On 2 August 2026 — now 83 days away — the EU AI Act's Chapter III provisions on high-risk AI systems move from transition period into full application. The deadline was set at the time of the regulation's publication in the EU Official Journal and has not moved. What has moved is the compliance readiness of organisations subject to it. For Swiss companies that supply, deploy, or operate AI-enabled products in the EU market, the August 2 date is as operationally relevant as it is in Frankfurt or Amsterdam: the Act's extraterritorial reach, combined with the market access consequences of non-compliance, applies regardless of where the provider is headquartered.
What "High-Risk AI" Actually Means Under Annex III
The AI Act's Annex III defines eight categories of AI systems classified as high-risk. Classification is based on the sector and use case, not on whether the system has previously caused harm. Three categories are directly relevant to common Swiss enterprise AI deployments.
AI used in employment, HR, and workforce management — including recruitment screening, candidate evaluation, and performance assessment — is high-risk. Swiss HR technology vendors and enterprises using automated tools for hiring or employee management with EU-based operations are in scope. AI used in access to essential private services, including creditworthiness assessment and insurance risk profiling, is high-risk. Swiss banks and insurers using algorithmic underwriting, automated credit scoring, or AI-assisted fraud detection for EU customers are in scope. Biometric identification systems used in contexts covered by the Act are high-risk, with exceptions applying to some law enforcement uses already covered under separate legislation.
The classification trap that organisations fall into is assuming that "high-risk" means "has caused problems." It does not. A system that has operated without incident for five years in a regulated domain becomes subject to the Act's full compliance requirements the moment it falls under Annex III and is deployed in or toward the EU market. Past performance does not affect classification.
The Swiss Position: Market Access as Enforcement Vector
Switzerland is not an EU member state and is not party to the EEA in a way that makes the AI Act directly applicable under Swiss domestic law. This creates a common misreading: Swiss companies assume the regulation is not their problem. It is, for a straightforward commercial reason.
The AI Act applies to any provider that places a covered AI system on the EU market, regardless of where that provider is established. A Swiss AI company selling its products to EU-based businesses is a provider placing systems on the EU market. A Swiss holding company whose EU subsidiary deploys a covered AI system is an EU-established operator and is directly in scope. The enforcement mechanism is not a Swiss regulatory sanction — it is market exclusion. EU national market surveillance authorities can prohibit non-compliant high-risk AI systems from being placed on the market and require withdrawal of systems already deployed. For Swiss AI vendors with EU revenue exposure, this is an existential commercial risk, not a regulatory footnote.
The maximum financial penalty for violations involving high-risk systems is €30 million or 6% of global annual turnover, whichever is higher. For prohibited AI practices, the ceiling rises to 7%. Neither figure applies to Swiss entities through direct Swiss regulatory action, but both apply through EU market surveillance proceedings against EU-established subsidiaries or through proceedings against EU importers of Swiss AI products who then face liability under the Act.
What Must Be in Place by August 2
The AI Act's Articles 9 through 17 establish the compliance obligations for high-risk AI systems. Each has a preparation timeline that organisations tend to underestimate.
Technical documentation under Annex IV is the most labour-intensive requirement. The technical file must cover the system's intended purpose, general design logic and architecture, training data governance including data provenance and quality measures, performance metrics disaggregated across relevant demographic groups, risk management methodology applied during development, cybersecurity threat modelling, monitoring and human oversight mechanisms, and a post-market monitoring plan. This is not a management summary. It is an engineering artifact that requires input from development, data science, legal, and compliance teams. Organisations that have not started this documentation and expect to complete it in June or July will find the timeline insufficient.
Conformity assessment is required before a high-risk AI system is placed on the market or put into service. For most Annex III systems, a self-declaration conformity assessment (internal control) is permitted. For certain systems — including those subject to third-party certification under existing EU harmonised standards — a notified body assessment is required. Identifying which pathway applies and, if a notified body is needed, securing a slot and completing the assessment, must happen now: notified body capacity is constrained across the EU.
EU AI Act database registration must occur before deployment. The EUAIA DB is operational and accepting registrations as of 2026. Swiss companies operating through EU subsidiaries must register through their EU-established entity. Registration requires the technical documentation to be substantially complete first.
Human oversight mechanisms under Article 14 require that high-risk AI systems be designed to allow effective human monitoring, the ability to override automated outputs, and the technical capability to interrupt system operation. For automated financial decisioning systems in Swiss banking, this means documented escalation procedures, defined authority levels for human override, and demonstrated technical controls — not just a policy statement.
◆ Key Takeaway
The three compliance actions that cannot be time-compressed are technical documentation, conformity assessment, and EUAIA DB registration — each depends on the previous. Organisations that have not initiated technical documentation for their high-risk AI systems by mid-May will not be compliant by August 2. The deadline is fixed. The preparation time is not.
FINMA, DORA, and the Documentation Gap
Swiss financial institutions subject to FINMA Circular 2023/1 already maintain operational risk documentation covering algorithmic systems, ICT risk assessments, and technology governance frameworks. DORA-scope entities have parallel ICT risk management documentation obligations under the regulation's Articles 5–16. Neither framework generates the specific documentation artifacts required under the AI Act.
FINMA Circular 2023/1's risk identification requirements for algorithm-driven decisions overlap conceptually with AI Act Article 9 risk management. The documentation format, level of technical specificity, and required content differ. The Annex IV technical file requires training data governance details and demographic performance disaggregation that FINMA risk documentation does not demand. DORA's ICT third-party risk requirements can be usefully aligned with AI Act supply chain documentation for systems built on third-party AI components, but DORA compliance does not substitute for AI Act conformity assessment.
The practical consequence: Swiss financial institutions that have fulfilled their FINMA and DORA documentation obligations have a structural head start on AI Act compliance. They have governance frameworks, risk assessment methodologies, and documentation habits in place. They do not have compliant AI Act technical files unless they have done additional work specifically for the Act. Assuming that FINMA compliance implies AI Act compliance is the most common preparedness gap in Swiss financial sector AI deployments.
- Inventory every AI system deployed or supplied — classify each against Annex III categories and document the classification decision with supporting reasoning.
- Begin Annex IV technical documentation immediately for each high-risk system; target completion by 15 July to allow time for review, conformity assessment, and registration before August 2.
- Determine the conformity assessment pathway for each system — self-declaration or notified body — and if a notified body is required, engage one now to secure availability.
- Register high-risk systems in the EU AI Act database through your EU-established entity; this requires completed technical documentation and cannot be done in parallel with it.
- Implement and document Article 14 human oversight mechanisms for every automated decisioning system in scope — this requires both technical controls and procedural documentation.
- Map existing FINMA Circular 2023/1 and DORA ICT documentation against AI Act Articles 9–17 requirements to identify specific gaps rather than assuming coverage.
- Establish a post-market monitoring system and a serious incident reporting procedure for deployed high-risk systems, as required under AI Act Article 72 from the date of full application.
The organisations that will face enforcement action in Q3 2026 are not those that were unaware of the August 2 deadline. They are the ones that knew about it and underestimated the documentation burden, assumed their existing regulatory compliance covered it, or deferred action until it was too late to complete the conformity assessment cycle. The AI Act's full-application date creates a sharp accountability moment that EU market surveillance authorities have been preparing for. Swiss companies supplying AI to European markets should be preparing with equal seriousness.