The EU AI Act entered into force on 1 August 2024. The first provisions — the prohibitions on unacceptable-risk AI systems — became applicable on 2 February 2025. On 2 August 2025, the rules governing general-purpose AI models took effect. On 2 August 2026, the obligations for high-risk AI systems become enforceable. That is eleven weeks from today. The organisations treating this as a compliance checkbox are building liability at exactly the moment they should be building capability.
What the Act actually requires is not well understood in most boardrooms. What it will cost to be unprepared is not modelled in most risk registers. What it means for the competitive dynamics of AI adoption in Europe over the next five years is not yet visible to most strategy teams. All three deserve attention before August.
What the Act Actually Requires
The EU AI Act establishes a risk-tiered framework. At the top: prohibited systems — AI applications that present unacceptable risks to fundamental rights, safety, and democratic processes. These include social scoring systems, real-time biometric surveillance in public spaces (with narrow exceptions), AI systems that exploit psychological vulnerabilities to manipulate behaviour, and systems that infer sensitive characteristics from biometric data. These are not theoretical prohibitions. They are already illegal. Any organisation operating such systems in the EU has been in violation since February 2025.
Below that: high-risk AI systems. This is the category that becomes fully enforceable in August 2026, and it is substantially broader than most legal teams have communicated to their boards. High-risk AI includes systems used in critical infrastructure, education and vocational training, employment and human resources (including CV screening, performance monitoring, promotion and termination decisions), essential services (credit scoring, insurance risk assessment), law enforcement, border control, administration of justice, and democratic processes. The list is not exhaustive. It is a starting point.
For high-risk systems, the obligations are substantial: conformity assessments before deployment, technical documentation, human oversight mechanisms, accuracy and robustness requirements, logging and traceability of automated decisions, transparency to affected persons, registration in an EU database. These are not soft obligations. Non-compliance with high-risk AI rules carries fines of up to €30 million or 6% of global annual turnover — whichever is higher.
The Boardroom Misunderstanding
The most common misunderstanding encountered in boardroom conversations about the EU AI Act is the assumption that it primarily affects AI companies — the Googles, Microsofts, and OpenAIs of the world — rather than the enterprises deploying their models. This is incorrect. The Act applies to both providers (who develop AI systems) and deployers (who put them into use). A bank that deploys a third-party credit-scoring AI model is a deployer under the Act. A manufacturer that uses a vendor's AI system to make HR decisions is a deployer. A healthcare organisation that integrates an AI diagnostic tool is a deployer. The obligations on deployers are less extensive than those on providers, but they are real, they are enforceable, and they begin in August 2026.
The second misunderstanding is scope creep in the opposite direction: the assumption that the Act covers all AI. It does not. Most AI applications — recommendation algorithms, search tools, spam filters, AI-assisted content creation, predictive analytics for internal use — fall into the minimal or limited risk categories. For these, the Act requires transparency disclosures (users must know when they are interacting with AI) but no conformity assessment, no registration, no formal oversight mechanism. The compliance burden for the majority of enterprise AI deployments is manageable. The problem is that most organisations have not done the categorisation exercise that would allow them to distinguish their minimal-risk systems from their high-risk ones.
The third misunderstanding is timeline compression. Because the Act's provisions are phased, many boards have concluded that August 2026 is still far away and that compliance can be addressed in Q3. The conformity assessment process for a single high-risk system — which requires technical documentation, risk assessment, human oversight design, accuracy and robustness testing, and registration — typically takes four to six months for an organisation doing it for the first time. An organisation beginning that process in July 2026 will not be compliant by August 2026. The board conversation that should have happened in Q1 is overdue.
The Competitive Dimension Nobody Is Discussing
The framing of the EU AI Act as a regulatory burden misses the competitive dynamic it creates. Organisations that build robust AI governance frameworks in 2026 gain three advantages that extend well beyond compliance.
First, procurement advantage. Public sector bodies and large enterprises subject to their own compliance requirements will increasingly prefer AI vendors and partners who can demonstrate Act-compliant governance. The ability to provide documentation of conformity assessments, human oversight mechanisms, and audit trails becomes a commercial differentiator in B2B and B2G markets. This is already visible in procurement processes across financial services and healthcare in the Netherlands and Germany.
Second, trust infrastructure. The Act's transparency requirements — disclosure when users interact with AI, explanation of automated decisions that affect individuals — create a documented basis for the trust relationships that AI-mediated services require. Organisations that build these capabilities as compliance obligations end up with trust infrastructure that has commercial value beyond the compliance context. The ability to explain an AI-driven credit decision to a customer who asks is not just a regulatory requirement; it is a retention tool.
Third, governance maturity. Organisations that go through a rigorous AI inventory, risk categorisation, and conformity assessment process discover their AI landscape with a clarity that most boards do not currently have. The majority of large enterprises cannot today answer the question: what AI systems are operating within our organisation, and what decisions are they influencing? The Act's compliance process forces the answer. The answer, when it arrives, typically reveals deployments that legal and risk teams were not aware of — and that require immediate attention regardless of the Act.
The Dutch Enterprise Situation
Dutch enterprises are in a specific position. The Netherlands has a high density of financial services, logistics, agriculture-tech, and professional services firms that are deployers of AI at scale. Many of these firms have been early adopters of AI-assisted processes — credit assessment, fraud detection, supply chain optimisation, HR screening — that fall clearly within the high-risk categories. The Dutch Authority for Digital Infrastructure (RDI) has been designated as the national market surveillance authority for the Act, with coordination with the Dutch Data Protection Authority (AP) on data-related provisions.
The AP has been active. Its 2025 enforcement actions against organisations using automated decision-making without adequate transparency or oversight have previewed the enforcement posture that will apply under the Act. Organisations that have already received AP guidance or enforcement action on automated decision-making are at elevated risk of Act non-compliance — because the same practices that drew AP attention are precisely those the Act targets.
The RDI is currently building its enforcement capacity. The expectation within the Dutch regulatory community is that the first high-risk AI enforcement actions under the Act will focus on the highest-impact use cases: credit scoring, insurance risk assessment, and employment decisions. These are sectors where the Netherlands has significant enterprise activity and where automated decision-making is widespread.
What the Board Must Decide Before August
Three decisions. Not a checklist — decisions, with authority and accountability assigned.
Decision one: the AI inventory. Who is accountable for producing a complete inventory of AI systems operating within the organisation, classified by risk category under the Act? This is not a legal function deliverable. It is a cross-functional effort requiring input from IT, operations, HR, finance, and legal. The inventory cannot be produced by any single function working alone, because AI deployment is distributed across functions and the business owners of those deployments are not always visible to central IT or legal. Assign a cross-functional lead with board-level mandate. Set a six-week deadline. Review the output at board level before August.
Decision two: the high-risk response. For each system categorised as high-risk: what is the compliance path? Options are: (a) undergo conformity assessment and register — the full compliance route; (b) modify the system to remove the high-risk classification — sometimes possible through design changes that add human decision authority or narrow the system's scope; (c) discontinue the system — the correct answer for any system where the compliance cost exceeds the operational value, which is more common than organisations expect. Each high-risk system needs an explicit board decision on which path to take. Delegating this to legal without board oversight creates accountability risk.
Decision three: the governance architecture. Who owns AI governance going forward? Not for the Act specifically — permanently. The Act is the first iteration of a regulatory framework that will evolve. The EU's AI Office is already developing further guidance. Member states are building enforcement capacity. The organisations that build internal AI governance functions in 2026 are positioned to navigate an evolving landscape. The organisations that treat the Act as a one-time compliance event will face the next regulatory development without the institutional capacity to respond. Appoint an AI governance lead — whether a Chief AI Officer, a committee, or a designated function within an existing role. Give them authority and resources. Review their work quarterly.
The ZeroForce Perspective
The EU AI Act is the most significant regulatory event for enterprise AI adoption in Europe since GDPR. GDPR's early implementation history is instructive: the organisations that built genuine data governance capability in 2018 — not minimal compliance, but real institutional understanding of their data landscape — outperformed those that treated it as a legal checkbox. Not because the regulator rewarded them, but because the process of understanding your data landscape makes you better at using it.
The same logic applies here. The organisations that use the Act's compliance requirements as a forcing function to understand their AI landscape, build governance infrastructure, and design human oversight into their automated systems will enter 2027 with capabilities their competitors are still scrambling to build. The compliance burden is real. The competitive advantage for those who complete it seriously is also real.
Eleven weeks is not much time. The board conversation about who owns this, what the inventory process looks like, and what the high-risk response will be needs to happen before summer holidays, not after.
Sources: European Commission EU AI Act full text and implementation timeline (Official Journal of the EU, July 2024); Dutch Authority for Digital Infrastructure (RDI) market surveillance mandate announcement (2024); Dutch Data Protection Authority enforcement actions on automated decision-making (2025); KPMG EU AI Act compliance survey (Q1 2026); Deloitte AI regulatory readiness benchmark (March 2026); European AI Office guidance documents (2025–2026).