Twelve weeks until the dust settles
A Tuesday morning at a mortgage firm with 32 employees. An adviser is working through a complex file and pastes three paragraphs of client data into ChatGPT to get a summary faster. That saves four minutes. And it costs you something you cannot see right now.
On 2 August 2026, that invisible something becomes legally real. Enforcement of the European AI Act starts then. The fines become active. The Dutch Data Protection Authority and the ACM get teeth. For most owner-directors in our corner, that is no reason to panic, but it is the moment when a question you could put off until now can no longer be postponed.
What actually changes on 2 August
From 2 August 2026, the European AI Office has full enforcement powers. It can request information from providers of AI models, mandate mitigation measures and impose fines. The heaviest fine, up to 35 million euros or 7 percent of global annual turnover, applies to prohibited AI practices under Article 5 (think social scoring or manipulative emotion detection). For other violations, such as insufficient documentation or working with a GPAI model that is itself not compliant, a lower tier applies, up to 15 million euros or 3 percent of global annual turnover.
An important nuance, because this is where much of the panic comes from. The heavy obligations (technical audits, model documentation, certification) apply to high-risk AI, meaning AI in healthcare, recruitment, credit scoring and critical infrastructure. A 30-FTE mortgage firm using ChatGPT rarely falls into that category. In most cases you are not a provider, you are a deployer.
What does change for you as a deployer
Three things become concrete. First, you need to know which AI tools are running within your organisation, including the tools nobody officially purchased. Second, you need to be able to demonstrate that the providers of those tools are themselves compliant with the AI Act. Third, your employees need to know how they are allowed to use the tools: with which data, and with which data never.
On paper that sounds simple. In practice it rarely is. Ask around on any working day which AI tools are active internally at your firm. Chances are the list is longer than you think and that a few of those tools appear in no contract or policy anywhere.
The question the law asks is the same question you should be asking yourself
Which AI do we use, who is responsible, which client data passes through it, and what happens if a tool drops out or makes a mistake? That is not a legal exercise. That is operational hygiene, and it should have been done long ago, independent of Brussels.
For professional-services firms specifically, this weighs more heavily than for other sectors. A mortgage adviser, estate agent, insurance firm or accountant processes sensitive personal data by definition. Citizen service numbers, financing files, claims, purchase agreements, valuation data. If that data has left the building via an unofficial ChatGPT prompt, that is not an AI experiment, that is a GDPR incident in the making.
Where the law and practice meet
At the intersection of the AI Act and operational work sits the AI audit. Not as a legal product, but as a baseline. An audit answers three questions at once in 14 days. Which AI tools are running at your firm, official and unofficial? What is the risk of each of them, both legally and operationally? And, usually the pleasant surprise: where is the time saving you are currently missing?
An example we see often. A mortgage firm processes 60 financing requests per day. The advisers use three different AI tools on their own initiative to summarise files. Nobody on the management side knows which ones. An audit brings that into view, classifies the risk per tool, scraps two tools that are not GDPR-proof, and identifies which four processes can almost immediately free up 50 to 100 hours per month if you set them up officially and under control.
What comes after the audit
The audit is not the final stop. It is the inventory from which three paths follow. Option one: you get to work on the roadmap yourself, in small steps, at your own pace. Option two: you have us implement the first use case as a five-to-eight-week project (see also our page on AI Software). Option three: an AIOS engagement in which we stay connected as a structural partner and keep developing the AI layer underneath your organisation.
Which path you choose depends on your company stage and on what the audit surfaces. But without that baseline, every subsequent decision remains a gut-feel gamble. AI that works in your field starts with knowing what is running at your firm.
The first step
Enforcement starts in twelve weeks. That is enough time to do an audit, process the report and pick up the first priority. Not enough to put it off for another quarter.
Fourteen days from the interview day, a fixed price, a report with 8 to 15 scored opportunities, a priority list and a follow-up proposal. Eight to ten hours of time investment on your side. After that you know what is running, where the risk sits and which three processes should be tackled first.


