EU AI Act Vendor Readiness: 14 Questions Every CISO Must Score Before Aug 2, 2026 — gStride AI

The EU AI Act's high-risk obligations begin to apply to workplace AI on August 2, 2026. By that date, your incumbent productivity, scoring, idle-classification, and shift-allocation vendors must clear an Annex III conformity bar — or your deployment is the regulator's evidence. These 14 questions are the scoring sheet a CISO can run on each vendor in 90 minutes. Pass / partial / fail, no opinions, no marketing.

EU AI Act vendor readiness is a 14-question scoring exercise across four blocks — Annex III scope (Q1-3), Article 5 exclusions (Q4-5), provider documentation (Q6-9), and deployer kit (Q10-14). A vendor needs pass on all five Article 5 and provider-doc anchors to be deployable past August 2, 2026; partials on the deployer-kit anchors are fixable inside 30 days. Three or more fails on any anchor block is a replace-the-vendor verdict, not a renewal conversation.

Fact. EU AI Act high-risk obligations for workplace AI begin to apply on August 2, 2026 under Article 6 plus Annex III.

Fact. Article 5 prohibits emotion-recognition AI in employment outside narrow safety and medical exceptions.

Fact. Penalty bands run up to EUR 35 million or 7% of global turnover for prohibited-AI violations and up to EUR 15 million or 3% for other significant violations (subject to revision in implementing regulations).

Fact. Deployers of high-risk workplace AI must publish Article 13 transparency notices and a documented Article 14 human-oversight workflow.

Fact. The gStride EU AI Act vendor scorecard weights 14 questions across 4 blocks for a maximum score of 70 points.

What changes on August 2, 2026

The AI Act became law in 2024 and is being phased in. The high-risk-system obligations under Article 6 plus Annex III begin to apply to workplace AI from August 2, 2026 — 24 months after entry into force. By that date, providers of high-risk employment AI must have a conformity assessment, technical documentation, post-market monitoring plan, transparency design, human oversight architecture, logging, and EU database registration in place. Deployers (the employer who switches the system on) must have transparency notices specific to the AI use, a human-oversight workflow that is not a rubber stamp, an audit trail, and works-council consultation where required.

The most expensive vendor mistake of 2026 will be products that bolted AI inferences on top of a screenshot tool, then discovered that the inference layer (productivity score, ranking, AI idle classification used by HR) drags the entire product into Annex III. The marketing copy that sold the AI feature is now the evidence the regulator reads. Penalty bands run up to EUR 35 million or 7% of global turnover for prohibited-AI violations and up to EUR 15 million or 3% for other significant violations — the exact figures depend on tier and entity size and are subject to revision in implementing regulations, so verify with counsel for your jurisdiction.

For deeper background on the prohibited-vs-high-risk split and the legacy-tool flip-over, see our companion piece on EU AI Act & employee time tracking compliance and the canonical landing page for our EU AI Act compliant productivity intelligence stance.

The 14-question framework, grouped

The 14 questions split into four anchor blocks. Score each pass / partial / fail. The math at the bottom of the page tells you what to do next.

Block A — Annex III scope & classification (Q1-3)

  1. Inventory of AI inferences. Has the vendor handed you a written list of every AI inference the product produces — productivity score, idle classification, ranking, shift allocation, anomaly detection, focus signal? Vague answers (“it's just analytics”) score fail.
  2. Annex III mapping per inference. For each inference, does the vendor name the specific Annex III category it sits in (recruitment, evaluation, performance monitoring, task allocation), or explain why it sits outside? No mapping = fail.
  3. Material-decision test. Where the vendor claims an inference is not high-risk, can they show that the output does not materially inform an employment decision? “A manager looks at it” is not a defence; the test is whether the output drives the decision in practice.

Block B — Article 5 exclusions (Q4-5)

  4. No emotion or affect inference. Has the vendor confirmed in writing that no feature infers mood, stress, engagement, or wellbeing from keystrokes, mouse jitter, webcam, or microphone — even if marketed as a wellbeing or burnout signal? Article 5 is a prohibition, not a high-risk obligation; a single yes here is a halt.
  5. No social-scoring or manipulative ranking. Does the vendor exclude employee social-scoring (composite reputation scores across unrelated signals) and any nudge layer designed to manipulate behaviour without disclosure?

Block C — Provider documentation (Q6-9)

  6. Conformity assessment route. Has the vendor named whether they are running self-assessment or notified-body conformity, and where each high-risk inference sits in that process? A vendor who has not picked the route is behind schedule for an August 2 deployment.
  7. Technical documentation index. Is there a structured technical-documentation file covering training data sources, design choices, performance metrics, foreseeable misuse, mitigations, and the post-market monitoring plan? Cite the table of contents at minimum.
  8. EU database registration status. For each high-risk inference, has the vendor registered or filed an intent-to-register entry in the EU database? Partial credit if the registration is on a credible Q2-Q3 2026 calendar.
  9. Logging policy. Does the vendor maintain activity logs sufficient to investigate incidents and detect performance drift, with documented retention and access? “Logs exist” without a policy = partial.

Block D — Deployer kit (Q10-14)

  10. Worker-notification template. Does the vendor ship a deployer-ready transparency notice you can localise per jurisdiction, sized for Article 13 and Article 26 obligations? Generic privacy-policy text does not satisfy this.
  11. Human-oversight workflow. Is there a documented oversight workflow with named roles, override authority, and review cadence — designed so the human review is meaningful and not a rubber stamp?
  12. Configurable monitoring defaults. Can each capture surface (screenshots, keystroke, webcam) be switched off per role, per team, and per feature, and is the off-state the default? “Configurable” without an off-default is partial.
  13. Works-council briefing pack. For deployments in Germany, Austria, the Netherlands, France in scope industries, and similar jurisdictions, does the vendor ship a briefing pack you can take to the council? Skipping the council is the largest source of legal exposure in this category.
  14. Audit-trail export. Can the deployer pull a regulator-ready audit trail in under 30 minutes — capture, inference, oversight action, decision — for any worker-affecting decision in the last 12 months?

Score it live, not after the contract. The 14 questions are built into the interactive EU AI Act Vendor Scorecard. Score each vendor pass / partial / fail in the browser, get a verdict band instantly, and email yourself the PDF. No card, no gate — it lands in your buying committee the same week. Or browse the full gStride compliance resources hub.

How buyers should score — the rubric primer

The scoring rubric is intentionally blunt. Vendors will offer to walk you through nuance. Resist that. The point of a 14-question scorecard is to remove the nuance and put each anchor on a pass / partial / fail line. Counsel handles the nuance after the scorecard, not before.

  • Pass means written evidence with a date and an owner, viewable inside 24 hours of request. A slide deck is not evidence; the conformity-assessment summary file is.
  • Partial means a credible delivery date inside Q2-Q3 2026 with a named owner and a progress milestone the vendor can show this quarter. “Roadmap” with no milestone = fail.
  • Fail means no answer, an evasive answer, or an answer that contradicts the marketing copy. Fail on Article 5 (Q4) is a halt regardless of any other passes.

Run the scorecard with two reviewers: a CISO or DPO who can read the documentation, and a procurement lead who controls the contract. Score independently, then reconcile. Disagreements are usually about partial vs fail — not pass vs anything else — and that's the conversation to have on paper.

Expected scorecard band by vendor archetype

The table below summarises how five common workplace-monitoring archetypes typically score against the 14-question framework. It describes vendor-archetype defaults observed in product documentation and marketing material as of May 2026; specific deployments may vary by configuration choices. Verify the actual configuration with the vendor in writing, and verify your specific obligations with counsel for your jurisdiction.

EU AI Act vendor archetype band — default-configuration read, May 2026

Vendor archetype | Surveillance default | Emotion inference (Article 5 risk) | Human-oversight workflow | Expected 14-Q band
Hubstaff (default install) | ON (screenshots, activity %) | No | Ad-hoc | At-risk (6-8 pass)
Time Doctor (default install) | ON (screenshots, app/URL capture) | No | Ad-hoc | At-risk (6-8 pass)
Teramind (default install) | ON (screen, keystroke, video) | Yes — behavioural / sentiment features (Article 5 exposure) | None / vendor-defined | Halt (any Q4 fail)
ActivTrak (default install) | ON (continuous activity capture) | Yes — productivity / focus inferences marketed as wellbeing (Article 5 exposure) | Ad-hoc | Halt or At-risk
gStride (default install) | OFF (capture off; outcome-signal default) | No — category excluded by design | Documented (named reviewer, override authority, audit trail) | Ready (12-14 pass) on the architecture; documentation work in progress against August 2026

Reading note. Archetype band describes the out-of-the-box configuration as advertised in vendor marketing, not a per-tenant audit. Customers can move their own deployment up the band by configuring capture to off, layering a human-oversight workflow, and amending the DPA — but the default is what regulators read first.

Verdict bands — what to do at each

Verdict band | Scorecard pattern | What to do
Ready (12-14 pass) | Pass on all of Q4-5 and Q6-9; at most two partials in the deployer kit | Proceed to deployment with works-council briefing. Set a Q4 2026 re-review.
Patchable (9-11 pass) | Pass on Q4-5; partials clustered in the deployer kit (Q10-14) | Conditional deployment with a 30-day patch plan. Hold renewal on patch completion.
At-risk (6-8 pass) | Pass on Q4-5; three or more fails across provider doc (Q6-9) | Parallel-track an alternate vendor. Do not renew past July 2026 unless the provider gap closes.
Halt (any Q4 fail, or <6 pass) | Article 5 fail, or scorecard shows the product was not built for the obligation | Replace the vendor. Build the migration plan now — August 2 is too close to drift.
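As an added example (not gStride's scorecard code), the Python below encodes the verdict bands from the table above as a function a buying committee could run over two reviewers' sheets: the Halt gates, the pass-count ranges, and each row's pattern. Where the page's patterns leave a combination unassigned (a partial on an Article 5 anchor, or a high pass count sitting next to a provider-documentation gap), the demotion rules marked ASSUMPTION are this example's own tie-breaks, not the page's; the `scorecard` helper and the sample cards are constructed for illustration.

```python
"""Verdict-band scorer for the 14-question EU AI Act vendor scorecard.

Added example, not gStride's own scorecard code. It encodes the pass /
partial / fail rubric and the four verdict bands described on the page.
Rules marked ASSUMPTION are this example's tie-breaks for combinations
the page's band patterns do not explicitly assign.
"""
from dataclasses import dataclass, field
from enum import Enum, IntEnum


class Score(Enum):
    PASS = "pass"
    PARTIAL = "partial"
    FAIL = "fail"


class Band(IntEnum):
    # Ordered weakest to strongest so a demotion is simply the lower value.
    HALT = 0
    AT_RISK = 1
    PATCHABLE = 2
    READY = 3


# Anchor groups as numbered on the page: Article 5 (Q4-5),
# provider documentation (Q6-9), deployer kit (Q10-14).
ARTICLE_5 = (4, 5)
PROVIDER_DOC = range(6, 10)
DEPLOYER_KIT = range(10, 15)

ACTIONS = {
    Band.READY: "Proceed to deployment with works-council briefing; set a Q4 2026 re-review.",
    Band.PATCHABLE: "Conditional deployment with a 30-day patch plan; hold renewal on patch completion.",
    Band.AT_RISK: "Parallel-track an alternate vendor; do not renew past July 2026 unless the provider gap closes.",
    Band.HALT: "Replace the vendor; build the migration plan now.",
}


@dataclass
class Verdict:
    band: Band
    passes: int
    reasons: list[str] = field(default_factory=list)

    @property
    def action(self) -> str:
        return ACTIONS[self.band]


def _count(scores: dict[int, Score], questions, wanted: Score) -> int:
    return sum(1 for q in questions if scores[q] is wanted)


def score_vendor(scores: dict[int, Score]) -> Verdict:
    """Map a full 14-question sheet to a verdict band with the reasons for any demotion."""
    if sorted(scores) != list(range(1, 15)):
        raise ValueError("scorecard must contain exactly questions 1..14")
    passes = _count(scores, range(1, 15), Score.PASS)
    reasons: list[str] = []

    # Halt gates: an Article 5 fail, or fewer than six passes overall.
    if any(scores[q] is Score.FAIL for q in ARTICLE_5):
        reasons.append("Article 5 fail (Q4/Q5) halts regardless of other answers")
        return Verdict(Band.HALT, passes, reasons)
    if passes < 6:
        reasons.append(f"only {passes} passes (<6)")
        return Verdict(Band.HALT, passes, reasons)

    # Provisional band from the pass-count ranges.
    band = Band.READY if passes >= 12 else Band.PATCHABLE if passes >= 9 else Band.AT_RISK

    # Ready also needs a pass on every Q4-9 anchor and at most two deployer-kit partials.
    # ASSUMPTION: a vendor that misses that pattern drops one band, to Patchable.
    if band is Band.READY:
        anchors_ok = all(scores[q] is Score.PASS for q in (*ARTICLE_5, *PROVIDER_DOC))
        if not anchors_ok or _count(scores, DEPLOYER_KIT, Score.PARTIAL) > 2:
            reasons.append("Ready pattern not met (Q4-9 not all pass, or >2 deployer-kit partials)")
            band = Band.PATCHABLE

    # Patchable requires a pass on Q4-5; fails were handled above, so this catches partials.
    # ASSUMPTION: a partial on an Article 5 anchor drops the vendor to At-risk.
    if band is Band.PATCHABLE and not all(scores[q] is Score.PASS for q in ARTICLE_5):
        reasons.append("Article 5 anchor (Q4/Q5) is partial, not pass")
        band = Band.AT_RISK

    # Three or more fails across provider documentation is the At-risk pattern
    # whatever the pass count, so never score above At-risk with that gap open.
    provider_fails = _count(scores, PROVIDER_DOC, Score.FAIL)
    if provider_fails >= 3 and band > Band.AT_RISK:
        reasons.append(f"{provider_fails} fails across provider documentation (Q6-9)")
        band = Band.AT_RISK

    return Verdict(band, passes, reasons)


def scorecard(**overrides: Score) -> dict[int, Score]:
    """Constructed helper: an all-pass sheet with the given overrides, e.g. scorecard(q4=Score.FAIL)."""
    card = {q: Score.PASS for q in range(1, 15)}
    for key, value in overrides.items():
        card[int(key.lstrip("q"))] = value
    return card


if __name__ == "__main__":
    # Constructed sample sheets, one per pattern in the verdict table.
    samples = {
        "all pass": scorecard(),
        "Q4 fail": scorecard(q4=Score.FAIL),
        "deployer-kit partials": scorecard(q10=Score.PARTIAL, q11=Score.PARTIAL, q12=Score.PARTIAL),
        "provider-doc gap": scorecard(q6=Score.FAIL, q7=Score.FAIL, q8=Score.FAIL),
    }
    for label, card in samples.items():
        v = score_vendor(card)
        print(f"{label:22} {v.band.name:10} passes={v.passes:2}  {v.action}")
```

Running the two reviewers' sheets through the same function makes the reconciliation conversation concrete: the `reasons` list names exactly which anchor pulled the band down, which is usually the partial-versus-fail disagreement the rubric primer says to settle on paper.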

Halt is the verdict most CISOs are nervous about — it sounds dramatic. The honest framing: vendors that fail Article 5 in May 2026 have known about the prohibition since 2024. The fact that the feature still ships tells you what their roadmap priorities are. If your deployment continues into August 2026 with a halt-grade vendor, the regulator reads your contract as informed consent to a prohibited feature.

The migration question, briefly

If the scorecard says at-risk or halt, the next question is what replaces the vendor. The category that holds up under Annex III scoring is productivity intelligence — capture and inference separated, AI framed as recommendation to a human, no Article 5 features, deployer kit shipped with the product. gStride is built around that separation; the architecture and the readiness statement are documented at our EU AI Act solution page. Run the scorecard against gStride and any other shortlisted vendor with the same rubric — that's the only fair compare.

Related reading on the regulatory edges: GDPR-compliant employee monitoring for the data-protection layer beneath the AI Act, the alternative to keystroke tracking for the Article 5 swap, and the prohibited-vs-high-risk deep-dive in EU AI Act & employee time tracking compliance.

Score your vendor against the 14 questions

The interactive EU AI Act Vendor Scorecard runs in the browser. Pass / partial / fail per question, instant verdict band, emailed PDF for your buying committee. Free, no card.


Frequently asked questions

What is the EU AI Act August 2, 2026 deadline for vendors?

August 2, 2026 is when the high-risk-system obligations under the EU AI Act begin to apply to workplace AI that was already on the market. Workplace AI providers must have a conformity assessment, technical documentation, transparency notices, human oversight design, logging, post-market monitoring, and EU database registration in place by that date. Deployers (the employer) must have transparency notices to affected workers, human oversight workflow, and an audit trail in place. Verify the exact dates and staged enforcement timeline for your jurisdiction with counsel.

Which workplace AI vendors fall under Annex III high-risk classification?

Annex III lists AI used in employment for recruitment, evaluation, promotion, termination, task allocation, and monitoring or evaluation of performance and behavior. In practical terms, that catches productivity scoring, AI-driven idle classification used by HR, AI ranking used for promotion or termination decisions, AI shift allocation that materially affects compensation, and AI-driven anomaly detection routed into employment outcomes. A plain timer with a manual timesheet sits outside Annex III; an AI score sitting next to that timer typically does not.

What Article 5 prohibitions hit workplace AI vendors?

Article 5 bans certain AI uses outright. The workplace-relevant ones: emotion recognition in employment outside narrow safety and medical exceptions, manipulative or deceptive AI, and social-scoring of employees. Vendors that infer mood, stress, engagement, or wellbeing from keystroke cadence, mouse jitter, webcam, or microphone in an employment context fall in the prohibited tier, not just high-risk. A vendor reframing the feature as wellbeing or burnout does not change the classification. See the alternative to keystroke tracking for the non-inferring swap.

Does a vendor's GDPR DPA satisfy AI Act readiness?

No. A clean DPA is necessary but not sufficient. The AI Act layers AI-specific obligations on top of GDPR: a documented risk-management system, technical documentation of training data and inference behavior, logging sufficient to investigate incidents and detect drift, transparency notices specific to the AI use, human oversight design that is not a rubber stamp, post-market monitoring, and EU database registration for high-risk systems. A tool with a clean DPIA still has the AI Act layer to build. See GDPR-compliant employee monitoring for the GDPR baseline.

How should a CISO score a vendor with a partial AI Act readiness statement?

Score by evidence, not by intent. Ask for the written readiness statement, the conformity-assessment route (self-assessment or notified body), the EU database registration entry or planned registration date, the technical documentation index, and the deployer kit. If three or more anchors are missing or in progress without a credible Q3 2026 delivery date, that is a fail for any deployment that runs past August 2, 2026 — treat it as a parallel-track or replace-the-vendor decision, not a renewal.

What is the EU AI Act Vendor Scorecard and how does it work?

The EU AI Act Vendor Scorecard is an interactive 14-question evaluator. Each question maps to an Annex III, Article 5, provider-documentation, or deployer-kit obligation. Score each question 0/1/3/5 weighted across four blocks for a maximum of 70 points; the tool produces a verdict band (Ready, Patchable, At-Risk, Halt) with a recommended next step for procurement and counsel. No card, no gating — the score lands instantly so you can put it in front of the buying committee the same week. The companion resources hub lists the worksheet alongside the DPDP-side framework for India IT services firms serving EU clients.

Does works-council consultation count toward AI Act readiness?

Yes — in jurisdictions with works councils (Germany, Austria, Netherlands, France in scope industries, and similar), AI-based workplace monitoring is a consultation-required deployment under existing labour law on top of the AI Act transparency layer. A vendor that ships a works-council briefing pack with the configurability of each monitoring feature, the recommendation-not-decision framing, and the Article 5 exclusion list named in writing makes the council conversation faster. Skipping the council is the largest single source of legal exposure in this category and not a path readiness statements can paper over. Verify the specific consultation procedure with counsel for your jurisdiction.

This article describes the EU AI Act as it applies to workplace AI vendor selection as of May 2026, ahead of the August 2, 2026 high-risk-system enforcement date. Implementing regulations and guidance are still being finalised; verify specific obligations, deadlines, conformity assessment routes, registration scope, and penalty schedules with legal counsel for your jurisdiction. The 14-question scorecard is a buyer aid, not legal advice.