Boardroom

De EU AI Act Klok Tikt: Wat Elke Europese Bestuurder Voor Augustus Moet Regelen

11 May 2026 Open Access
Met minder dan honderd dagen tot de EU AI Act-handhavingsdatum van 2 augustus 2026 heeft de Europese AI-autoriteit haar eerste inspectiemechanismen aangekondigd. Veel bestuurders onderschatten wat er nog gedaan moet worden. Dit is de concrete checklist.
Listen to this brief
~2 min · TTS
De EU AI Act Klok Tikt: Wat Elke Europese Bestuurder Voor Augustus Moet Regelen
Camiel Notermans
Founder & CEO, ZeroForce

The most dangerous place a European boardroom can occupy right now is the comfortable middle ground between awareness and action. Executives who know the AI Act exists, have assigned it to a working group, and expect a compliance report before summer have not solved the problem — they have scheduled it. The August 2026 deadline for core deployment obligations is not a finishing line. It is the first inspection window of a decade-long regulatory regime, and the organizations that treat it as a project milestone rather than a governance transformation are building their AI futures on a foundation that will not survive scrutiny.

What makes this moment genuinely dangerous is not the complexity of the regulation. It is the persistence of a category error that runs from IT departments straight into the boardroom: the belief that AI Act compliance is a technology question. It is not. It is an organizational governance obligation that happens to involve technology. The distinction is not semantic — it determines who owns the problem, what decisions require board-level authority, and why delegating this to a CTO without structural mandate is not efficient leadership. It is deferred liability.

The Development: What the August Deadline Actually Means

The precision of the August 2026 deadline has been lost in the noise of general AI regulation discourse. Prohibitions on biometric mass surveillance, social scoring, and manipulative systems targeting vulnerable groups entered into force in February 2025. What August marks is categorically different: base deployment obligations for providers and deployers active in the EU market, combined with mandatory implementation of AI literacy measures for employees. The EU AI Office has been explicit that inspectors will request evidence of training in practice — not policy documents filed in compliance folders. An organization that presents clean documentation in September but cannot demonstrate a functioning competency framework has not achieved compliance. It has created a paper trail that leads directly to an enforcement conversation.

For high-risk applications — HR decision-making, credit assessment, education, law enforcement, critical infrastructure — additional obligations around conformity assessment, risk management documentation, human oversight, and incident reporting apply. The preparation window for those categories is not approaching. It is closing. Organizations waiting for the final enforcement wave will pay twice: the fine first, then the emergency implementation. That is not misfortune. It is a strategic choice with entirely predictable consequences, made in full view of the regulatory calendar.

Three failure patterns are emerging with consistency from early consultation rounds with the EU AI Office. The first is conflating AI use with AI deployment: an organization running Microsoft Copilot or Salesforce Einstein is a deployer under the law, not an end user, and carries registration, documentation, and oversight obligations accordingly. The second is delegating AI Act compliance to the IT function. High-risk classifications are determined by what a system functionally does within a specific business context — not by the underlying technology stack. An HR system with a recommendation module may qualify as high-risk; a customer service chatbot almost certainly does not. That determination requires process knowledge, not code review. The third failure is treating AI literacy as a one-time e-learning module. The EU AI Office requires a continuous competency framework. Organizations that deploy a module in June and claim compliance in August face a materially elevated risk of a negative inspection outcome.

Business Implications: Who Wins, Who Loses, and When

For the CFO, the first calculation is the cost of inaction. Fines under the AI Act reach €35 million or seven percent of global annual turnover for the most serious violations. But in financial services and healthcare — the sectors the EU AI Office has indicated it will prioritize in the third quarter — the reputational damage from a public inspection outcome exceeds the direct financial penalty in virtually every scenario. The relevant question is not whether the risk is real. It is whether it appears on the agenda of the next board meeting, and who is accountable if it does not.

For the CHRO, the implication is uncomfortable but unambiguous: if your organization uses AI in recruitment, performance assessment, or promotion decisions, you are the deployer of a potentially high-risk system. The obligation for human oversight is not a formality — inspectors ask how that oversight is operationally embedded, who holds responsibility, and how escalation functions in practice. A process description without demonstrable execution is not a compliance answer. It is an invitation for a deeper investigation.

For the CTO, the role has shifted structurally. Technical architecture decisions are now governance decisions with legal consequences. The system inventory — including AI functionality embedded in SaaS packages never formally procured as AI — is not an IT deliverable. It is a cross-functional responsibility requiring board-level ownership and mandate. Organizations that complete four concrete steps in the next thirty days build a defensible position: a full system inventory including embedded AI, a formal classification as user, deployer, or provider for each system, a functional high-risk assessment grounded in business process context, and the appointment of an AI compliance owner with primary mandate and dedicated budget — not as a secondary responsibility attached to an existing role. Organizations in financial services, healthcare, and HR that defer these steps are not managing risk. They are accumulating it.

ZeroForce Perspective

The boardroom instinct is to frame compliance as a brake on innovation velocity. In the context of the AI Act, that framing is not just incomplete — it is strategically inverted. Organizations building their AI governance architecture now are simultaneously constructing the infrastructure for safe, scalable AI operations in an era where those operations will become progressively more autonomous. Compliance by design is not more expensive than compliance by enforcement. It is faster, less disruptive, and generates the audit trail that increasingly sophisticated customers, investors, and regulators demand as proof, not promise.

The Zero Human Company thesis sharpens this urgency considerably. As AI systems assume more autonomous decision-making authority, governance maturity becomes the regulatory permission structure for scale. The organizations cleared to operate AI at full operational depth in 2027 and beyond will be those that demonstrated structural compliance readiness in 2025 and 2026 — not those that optimized for short-term deployment speed. August is the first test of that readiness. The organizations that understand this are already building. The rest will pay twice: once for the violation, and again for the distance they will need to close.

Further Reading

How does your organization score on AI autonomy?

The Zero Human Company Score benchmarks your AI readiness against industry peers. Takes 4 minutes. Boardroom-ready output.

Take the ZHC Score →
📩 Daily Briefing

Get every brief in your inbox

Boardroom-grade AI analysis delivered daily — written for corporate decision-makers.

Free

Choose what you receive — all free:

No spam. Change preferences or unsubscribe anytime.