The EU AI Act created board obligations — the briefing just never arrived

Most boards treated AI as a technology decision. Handed it to IT. Flagged it for legal. Put it on next year’s agenda and moved on. That felt responsible. It isn’t.
The EU AI Act makes AI a board responsibility. Not a department responsibility. Not a vendor responsibility. Yours. Since February 2025.
This piece draws on the EU AI Act and on copyright legislation. Both are in effect. Both are moving. Sources at the bottom.
Here is what every board needs to know.
1. Training your people is a legal obligation
This is not something to include in next year’s planning cycle. It has been law since February 2025.
→ If your organization uses AI, in any form, for any purpose, you are required to ensure that everyone who works with it understands how it functions, where it fails, and what the risks are.
And yes, that probably includes employees using their personal ChatGPT account to write a report or analyse a document. The tool is personal. The obligation is not.
Expect the regulator to ask who was trained, on what, and when. If you cannot show that, you cannot demonstrate compliance, and the burden of showing it is yours.
Later in this piece, I describe what your board and people actually need to learn.
2. Your vendor contract doesn’t cover you
OpenAI, Microsoft, Google, and the AI feature quietly built into your CRM, your HR platform, your marketing software. They all have their own legal obligations as the organizations that build these tools. You have yours as the organization that uses them. Those are not the same. One does not cover the other.
→ When something goes wrong, the regulator comes to you. Not to your vendor.
There is a second trap most boards do not see. If your organization puts its own name on a high-risk system, substantially modifies it, or changes its intended purpose so that it becomes high-risk, you are no longer just a user. Legally you become the provider, with all the obligations that come with that. Fine-tuning a system on your own data can cross that line, so treat every adaptation as a decision that needs checking, not as an IT task.
Your vendor signed a contract. You signed up for the liability.
3. Your HR tools are probably high-risk
The recruitment software that screens applications before your HR manager sees them. The system that supports performance reviews. The tool that tracks productivity or predicts absence. The EU AI Act classifies all of these as high-risk by default.
→ High-risk does not mean illegal. It means strict obligations before and during use: human oversight by trained staff, use according to the provider's instructions, monitoring, keeping the system's logs, and informing the affected employees and their representatives before the system goes live. Public bodies and some sectors, such as credit and insurance, must also carry out a formal fundamental rights impact assessment.
Some tools cross a different line entirely. Emotion recognition software in the workplace, including tools that claim to read a candidate's honesty or stress from face or voice in a job interview, is not high-risk. It is prohibited, outside narrow medical and safety exceptions. And before you put any high-risk AI system that touches your people into service, you are required to inform them. Employees have the right to know. You do not get to decide that on their behalf.
4. If you use AI, you have to say so
Your customers have the right to know when they are talking to a machine. The EU AI Act makes it your obligation to tell them.
Any customer-facing chatbot must make clear that the customer is dealing with an AI system, unless that is obvious. Deepfakes must be visibly disclosed. AI-generated text published to inform the public on matters of public interest must be disclosed as such, unless a human has reviewed it and someone takes editorial responsibility. AI-assisted content outside those cases is a grey area. When in doubt, disclose.
→ These obligations apply from 2 August 2026. GDPR transparency duties for automated decisions about individuals apply already.
This is not a legal footnote. It hits brand trust, customer relationships, and liability at the same time. And when your organization gets it wrong, you do not get to manage that story. The regulator tells it.
5. What your AI writes, anyone can copy
Pure AI output has no copyright protection. That proposal. That report. That campaign. If a human did not meaningfully shape it, it is not yours. Anyone can take it, use it, publish it. You have no legal claim.
There is a second risk most boards do not see coming. If your AI tool trained on someone else’s copyrighted work and your output looks too similar, you can be sued for infringement. Even though you did not write a word of it.
→ Most organizations are producing work they think they own but legally cannot protect.
For extensive reports, make sure a human shaped the final output, save the chats, and name that person as the responsible author.
A note on this point: copyright sits outside the EU AI Act. It is governed by separate legislation. It belongs in this piece because it is a direct consequence of how most organizations use AI today.
The cost of getting this wrong
The fines are bigger than GDPR's. Up to € 35 million or 7% of global annual turnover, whichever is higher, for prohibited practices; up to € 15 million or 3% for most other breaches, including the high-risk obligations. They come on top of any GDPR fines for the same incident. One incident, two regulators, two bills.
The full enforcement machinery is still being built. National authorities are being set up and harmonized standards are not yet final. But the fines regime has been active since August 2025. The law is not waiting for governments to catch up.
Roll out AI without proper process and your own people can stop you. Anyone can lodge a complaint with the national market surveillance authority about an AI system that affects them, and one complaint can be enough to trigger an investigation. On top of that, national works council legislation (in the Netherlands, for example, from 50 employees) can give the works council a consent right over systems that monitor or assess staff, which means it can block a deployment after you have paid for it and announced it. That threshold comes from national labour law, not from the AI Act itself.
When something goes wrong, your customers and employees will not hear it from you first. Transparency obligations mean the regulator tells the story. You do not get to manage that narrative.
Where to start: being compliant
Awareness is not compliance. Knowing the risks is not the same as managing them.
- Start here. Make a list of every AI tool your organization uses. Not what IT approved. What people actually use. ChatGPT on personal accounts. The AI feature inside your CRM. The recruitment software your HR team bought last year. Every tool.
- For each one, ask three questions. Does it make decisions about people? Does it process personal or confidential data? Was it ever adapted or fine-tuned for your specific needs? The answers tell you where your risk sits.
- Then go to your legal team, not with “are we compliant?” but with “here are our tools, here is what they do, what do we need to put in place?” That is a conversation legal can actually work with.
That is step zero. Most boards have not taken it yet.
Where to start: the training question
The legal obligation to train your people is covered in point one. Three things your board and people need to be trained on.
- Learn to talk to machines. This is not about writing a better prompt. It is about giving AI clear, structured instructions, and about breaking your own work processes into steps that AI can actually execute. Once people can do that, agents and automation follow naturally. Not as a technology project. As a logical next step.
- Bias and ethics, the lines you cannot see. Bias is not hypothetical. It is happening in tools organizations are already using. Every AI system learned from human data, so every AI system carries human bias. You will not see it. Your employees will not flag it. But when your hiring tool quietly filters out women, or your customer model disadvantages certain postcodes, you are responsible. Ethics sits right next to it: digital manipulation, exclusion by algorithm, personalization that exploits rather than serves.
- Data safety: know what goes where. There is a fundamental difference between a tool covered by your organization's licence and data-processing agreement, such as Copilot inside your Microsoft 365 tenant, and a personal ChatGPT, Claude or Gemini account. The first keeps your data under your contract. The second may use what you paste into it for training unless the user opts out, and no agreement of yours covers it. Customer data. Financial projections. Legal documents. Most employees do not know the difference. Most boards have not set a policy.
This is trainable. Not in a one-day workshop. In a structured program that builds understanding for those who work with AI every day.
→ If you want to know what both starting points look like for your organization, get in touch.
Sources and notes
This piece draws on two legal frameworks: the EU AI Act and copyright legislation. For other regions, different rules may apply.
What I do is translate the legal parts that matter to the board. I am not a lawyer. For anything specific to your organization, talk to your legal department.
One more thing. The law is already in effect, parts of it since February 2025. And it keeps moving. The Digital Omnibus agreement of May 2026 is the most recent example: a significant shift in deadlines that happened with little public notice.
By the time most organizations hear about a change, it has already taken effect. A yearly legal update is not enough. This needs to be on your agenda throughout the year.
