annex IV), quality management, documented human oversight, log retention, and an EU declaration of conformity before market.
  • Transparency (Art. 50) also applies outside high-risk: chatbots labelled as such, synthetic content marked, deepfakes disclosed, classification or emotion-recognition systems notified.
  • Penalties reach 7 % of global turnover for prohibited practices and 3 % for high-risk obligation breaches. GPAI breaches can reach €15 M or 3 % of turnover.

Calendar: what enters into force on 2 August 2026

Regulation (EU) 2024/1689 has been in force since 1 August 2024 with staggered application. Key dates for a 2026 CTO:

  • 2 February 2025 (past): prohibited practices (Art. 5) and AI literacy obligations (Art. 4).
  • 2 August 2025 (past): GPAI obligations, governance, notified national authorities.
  • 2 August 2026: general application — Annex III high-risk systems not embedded in sectoral legislation, Article 50 transparency, Commission GPAI enforcement, the general penalty regime in Chapter XII.
  • 2 August 2027: high-risk systems embedded in sectorally regulated products (Annex I).

The Commission has held the 2 August 2026 date despite industry pressure for an extension; AI Office consultations assume the current calendar.

Classification: is your system high-risk, GPAI, or minimal?

Once a year the platform team must inventory every AI system in use or development and apply this decision tree:

  1. Is it a prohibited practice (Art. 5)? Subliminal manipulation, social scoring, real-time biometric ID in public spaces outside exceptions, criminal-prediction profiling, indiscriminate face scraping, emotion inference in workplace or education. If yes: stop — cannot be offered in the EU.
  2. Is it GPAI? A general-purpose model with broad capability that can be integrated into downstream systems (typically LLMs and multimodal models). If yes: Chapter V obligations (documentation, copyright, technical sheet). If it is also classed as “systemic risk” (training compute ≥10²⁵ FLOP), reinforced obligations apply.
  3. Is it high-risk (Annex III)? Remote biometric ID, critical infrastructure, education/training affecting access, employment (selection, evaluation), essential private services (credit, insurance), law enforcement, migration and asylum, justice and democratic processes.
  4. Annex I product integration (medical devices, toys, lifts, etc.): sectoral regime plus AI Act add-ons.
  5. Anything else: minimal-risk bucket. Only Art. 50 applies if relevant.

Obligations by category — checklist

High-risk (Annex III):

  • Documented quality management system.
  • Training, validation, and test data with governance policies (Art. 10).
  • Complete technical documentation (Annex IV), updated before market placement.
  • Automatic lifecycle logs (Art. 12) — minimum 6 months retention, often more.
  • User-facing transparency and instructions for use.
  • Effective human oversight — not a disclaimer in the manual but a person with real intervention capacity.
  • Robustness, accuracy, and cybersecurity (Art. 15) — including documented adversarial tests.
  • Conformity assessment (internal or via notified body depending on the applicable annex).
  • EU declaration of conformity and CE marking.
  • Registration in the EU database (Art. 71).

GPAI (non-systemic):

  • Technical documentation of model and training data (Art. 53.1).
  • Copyright compliance policy (Art. 53.1.c).
  • Detailed training-data summary using the AI Office template.
  • Cooperation with authority on request.

GPAI with systemic risk:

  • All of the above plus model evaluation, systemic risk management, serious-incident reporting to the AI Office, reinforced cybersecurity.

Minimal risk:

  • Only Art. 50 if applicable. Voluntary adherence to a code of practice is recommended.

Annex IV technical documentation

For high-risk systems the dossier must include at least:

  • General description of the system, intended purpose, and deployment environments.
  • Design specifications: architecture, algorithmic decisions, optimisation metrics.
  • Data information: provenance, labelling, detected biases and mitigations.
  • Post-market monitoring and maintenance processes.
  • Performance metrics by demographic subgroup where relevant.
  • Logs and version traceability.
  • Risk evaluation and mitigation plan — kept updated, not static.

We keep this dossier as a Git monorepo with a model_card.yaml per system, validated by a schema in CI. The same structure serves internal audit and a potential notified-body external audit.
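One way to run that schema check in CI, as an added example rather than the post's own tooling: it takes one parsed model_card.yaml (loaded with any YAML library, which is assumed) as a dict and flags the missing Annex IV sections and bucket-specific obligations listed above. The field names, bucket labels and the 183-day reading of “six months” are this example's own assumptions.

```python
# Added example, not the post's tooling; field names and bucket labels are assumptions.
BUCKETS = {"prohibited", "high_risk", "gpai", "gpai_systemic", "minimal"}
ANNEX_IV_SECTIONS = ("description", "design", "data", "post_market_monitoring",
                     "subgroup_metrics", "traceability", "risk_plan")
MIN_LOG_RETENTION_DAYS = 183  # Art. 12 minimum of six months, taken here as ~183 days

# Flags that must be truthy per bucket; the GPAI rules also apply to systemic GPAI.
REQUIRED_FLAGS = {
    "high_risk": {"adversarial_tests_documented": "Art. 15 adversarial tests",
                  "eu_db_registration": "Art. 71 EU database registration"},
    "gpai": {"copyright_policy": "Art. 53(1)(c) copyright policy",
             "training_data_summary": "Art. 53 training-data summary"},
    "gpai_systemic": {"incident_reporting": "serious-incident reporting to AI Office"},
}

def validate_card(card: dict) -> list[str]:
    """Return CI findings for one parsed model_card.yaml; an empty list means pass."""
    bucket = card.get("bucket")
    if bucket not in BUCKETS:
        return [f"bucket must be one of {sorted(BUCKETS)}, got {bucket!r}"]
    findings = []
    if bucket == "high_risk":
        missing = [s for s in ANNEX_IV_SECTIONS if not card.get("annex_iv", {}).get(s)]
        findings += [f"Annex IV section missing: {s}" for s in missing]
        if card.get("log_retention_days", 0) < MIN_LOG_RETENTION_DAYS:
            findings.append("Art. 12: log retention below six months")
        oversight = card.get("human_oversight", {})
        if not (oversight.get("owner") and oversight.get("can_override")):
            findings.append("Art. 14: no named person with real intervention capacity")
    buckets_to_check = [bucket] + (["gpai"] if bucket == "gpai_systemic" else [])
    for b in buckets_to_check:
        for flag, label in REQUIRED_FLAGS.get(b, {}).items():
            if not card.get(flag):
                findings.append(f"{label} missing")
    # Art. 50 applies in every bucket once the system faces people or produces content.
    if card.get("interacts_with_persons") and not card.get("ai_disclosure"):
        findings.append("Art. 50: user is not told they interact with an AI")
    if card.get("generates_synthetic_content") and not card.get("content_marking"):
        findings.append("Art. 50: synthetic output lacks machine-readable marking")
    return findings

# Constructed sample card: a CV ranker (employment, Annex III) with deliberate gaps.
SAMPLE_CARD = {
    "system": "cv-screening-ranker", "bucket": "high_risk",
    "annex_iv": {s: True for s in ANNEX_IV_SECTIONS if s != "subgroup_metrics"},
    "log_retention_days": 90,
    "human_oversight": {"owner": "hr-ops", "can_override": True},
    "adversarial_tests_documented": True, "eu_db_registration": False,
    "interacts_with_persons": True, "ai_disclosure": True,
}
```

Run it as a CI step that fails the pipeline when `validate_card` returns a non-empty list for any card in the monorepo.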

Transparency (Art. 50): which labels are mandatory

Even when not high-risk, Art. 50 may apply:

  • Systems that interact with natural persons (chatbots, assistants): the user must know they are interacting with an AI — unless obvious from context.
  • Synthetic content (text, image, audio, video) generated or manipulated by AI: must carry a machine-readable mark. C2PA manifests, invisible watermarks and signed metadata are the standard technical options.
  • Deepfakes: clear disclosure that content is artificially generated or manipulated.
  • Emotion-recognition or biometric-categorisation systems: notification to the affected persons.

Article 50 compliance is not optional from a technical standpoint: the mark must be machine-detectable, not just a legal note.

Penalties and the GPAI regime

Caps:

  • Prohibited practices (Art. 5): up to €35 M or 7 % of global turnover from the previous year — whichever is higher.
  • Other AI Act breaches: up to €15 M or 3 % of global turnover.
  • Misleading information to authorities: up to €7.5 M or 1 %.
  • GPAI: up to €15 M or 3 %, enforced by the Commission (not the national authority).

Spain designated AESIA (Agencia Española de Supervisión de la Inteligencia Artificial) as the national authority, headquartered in A Coruña, operational since 2025. For specific sectors it can co-exist with AEPD (personal data) and other regulators.

Downloadable template and how to use it

Downloadable PDF template: a single form with the seven check blocks, evidence space per requirement, and a gap section with owner and target date.

How to use it:

  1. Inventory your AI systems on a single sheet before opening the template.
  2. Classify each into the applicable bucket (previous step).
  3. For each high-risk or GPAI system, open a copy of the template and fill it in with legal, product, and platform teams.
  4. Set a quarterly review schedule for the dossier.
  5. Publish the list of systems with their compliance status internally; internal transparency is the first defence against audits.

For deeper coverage of operational governance for AI agents, see “AI agents in the enterprise: governance” and, for historical context, “first GenAI regulations”.

Reference sources are artificialintelligenceact.eu[1] (consolidated text and exploration tools), the Commission’s AI Act Service Desk[2], and the AEPD guide on GenAI and GDPR[3] (intersection with personal data protection).

  1. artificialintelligenceact.eu
  2. AI Act Service Desk
  3. AEPD guide on GenAI and GDPR

Written by

CEO - Jacar Systems

Passionate about technology, cloud infrastructure and artificial intelligence. Writes about DevOps, AI, platforms and software from Madrid.