In under two weeks, on 2 August 2026, most of the remaining obligations of the EU AI Act are due to begin applying. The date has generated a year of countdowns, a deferral debate in Brussels that has been argued but not enacted, and a fog of secondhand summaries. What it has generated less of is a plain answer to the practical question: for a professional team using AI in its work, what is actually different on August 3 compared to August 1?
The honest answer has two parts. Formally, the change is about high-risk AI systems: the obligations attached to providing and deploying them, oversight, record-keeping, transparency, risk management, move from published text to applicable law, with an enforcement regime behind them. Whether any given firm’s use of AI falls in scope is a genuinely legal question that depends on what the system does and how it is used, and it is exactly the question to put to counsel rather than to a blog post, ours included.
But the formal trigger understates what shifts. Regulatory dates change behavior well beyond their strict scope, because they reset what counts as a reasonable question. From August, a client asking “how is your AI-assisted work reviewed and recorded?” is not being avant-garde; they are echoing the law of the land’s general direction. Procurement templates absorb the vocabulary. Insurers and auditors update their questionnaires. The date functions as permission for everyone in your commercial orbit to ask the questions they were already curious about.
This is why the in-scope/out-of-scope debate, while legally essential, is commercially secondary for most professional teams. The expectations the Act codifies for high-risk systems, human oversight of AI output, records that can reconstruct what was done, transparency about AI involvement, incident handling, are becoming the general grammar of trustworthy AI use. Firms will be measured against that grammar by clients long before any regulator looks their way, and regardless of where their tools land in the risk taxonomy.
Two weeks is not enough time to become a different organization, and pretending otherwise produces the worst outcome: paper controls, written in a rush, describing a process nobody actually runs. A binder that says every output is reviewed, sitting on top of a workflow where nothing stops for review, is not readiness. It is documented non-compliance with your own policy, which is a strictly worse position than honesty about where you are.
The useful two-week move is smaller and real: pick the workflow that faces clients most directly, and make its review actual, a defined gate, a named reviewer, a record that writes itself. One workflow genuinely governed beats ten notionally covered, and it becomes the template the rest follow.
It is still possible parts of the high-risk regime get deferred; the omnibus discussions continue, and nothing here predicts Brussels. But notice what a deferral would not change: clients will still ask their questions, the grammar of oversight, records, and accountability will still be the standard your work is read against, and the firms that built the capability will still be the ones with the easy answers. August 2 was never really the point. It was the calendar making the direction legible.
Qonera exists so that the capability is something teams adopt rather than construct: grounded, cited answers, gated review with named sign-off, incident reporting, and a tamper evident audit trail inside one review and approval workflow. How the platform maps to the Act’s articles is published on the EU AI Act page. Whatever happens in Brussels this month, the work either has a review behind it or it does not, and after August 2 far more people feel entitled to ask which.
This article is for general information only and does not provide legal advice. Regulatory timelines for the EU AI Act are subject to change, and the status described here reflects the position as understood at the time of writing. Organisations should consult qualified legal counsel about how the EU AI Act and its deadlines apply to their specific systems, workflows, and obligations.
Multi-model stress testing, Conflict Heatmap, tamper-evident audit trail, and structured sign-off, built for teams who need defensible AI output.