Buy Now
Free Reference · 2026

AI Compliance Deadlines & Documentation Reference - 2026

Five frameworks. Three upcoming deadlines. One reference sheet.

This page is an informational reference, not legal advice or a compliance determination. Dates, enforcement timelines, and rule status can change. Review the linked primary sources and consult qualified legal counsel before relying on this page for compliance decisions.

Try the Free Classifier Download PDF ↓
June 30, 2026
Colorado SB 24-205
August 2, 2026
EU AI Act Annex III
January 1, 2027
CPRA ADMT

NYC LL144 and Illinois AIVIA/HB 3773 - already enforced

Colorado SB 24-205
June 30, 2026
Status: Active law. Prepare for the existing law as written.
Who's Affected

Developers and deployers of high-risk AI systems used in consequential decisions (employment, housing, lending, healthcare, education, legal services, essential government services, insurance) affecting Colorado consumers.

Documentation Areas
  • Risk management policy and program (NIST AI RMF or ISO 42001 aligned)
  • Impact assessment per high-risk system (within 90 days of effective date, then annually)
  • Consumer pre-decision notice (AI involvement disclosed before consequential decision)
  • Consumer adverse-action notice (with explanation and appeal option)
  • Public website statement (types of high-risk systems deployed and discrimination risk management)
  • AG discrimination discovery notice (within 90 days of discovering algorithmic discrimination)
  • Annual impact assessment review and update
Penalty reference
Colorado Consumer Protection Act penalties apply, including civil penalties that can reach up to $20,000 per violation. Enforcement is by the Attorney General, with a 60-day cure period in the AI Act framework. Penalty amounts and enforcement outcomes depend on the facts, enforcement authority, and applicable legal analysis.
Affirmative Defense
Compliance with NIST AI RMF or ISO 42001 creates rebuttable presumption.
EU AI Act - Annex III High-Risk Systems
August 2, 2026
Status: Active regulation (entered into force August 1, 2024). Digital Omnibus proposal could delay to December 2027 - not yet adopted. Treat August 2 as binding.
Who's Affected

Providers and deployers of AI systems in Annex III domains (biometrics, critical infrastructure, education, employment, essential services/credit scoring, law enforcement, migration, justice/democracy) serving EU users - regardless of where your company is headquartered.

Documentation Areas
  • Annex IV technical documentation (9 sections: system description, design specs, data requirements, human oversight, predetermined changes, validation/testing, risk management, standards mapping, post-market monitoring)
  • Risk management system (Article 9)
  • Data governance procedures (Article 10)
  • Conformity assessment (self-assessment or third-party per Annex VI/VII)
  • EU database registration (Annex VIII fields)
  • Post-market monitoring plan (Article 72)
  • Serious incident reporting protocol (Article 73)
  • CE marking and EU declaration of conformity
  • Transparency disclosures (Article 50 - applies to all AI, not just high-risk)
Penalty reference
Up to €35M or 7% of global turnover for prohibited practices. Up to €15M or 3% for high-risk non-compliance. Penalty amounts and enforcement outcomes depend on the facts, enforcement authority, and applicable legal analysis.
CPRA ADMT (California)
January 1, 2027
Status: Regulations effective January 1, 2026. Risk assessment compliance begins January 1, 2026. Submission deadlines are phased: April 1, 2028 / 2029 / 2030 depending on annual revenue.
Who's Affected

Any CCPA "business" (for-profit, doing business in CA, meeting revenue/data volume thresholds) using automated decision-making technology for "significant decisions" (financial/lending, housing, education, employment, healthcare) affecting California consumers.

Documentation Areas
  • Pre-use consumer notice (purpose, how ADMT works, outputs, alternative process)
  • Opt-out mechanism (or documented exception: human appeal, admission/hiring, work allocation)
  • Consumer access rights response procedures
  • Risk assessment report (purpose, impacts, safeguards, governance signoff)
  • Risk assessment 3-year review cycle with 45-day material change updates
  • Annual metrics compilation and disclosure (if processing PI of 10M+ consumers)
  • Anti-dark pattern UI testing documentation
  • Executive management attestation for risk assessment submissions
Penalty reference
Standard CCPA enforcement - up to $7,500 per intentional violation. Penalty amounts and enforcement outcomes depend on the facts, enforcement authority, and applicable legal analysis.
Key Nuance
ADMT = computation + personal information + replaces or substantially replaces human decision-making. Advertising is explicitly excluded. Human involvement (3-part AND test) can take you out of scope.
NYC Local Law 144
Already Enforced
Status: Active DCWP enforcement. Effective July 5, 2023.
Who's Affected

Employers and employment agencies using automated employment decision tools (AEDTs) for hiring or promotion decisions in New York City.

Documentation Areas
  • Annual independent bias audit (selection rate and impact ratio by race/ethnicity and sex)
  • Published bias audit summary on employer's website
  • Candidate notice (at least 10 business days before AEDT use)
  • Data type disclosure (what data the AEDT collects and analyzes)
  • Alternative process disclosure (how candidates can request alternative selection)
  • Records retention for bias audits (minimum 4 years under DCWP rules)
Penalty reference
$375–$1,500 per violation (first offense: $500). Each day of non-compliance with notice = separate violation. Each person not notified = separate violation. Penalty amounts and enforcement outcomes depend on the facts, enforcement authority, and applicable legal analysis.
Illinois AI Employment Laws (AIVIA + HB 3773)
Already Enforced
Status: Both laws active. AIVIA: January 1, 2020. HB 3773: January 1, 2026.
Who's Affected

AIVIA - any employer using AI to analyze video interviews in Illinois. HB 3773 - any employer using AI for employment decisions (screening, evaluation, discipline, termination) in Illinois.

Documentation Areas (AIVIA)
  • Pre-interview notice (AI analysis disclosed before interview)
  • Applicant consent (affirmative consent required before AI analysis)
  • Video deletion process (within 30 days of applicant request)
  • AI provider certification records
Documentation Areas (HB 3773)
  • Notice to employees and applicants when AI is used in employment decisions
  • Prohibition on using AI in a way that results in unlawful discrimination based on protected characteristics
Documentation Areas (Both)
  • Demographic data collection and reporting to IDCEO - applies only when an employer relies solely on AI video interview analysis to determine whether an applicant receives an in-person interview
  • Bias monitoring measures
Penalty reference
Enforced through Illinois Human Rights Act and Illinois Department of Labor. Civil penalties vary. Penalty amounts and enforcement outcomes depend on the facts, enforcement authority, and applicable legal analysis.
Cross-Framework Insight

Many of these frameworks require overlapping documentation. A single AI system used in hiring may raise review questions across multiple frameworks. The core artifacts - system description, risk assessment, notice mechanisms, bias controls - overlap significantly. The challenge is mapping one set of documentation to five different legal frameworks with different terminology and citation requirements.

Screen selected frameworks that may be relevant for review in 2 minutes.

Free multi-framework screener - no signup needed.

Take the Free Screener →

Need to produce the actual documentation?

Berly helps organize AI system records, supporting evidence, review notes, and exportable documentation packages across selected AI governance frameworks.

Learn More →

AI Documentation Crosswalk →