The 118-Day Window: EU AI Act technical standards land — and so do the watermark rules.

Top alert · The 118-day window opens

The European Commission released the final technical standards (TS-2026/04) for High-Risk AI systems on Wednesday. The standards are now binding for the 2 August 2026 certification deadline, leaving exactly 118 days for in-scope deployers to assemble a conformity-assessment file or face administrative penalties of up to €35,000,000 or 7% of global turnover, whichever is greater (Article 99(3) EU AI Act).

In-scope use cases — recruitment, credit scoring, employee monitoring, education ranking, biometric categorisation — are unchanged from the December 2025 draft, but two technical requirements did tighten:

Article 52 — Transparency. AI-generated text exposed to natural persons in customer-service contexts must carry a persistent, machine-readable provenance signal (C2PA-compatible) by the certification deadline. The "ephemeral chat" carve-out has been removed.

Annex IV §3(e) — Logging. Conformity files must include 12 months of model-decision logs, not 6 as previously drafted. Logs must be exportable in JSON-LD within 72 hours of a regulator request.

For Bureau-tier subscribers, a fully-mapped conformity checklist (the "118-Day File") is published in the archive this morning.

Cross-jurisdictional · The de-facto US standard

California's SB-1047 v2 received Governor signature on 18 April. Within ten days, three states introduced near-verbatim mirror bills — a familiar pattern that historically converges within two legislative sessions. Treat the table below as a leading indicator of a de-facto national floor for frontier-model deployers.

The Illinois bill is the most consequential for HR-tech buyers: it imports the EU AI Act's prohibited-practice list into US state law and grants a private right of action.

The shadow-AI clarification

A discreet 12 April clarification from the European Data Protection Board (EDPB Opinion 04/2026) confirms what many in-house counsel feared: when an employee pastes confidential data into an unsanctioned consumer-grade model, the employer remains the controller under GDPR Article 24, and the breach-notification clock begins on the date the employer "knew or should have known."

Translation: a single shadow-AI incident now creates joint exposure under both GDPR (up to 4% of turnover) and the AI Act (up to 7%). Sanctioned-tool catalogues and data-loss-prevention tooling have moved from "hygiene" to "regulatory necessity."

Your 5 actions this week

1. Inventory. Stand up a 7-day discovery sprint to enumerate every AI tool currently in use across HR, marketing, and engineering. Output: a single spreadsheet, owner per row.
2. Watermarking. Confirm your customer-service stack supports C2PA provenance signals. If you ship AI-generated images, validate against the C2PA 2.0 specification.
3. Vendor diligence. Issue a one-page "AI Act Article 25" deployer questionnaire to every AI vendor in the inventory. We provide a template in the Bureau archive.
4. Sanctioned-tool catalogue. Publish an internal list of approved AI tools and a clear escalation path for new-tool requests. Pair with DLP coverage.
5. Board memo. A 1-page memo to your board: "What changed this week, what we are doing about it, what it costs." Template in the archive.

Bottom line

Compliance is no longer a legal hurdle — it is a procurement advantage. Enterprise buyers in regulated sectors are now contractually requiring suppliers to demonstrate AI Act conformity before signing. Every week your team is ahead of the curve is a week your sales team can use it.

---

Next week · The UK's "Pro-Innovation" framework after the May regulator papers — and why it is converging with Brussels faster than Westminster admits.

Editorial intelligence — not legal advice. Cite primary sources before acting.