The high-risk obligations of the EU AI Act are due to apply from 2 August 2026, which is now about seven weeks away. At the same time, there is an active debate in Brussels about whether some of those obligations should be pushed back. A proposed package, often called the Digital AI Omnibus, has floated deferring parts of the high-risk regime toward 2027, and lawmakers reached a political agreement in May 2026 on revisions to the Act. None of that delay has been enacted into law, so as things stand today the August 2026 date is still the operative one.
That puts professional teams in an awkward spot. The deadline might move, or it might not, and the firms watching the news are understandably tempted to wait and see before investing in readiness. We think that is the wrong bet, not because we can predict what Brussels will do, but because the work the deadline asks for is worth doing regardless of which date it eventually lands on.
It is genuinely unclear whether the high-risk obligations will apply in August 2026 or slip into 2027. The Commission floated a deferral, the Parliament and Council have been negotiating, and the legal text has not been changed. Anyone telling you with certainty which way it goes is guessing. The honest position is that the date is contested and the current law still points at August 2026.
But a deadline is just a date. The thing the deadline points at, a defensible way of producing and reviewing AI-assisted work, does not get less important if the date moves by a year. A firm that treats the possible delay as permission to do nothing is not saving effort. It is postponing the same work into a smaller window later, while carrying the same risk in the meantime.
There are three reasons the wait-and-see approach tends to backfire. The first is simple: the delay may not happen. If a firm bets on 2027 and the date holds at August 2026, it has seven weeks to build a review and record-keeping capability that realistically takes months to embed into how a team actually works. That is not a position any professional services firm wants to be in when the penalties for high-risk non-compliance reach into the millions of euros or a percentage of global turnover.
The second reason is that the operational work takes time even when there is no deadline pressure. Building a habit where AI-assisted work is reviewed before delivery, sources are checked, and a named person signs off is a change in how people work, not a switch that gets flipped the week before a regulation applies. The firms that start now have time to find what fits their workflow and fix what does not, instead of bolting on a process under duress.
The third reason is the one that has nothing to do with regulation at all: clients are already starting to ask how AI-assisted work was checked, and that question is not waiting for a date in Brussels. The operational capability the EU AI Act pushes toward, a record of what was reviewed and who signed off, is the same capability a client expects when they challenge a deliverable. Build it for one and you have built it for the other.
Part of what makes the deadline feel daunting is a misunderstanding of what it asks for. For most professional teams using AI, the relevant obligations are not about certifying a model or proving a piece of software is safe. They are about how the team uses AI: meaningful human oversight before AI-assisted output is relied on, record-keeping that lets the work be reconstructed afterward, and the ability to show what was checked and by whom.
Those are operational requirements, not paperwork to be filed once and forgotten. A firm meets them by having a real review step with a named reviewer, by keeping a durable record of what that review covered, and by being able to produce that record on request. None of that depends on the exact calendar date the obligation formally applies. It is good practice the day before the deadline and the day after, whichever year the deadline turns out to be.
The most resilient response to a contested deadline is to stop treating it as a countdown and start treating it as a description of a capability worth having. That review layer is what Qonera is built for. It helps teams verify source quality, compare model outputs, flag unsupported claims, and record named sign-off through a structured review and approval workflow before AI-assisted work is delivered. The tamper-evident audit trail records who reviewed what and when, so the firm can produce the record whether the person asking is a client, a partner, or a regulator.
Qonera does not make a firm compliant, and no tool can: compliance is a determination about an organisation and its specific use of AI, not a feature you switch on. What a structured review workflow does is give teams the practical controls the EU AI Act pushes toward, so that whenever the obligations apply, the firm is already working the way they require rather than scrambling to retrofit a process. The published Conformity Assessment and Fundamental Rights Impact Assessment set out how we map the platform to the relevant articles.
Whether the high-risk obligations apply in August 2026 or are deferred into 2027, the underlying expectation is the same: teams using AI for work that matters should be able to show that the work was reviewed before it was relied on. That expectation is already arriving through clients, procurement questionnaires, and professional reputation, well ahead of any enforcement date. The firms that build the review capability now are not betting on a deadline. They are building something that holds up regardless of what Brussels decides, and that is the only bet in this situation that does not depend on guessing the outcome of a negotiation nobody controls.
This article is for general information only and does not provide legal advice. Regulatory timelines for the EU AI Act are subject to change, and the status described here reflects the position as understood at the time of writing. Organisations should consult qualified legal counsel about how the EU AI Act and its deadlines apply to their specific systems, workflows, and obligations.