Full Enforcement: August 2026 — Act Now
Compliance Guide · EU AI Act

EU AI Act 2026:
What SAP Enterprises Must Do
to Stay Compliant

Full enforcement starts August 2026. Penalties reach 7% of global turnover. This is the definitive guide for SAP teams — risk classification, compliance obligations, GDPR interaction, and a 90-day action plan to get compliant fast.

June 18, 2026 13 min read SAVI AI Compliance Team Legal · Compliance · Governance
Aug 2026
Full high-risk AI enforcement
7%
Max penalty of global turnover
€35M
Max fine for prohibited AI practices
90 days
To get compliant with this guide
⚠️

Enforcement Timeline: No More "We're Working On It"

The EU AI Act (Regulation 2024/1689) is not a future proposal — it is law. Prohibited AI practices have been banned since February 2025. High-risk AI system obligations are enforceable from August 2026. EU member state market surveillance authorities are actively building their enforcement capacity. Enterprises using AI in HR decisions, credit assessment, or safety-critical operations need to be compliant now — not "soon."

What Is the EU AI Act? A Plain-English Summary

The EU AI Act is the world's first comprehensive legal framework governing artificial intelligence. Passed by the European Parliament in March 2024 and published in the Official Journal of the EU on 12 July 2024, it creates a risk-tiered regulatory framework — the higher the risk of an AI system to individuals and society, the stricter the obligations placed on organisations that deploy it.

The Act applies to:

Even if your company is headquartered outside the EU, the Act applies if your AI systems affect people in the EU — employees, customers, or citizens. Think of it as the GDPR of AI — and take it equally seriously.

Key distinction: The EU AI Act focuses on what the AI does (its risk to people), while GDPR focuses on what data the AI processes. Both apply simultaneously for most enterprise AI deployments. A high-risk AI system that processes personal data must comply with both regulations.

The 4 Risk Tiers — Where Does Your SAP AI Land?

Every AI system under the EU AI Act falls into one of four risk categories. Understanding your tier is Step 1 of compliance:

Tier 1 — Prohibited

Unacceptable Risk — Banned Outright

AI systems that pose an unacceptable risk to fundamental rights. Banned since February 2025.

  • Real-time biometric surveillance in public spaces
  • Social credit scoring systems
  • AI that manipulates behaviour subliminally
  • Emotion recognition in workplaces/schools
Penalty: Up to €35M or 7% global turnover
Tier 2 — High Risk

Significant Obligations Apply

AI in critical infrastructure, HR decisions, credit assessment, education, law enforcement. Full compliance required by August 2026.

  • AI making or assisting HR/employment decisions
  • AI in credit/financial access decisions
  • AI in safety-critical manufacturing systems
  • AI for essential service access
Penalty: Up to €15M or 3% global turnover
Tier 3 — Limited Risk

Transparency Obligations Only

AI systems that interact with people (chatbots, deepfakes). Must be disclosed as AI.

  • AI chatbots and virtual assistants
  • AI-generated content
  • Emotion recognition (non-workplace)
Penalty: Up to €7.5M or 1.5% global turnover
Tier 4 — Minimal Risk

Voluntary Code of Conduct

The vast majority of AI systems. Compliance is voluntary best practice, not mandatory.

  • Invoice processing AI
  • Supply chain optimisation AI
  • Most finance automation use cases
  • Spam filters, search ranking
No mandatory obligations

How Your SAP AI Applications Are Classified

The most important question for any SAP enterprise: which of my existing and planned AI deployments are high-risk? Here is our classification guide for common SAP AI use cases:

SAP AI Use Case SAP Module Risk Classification Reason
AI CV Screening & Recruiting SAP SuccessFactors Recruiting High Risk Employment decisions affecting workers — Annex III(4)
AI Performance Evaluation SAP SuccessFactors Performance High Risk Influences promotion/dismissal decisions — Annex III(4)
AI Attrition Prediction SAP Workforce Analytics High Risk May influence employment decisions — Annex III(4)
AI Credit Limit Assessment SAP SD / Credit Management High Risk Financial access decision — Annex III(5)
AI Safety Systems in Manufacturing SAP PM / EHS High Risk Safety-critical infrastructure — Annex III(2)
Invoice Processing Automation SAP FI / MM Minimal Risk No decision affecting individuals directly
GR/IR Reconciliation AI SAP MM / FI Minimal Risk Internal financial data matching only
Demand Forecasting AI SAP IBP Minimal Risk Operational planning, no individual impact
Financial Close Automation SAP FI / Controlling Minimal Risk Internal financial operations
AI Procurement / P2P SAP MM / Ariba Minimal Risk Business-to-business transactions
Joule Conversational AI (informational) SAP Joule Limited Risk Chatbot — transparency obligation applies
AI Fraud Detection SAP FI / GRC Limited Risk May impact individuals if used for adverse decisions

Important nuance: Classification is context-dependent. An AI that suggests a candidate shortlist but is always overridden by a human is lower risk than one that automatically filters out candidates. If your AI makes a decision rather than a recommendation — and that decision affects a person — it is more likely high-risk. When in doubt, treat it as high-risk and document accordingly.

5 Core Compliance Obligations for High-Risk SAP AI

If any of your SAP AI deployments fall into the high-risk category, you must meet all five of these obligations before August 2026:

1

Data Governance & Quality Management

High-risk AI systems must be trained and operated on data that is relevant, representative, free of bias, and appropriately protected. You must document your training data sources, apply data quality checks, and detect and address data bias before deployment.

SAP relevance: SAP Master Data Governance (MDG) and SAP Data Intelligence Cloud provide the data quality layer. Ensure HR AI training data doesn't contain historical biases from pre-AI hiring decisions.
  • Document all data sources used for AI training and operation
  • Implement bias detection and mitigation processes
  • Apply data quality rules before data enters AI models
  • Establish data governance policies covering AI data lifecycle
2

Technical Documentation

Before deploying any high-risk AI system, you must create and maintain technical documentation covering the AI system's purpose, design, risk management measures, testing results, and monitoring approach. This documentation must be kept up to date throughout the system's lifecycle.

SAP relevance: SAP AI Launchpad on BTP provides model cards and deployment documentation. Supplement with a formal AI System Documentation Register maintained by your AI CoE.
  • Create an AI System Record for each high-risk deployment
  • Document intended purpose, technical specifications, and known limitations
  • Record risk assessment methodology and mitigation measures
  • Maintain a change log for every model update or parameter change
3

Transparency & User Information

People affected by high-risk AI decisions must be informed that AI is being used. If the AI makes or significantly influences a decision about them (hiring, credit, access to services), they have the right to know and — in many cases — to request a human review of that decision.

SAP relevance: SuccessFactors AI-assisted recruiting must notify candidates. Add disclosure language to application forms, interview confirmation emails, and any automated rejection notifications.
  • Add AI disclosure notices to all affected employee/customer touchpoints
  • Implement a "request human review" process for AI-influenced decisions
  • Train HR and line managers on how to explain AI recommendations
  • Update privacy notices and employee handbooks to cover AI use
4

Human Oversight & Control

High-risk AI systems must be designed so that qualified humans can effectively monitor, understand, intervene in, and override the AI's outputs. "Effective" oversight means humans must have time, authority, and capability to meaningfully review decisions — not just rubber-stamp AI recommendations under deadline pressure.

SAP relevance: Design your SAP workflow approval steps so reviewers receive explainability information alongside the AI recommendation — not just the recommendation itself. SAP AI services can surface SHAP-value explanations to reviewers.
  • Design "human-in-the-loop" approval steps for all high-risk AI decisions
  • Provide reviewers with explainability data (why did the AI recommend this?)
  • Set confidence thresholds — low-confidence AI outputs must route to human review
  • Ensure reviewers have authority to override without penalty
5

Accuracy, Robustness & Continuous Monitoring

High-risk AI must maintain its declared performance levels throughout its operational life. You must implement continuous monitoring for accuracy degradation, data drift, and unexpected behaviours — with automatic alerts and remediation processes when performance drops below thresholds.

SAP relevance: SAP AI Launchpad and SAVI AI dashboards provide model performance monitoring. Set up automated alerts when key metrics (precision, recall, F1) drop more than 5% from baseline — this triggers a mandatory model review.
  • Define key performance metrics and minimum acceptable thresholds for each AI system
  • Implement automated monitoring with alerting for performance degradation
  • Schedule quarterly model reviews and annual full conformity assessments
  • Maintain a model incident log for unexpected AI behaviours

EU AI Act Penalties: Why Compliance Is Non-Negotiable

Violation TypeMax Fine (higher of)Examples
Prohibited AI practices €35 million or 7% global turnover Deploying real-time biometric AI, social scoring, emotion recognition in workplace
High-risk AI non-compliance €15 million or 3% global turnover Missing documentation, no human oversight, inadequate transparency to users
Incorrect/misleading information €7.5 million or 1.5% global turnover Providing false conformity assessment results to authorities

For a company with €5 billion in global revenue, a 3% penalty for high-risk AI non-compliance is €150 million. The compliance investment to avoid this is a fraction of that cost — and delivers the added benefit of more trustworthy, better-governed AI that employees and customers trust.

EU AI Act + GDPR: How They Work Together for SAP

Many SAP AI applications process both structured ERP data and personal data about employees, customers, or suppliers. When personal data is involved, both GDPR and the EU AI Act apply simultaneously. Here's how they interact:

Where GDPR Applies

Where EU AI Act Applies

The Dual Compliance Checklist for SAP HR AI

SuccessFactors AI — GDPR + EU AI Act Combined Checklist

GDPR lawful basis documented for all HR AI processing
Data subject access request process updated for AI decisions
Data Protection Impact Assessment (DPIA) completed
EU AI Act Technical Documentation Register created
Candidate/employee AI disclosure notices deployed
Human review process documented and tested
Bias testing completed on recruiting AI training data
Model performance monitoring configured with alerts
Data residency confirmed within EU for personal data
Vendor agreements updated to include EU AI Act clauses

Your 90-Day EU AI Act Compliance Roadmap

Don't try to solve everything at once. This phased plan takes you from unassessed to audit-ready in 90 days:

1
Weeks 1–2: AI Inventory & Risk Classification

Map Every AI System You Deploy

You cannot comply with what you haven't catalogued. Create a comprehensive inventory of every AI-powered feature in your SAP landscape.

  • List all SAP modules using AI features (Joule, ML Foundation, custom BTP models)
  • Include third-party AI tools integrated with SAP (SAVI AI, RPA tools, analytics AI)
  • Apply the 4-tier risk classification to each system
  • Prioritise the high-risk and limited-risk systems for immediate action
2
Weeks 3–5: Gap Analysis Against Obligations

Identify What's Missing for Each High-Risk System

For each high-risk AI system, assess compliance against all 5 obligation pillars and document the gaps.

  • Run a gap analysis checklist against the 5 pillars above
  • Assess existing documentation, monitoring, and oversight processes
  • Interview AI system owners and business process teams
  • Produce a gap report with prioritised remediation actions for each system
3
Weeks 6–8: Remediation — Quick Wins First

Close the Highest-Priority Gaps

Focus on the gaps that are legally obligatory and can be addressed quickly — documentation, disclosure notices, and human oversight workflows.

  • Create Technical Documentation records for each high-risk AI system
  • Add AI disclosure language to employee and customer-facing communications
  • Design and implement human-in-the-loop approval workflows in SAP
  • Configure model performance monitoring dashboards on SAP BTP
4
Weeks 9–11: Data Governance & Bias Testing

Address the Harder Technical Requirements

Data quality and bias testing require more time but are critical for high-risk HR and credit AI systems.

  • Conduct bias audits on HR AI training datasets
  • Implement data quality gates in SAP Data Intelligence or MDG
  • Run fairness testing across protected characteristics (gender, age, nationality)
  • Document bias mitigation measures and residual risk acceptance
5
Weeks 12–13: Review, Test & Maintain

Validate Compliance and Establish Ongoing Governance

Compliance is not a one-time project — it's an ongoing programme. Set up the governance structures to keep you compliant as AI systems evolve.

  • Conduct a compliance walkthrough with legal and compliance teams
  • Test human override processes with real scenarios
  • Establish an AI Governance Committee with quarterly review cadence
  • Add EU AI Act compliance to your vendor assessment framework for all new AI purchases

Good news for most SAP finance teams: Invoice processing, GR/IR reconciliation, demand forecasting, financial close, P2P automation, and treasury AI are minimal-risk under the EU AI Act. If your SAP AI is limited to finance and supply chain operations with no direct impact on individual employment or credit decisions, your compliance burden is relatively light — focused on transparency disclosures for any conversational AI and voluntary best-practice governance.

Frequently Asked Questions

When does the EU AI Act come into full force?
The EU AI Act entered into force on 1 August 2024. Prohibited AI practices applied from February 2025. High-risk AI system obligations — the most significant for SAP enterprises — are fully enforceable from August 2026. General-purpose AI model rules applied from August 2025. If your organisation uses SAP AI in EU operations, full compliance for any high-risk applications must be achieved by August 2026.
Which SAP AI applications are classified as high-risk under the EU AI Act?
Under Annex III, SAP AI applications likely classified as high-risk include: AI used in HR decisions (CV screening, performance evaluation, attrition prediction), AI that influences credit or financial access decisions (customer credit limits, payment terms), and AI in safety-critical manufacturing processes (EHS systems). Finance automation AI (invoice processing, GR/IR, demand forecasting) and supply chain AI typically fall into the minimal-risk or limited-risk categories.
What is the difference between EU AI Act and GDPR for SAP enterprises?
GDPR governs the processing of personal data — it applies whenever AI processes data about identifiable individuals (employees, customers). The EU AI Act governs the risk profile and governance of the AI system itself — it applies based on what decisions the AI supports, regardless of whether personal data is involved. SAP enterprises typically need both: GDPR compliance for any AI touching personal data, and EU AI Act compliance for the risk classification and governance of each AI system.
What are the penalties for EU AI Act non-compliance?
Penalties are tiered: prohibited AI practices — up to €35 million or 7% of global annual turnover (whichever is higher). High-risk AI non-compliance — up to €15 million or 3% of global annual turnover. Providing incorrect information to authorities — up to €7.5 million or 1.5% of global annual turnover. For a €5 billion revenue company, 3% equals €150 million — making compliance investment far cheaper than the alternative.
Does the EU AI Act apply to SAP enterprises outside the EU?
Yes — the EU AI Act has extraterritorial reach similar to GDPR. It applies to any AI system placed on the EU market or used in the EU, regardless of where the deployer is headquartered. US, UK, or Asian enterprises using SAP AI to serve EU customers, process EU employee data, or operate EU facilities must comply. Assess your exposure through your EU-facing operations and include EU AI Act obligations in your global AI governance framework.
Does SAP BTP AI Core help with EU AI Act compliance?
Yes, partially. SAP BTP AI Core provides EU data residency options, role-based access controls, audit logging, and model versioning — all of which support EU AI Act compliance. However, the platform alone does not make you compliant. You still need to complete the risk classification, write Technical Documentation, implement human oversight mechanisms, conduct conformity assessments for high-risk systems, and train your teams. The platform provides the technical foundation; governance is your responsibility.
What is the 'human-in-the-loop' requirement under the EU AI Act?
For high-risk AI systems, the Act requires that humans can effectively oversee the AI, understand its outputs, intervene when needed, and override or stop the system. Effective oversight means reviewers must have the capability, authority, and time to meaningfully review AI recommendations — not just rubber-stamp them. Design SAP approval workflows so that AI decisions affecting workers or significant financial outcomes include explainability data and give reviewers genuine authority to override.
SA
SAVI AI Compliance & Governance Team

SAP AI compliance specialists tracking EU AI Act implementation across enterprise deployments in manufacturing, financial services, retail, and life sciences. This guide is for informational purposes and does not constitute legal advice — consult qualified legal counsel for your specific compliance programme.

Need Help Assessing Your SAP AI Compliance?

SAVI AI's compliance-ready platform includes built-in audit trails, human oversight workflows, EU data residency, and model performance monitoring — designed to meet EU AI Act obligations from day one. Book a compliance assessment with our team.