
EU AI Act from August 2026: What SAP Business AI Users Must Document


The EU AI Act imposes strict requirements on high-risk systems. SAP brings certifications (ISO/IEC 42001, SOC 2), but documentation, risk analysis, and human oversight remain with the customer. This article covers where SAP Business AI use cases fall in scope, what documentation is mandatory, and which governance moments are due before August 2026.


1. Timeline and Scope

On 2 August 2026, the EU AI Act becomes fully applicable to high-risk AI systems. What many organisations underestimate: that date is not the start of a transition period. It is the end of one. Full enforcement applies from that day forward.

The milestones: the regulation entered into force in August 2024. Prohibitions on unacceptable AI practices have applied since February 2025. Rules for general-purpose AI models follow from August 2025. Full applicability for high-risk AI systems begins on 2 August 2026 (Source: European Commission, AI Act Regulatory Framework).

Geographically: any organisation operating SAP Business AI use cases in the EU, or processing data relating to EU residents, falls within scope. Companies headquartered outside the EU that deploy systems in the EU, or whose outputs affect EU citizens, are also addressed (Source: Holland & Knight, EU AI Act Compliance Deadline April 2026).

The EU AI Act distinguishes four risk categories: prohibited, high-risk, limited risk, and minimal risk. For SAP Business AI users, the high-risk classification represents the decisive governance moment.


2. What Counts as High-Risk in SAP Use Cases

Not every AI function in SAP Business AI is high-risk. What matters is the use case you are covering, not the tool you are using.

The EU AI Act classifies systems deployed in the following areas as high-risk:

HR and personnel decisions: Automated applicant screening, performance evaluation, and candidate prioritisation. In SAP SuccessFactors, this applies directly to AI-assisted recruiting and performance management features. Anyone using Joule for candidate selection or evaluation support is operating in high-risk territory.

Credit scoring and financial decisions: AI-assisted credit assessments, automated lending decisions, and risk-based pricing fall into the high-risk category. In SAP Finance contexts, this covers AI features embedded in credit management or risk steering.

Critical infrastructure and supply chain: Procurement AI that steers supply chains or prioritises constraints can fall into the high-risk category depending on industry context. The same applies to supply chain AI in safety-relevant sectors.

Worker management: Systems that automate working time, task assignment, or performance monitoring are subject to the same stringent requirements.

The governance moment here sits before go-live, not after: use-case classification must be completed before productive AI functions are brought into operation. Organisations already running productive use cases perform the classification retroactively.

Sources: European Commission, AI Act Regulatory Framework; SAP Trust Center, How SAP aligns with the EU AI Act.


3. What SAP Certifications Cover and What They Do Not

SAP was among the first global vendors to obtain ISO/IEC 42001 certification for AI management systems. In addition, SAP publishes regular SOC 2 Type II reports and holds ISO 27001 for information security management.

These certifications provide substantial evidence of SAP's obligations as a provider. They cover SAP's AI governance processes, roles and responsibilities on the vendor side, controlled deployment of SAP products, monitoring at infrastructure level, and transparency requirements vis-à-vis regulators.

What they do not cover: your own deployer obligations.

The EU AI Act draws a clear line between provider and deployer. SAP is the provider. Your organisation is the deployer. As deployer, you are responsible for risk classification of your use cases, technical documentation of your own systems, human oversight in productive processes, and logging at the application level.

SAP's certifications support you as evidence of the platform's quality. They do not replace your own documentation. This governance moment cannot be delegated (Source: SAP Trust Center).


4. What You as a Customer Must Document

For high-risk AI systems, the EU AI Act requires complete technical documentation before the system goes into operation. The following seven items form the core requirements for SAP Business AI deployers:

1. Use-Case Register with Risk Classification: Every productive AI use case is recorded and classified. For each use case: description of the function, affected data categories, and the high-risk assessment with its justification. This register is the foundation for all subsequent obligations.

2. Technical Documentation of the AI System: Architecture of the components deployed (which SAP AI features, which foundation models via GenAI Hub), the data flow from input through to decision output, and the models used together with their limitations. SAP provides system-level documentation via the Trust Center. The application level is yours to document.

3. Risk Management System: Identification of potential risks (faulty decisions, bias, unintended outputs), assessment of likelihood and impact, and defined mitigation measures. The risk management system is not a one-off document. It is an ongoing process.

4. Human Oversight Concept: Who monitors AI-assisted decisions, and on what basis? At which outputs does a human intervene without exception? How is a decision recorded when a human departs from the AI recommendation? The EU AI Act requires human oversight not as a formality, but as demonstrable control. This is a governance moment that must be operationalised, not just written down.

5. Logging and Audit Trails: Audit logs for all productive AI decisions in the high-risk domain, with retention periods defined and the BTP logging configuration activated. This governance moment sits in the technical configuration, not only in policy documents.

6. Transparency Towards Affected Individuals: Anyone subject to an AI decision must be informed of that fact. For HR use cases, including applicant screening and performance evaluation, this is a direct statutory requirement. How you operationalise this transparency is part of the documentation.

7. Emergency Shutdown Procedures: For every high-risk use case, a procedure for immediate system deactivation is documented. Who decides, how is it escalated, and which processes run manually in the interim? This governance moment is operational and organisational.

Source: SAP Insider, Sapphire 2026 AI Agent Guardrails.


5. Sector-Specific Additional Requirements

The EU AI Act is the base layer. For regulated industries, sector-specific requirements apply on top, and in some cases they are stricter.

Finance: BaFin and EBA

Financial institutions in Germany and the EU are additionally subject to BaFin and EBA requirements. These demand a standalone AI use-case inventory for all AI systems in credit and risk management. Explainability of AI decisions is mandatory, not optional. DORA (Digital Operational Resilience Act) adds its own operational resilience standards and incident reporting obligations for AI services in critical systems. For SAP Finance AI, every governance moment in the credit management process carries documentation obligations.

Pharma and Life Sciences

GxP validation is a prerequisite for AI components used in regulated manufacturing processes or quality assurance. Organisations using SAP AI features in pharmaceutical supply chains must verify whether those components can be GxP-validated. SAP does not provide a generic sector certification for this: the burden of proof lies with the customer.

Public Sector

Government bodies and public contracting authorities in Germany operate under BSI requirements. For AI services in cloud environments, the BSI C5 attestation is the reference framework. SAP Business AI on BTP can use the C5 attestation as a basis; application-level compliance remains with the operator.

In all three sectors: documentation obligations under the EU AI Act are not replaced by sector-specific frameworks. They are supplemented by them.


6. Before August 2026: Concrete Governance Moments

Three months before the deadline, the required action breaks down into three governance moments:

Governance Moment 1: Build the Use-Case Inventory

Record all productive SAP Business AI use cases. For each: active or not, high-risk yes or no, documentation status. A simple register is sufficient as a starting point. Organisations that do not yet know which AI features are in use start with an inventory of activated Joule skills, SuccessFactors AI features, and GenAI Hub connections.

Governance Moment 2: Clarify Deployer Obligations

For each high-risk use case: who is responsible internally? What documentation is missing? By when is human oversight defined and operational? This governance moment requires alignment between IT, Compliance, and the business functions using AI features.

Governance Moment 3: Build Ongoing Governance

EU AI Act compliance is not a one-off project. Risk management, logging, and human oversight are ongoing governance tasks. Organisations that build this layer now have a governance structure that covers future AI rollouts as well. SAP's AI Agent Hub (Q3 2026 GA) can serve as an operational tool here.


FAQ

Does the EU AI Act apply if SAP acts as our processor?

Yes. The EU AI Act addresses the deployer, meaning the organisation that brings an AI system into operation and uses it. Whether SAP acts as technical processor or controller is a data protection question and is separate from AI Act liability. As deployer, you remain responsible for risk classification, human oversight, and documentation.

SAP holds ISO/IEC 42001. Is that sufficient evidence of our compliance?

No. SAP's certification demonstrates SAP's provider-side processes. Your deployer obligations, including use-case classification, technical documentation, and human oversight at the application level, must be documented and evidenced by you. SAP's Trust Center documents are a useful starting point for system descriptions, but they do not substitute for your own governance documentation.

What happens if we are not fully documented by 2 August 2026?

The EU AI Act provides for fines of up to 30 million euros or 6 percent of global annual turnover for high-risk systems without complete documentation. More significant than the fine level: supervisory authorities can prohibit use of a non-compliant system. Organisations that can present a structured, traceable documentation register by August 2026 are in a substantially stronger position than those with no governance layer in place.

Which SAP tools support compliance documentation?

SAP's AI Agent Hub (Q3 2026, based on LeanIX) provides discovery, verification, and observability for AI agents and is designed primarily as a compliance instrument. BTP audit logs are configurable and cover the logging obligation at infrastructure level. For application-level documentation and the risk management system, there is no SAP standard tool. That responsibility lies with the customer.


Sources: European Commission, AI Act Regulatory Framework; SAP Trust Center, How SAP aligns with the EU AI Act; Holland & Knight, U.S. Companies Face EU AI Act's August 2026 Compliance Deadline; SAP Insider, Sapphire 2026 AI Agent Guardrails.


Next Steps

If you would like your current contract reviewed for risks and available commercial levers: the FinOptory Contract Check is a fixed-price engagement that delivers a structured basis within four weeks.

Written by Bernhard Mändle, Managing Consultant, FinOptory for SAP®