
EU AI Act: what a board must have settled before August 2026

The EU AI Regulation reaches full application on 2 August 2026. These are the decisions the board cannot delegate — and the realistic timeline to make them.


Regulation (EU) 2024/1689 on Artificial Intelligence reaches full application on 2 August 2026. By then, high-risk AI systems must comply with the full text, general-purpose models will already be twelve months under supervision, and the enforcement regime will operate at cruising altitude — up to 7 % of global annual turnover for the most serious infringements of Article 5.

What follows is not a summary of the text. It is the minimum agenda for a board that wants to reach the summer of 2026 without reopening the debate.

The decision only the board can take: where the organisation sits in the risk pyramid

The Regulation classifies AI systems into four levels. The line between "high risk" and the rest is not technical; it is regulatory, and it depends on use, not on the underlying model.

| Level | Regulatory treatment | Typical examples | Key board obligation |
|---|---|---|---|
| Unacceptable (Art. 5) | Banned | Subliminal cognitive manipulation; general-purpose social scoring; biometric categorisation by ethnicity or religion | Confirm the organisation operates no system at this level |
| High risk (Annex III) | Heavy regulation, CE marking | Credit scoring; HR selection systems; biometric identification; critical infrastructure management | Inventory, conformity assessment, documented human oversight |
| Limited risk (Art. 50) | Transparency obligations | Chatbots, deepfakes, emotion recognition systems | Labelling and end-user notice |
| Minimal risk | Free regime | Spam filters, video-game AI, simple recommendations | Voluntary best practices |

A credit-scoring system built on a trivial model is high risk. An internal writing assistant built on GPT-5 may well be minimal risk. The operational consequence is that the system inventory cannot be maintained by IT alone: it requires matching each business use against the regulatory classification, and that is a compliance exercise, not an architectural one.

The question the board must be able to answer at any meeting from September 2025 onward:

How many high-risk systems does the organisation operate, who approves them for deployment, and where are the conformity assessments documented?

If the answer is "IT is looking at it" or "we're not sure," the organisation is behind.

What the Regulation formally requires of the board (without naming it)

The AI Act does not include a "corporate governance of AI" chapter as DORA does. But when three articles are read together, an implicit mandate on the management body emerges:

  1. Article 9 — Risk management system across the system lifecycle. This is only defensible if integrated into the organisation's general risk framework, which the board approves.
  2. Article 17 — Documented quality management system, comparable to ISO 9001 but specific to AI. Requires assignment of responsibilities up the chain of command.
  3. Article 26 — Deployers' obligations: human oversight, post-market monitoring, operating records. The magnitude of this responsibility cannot be pushed down to middle management.

Combined with the general duty of care of Article 225 of the Spanish Companies Act (and its European equivalents), the Spanish board has a clear obligation to know, supervise and be able to account for AI Act compliance.

The template question for the committee or board

If an organisation is going to do only one thing this semester on AI matters, it should be this: make the AI Act a standing agenda item, at least quarterly, with three invariant sections:

  • Updated inventory of systems, classified.
  • Compliance status of high-risk systems.
  • Serious incidents or near-misses since the last meeting (Article 73).

This is not bureaucracy. It is the only way that, come 2 August 2026, the board can sign the accounts with the reasonable confidence that the organisation is not operating a banned system unknowingly or a high-risk system without CE marking.

The three recurring mistakes I see on Spanish boards

1. Confusing AI governance with internal usage policy. Policies on "which tools employees may use" are useful but they are not AI governance. Governance begins when the organisation produces or deploys systems that affect third parties.

2. Assuming compliance is the supplier's responsibility. A bank using a third-party scoring model remains responsible as the deployer. Article 26 is explicit. The supplier answers for its part; the deployer does not escape.

3. Treating the AI Act as a project. It is not. It is a permanent regime. Whoever frames it as a 2026 sprint will find themselves in 2027 with a live system and no mechanism to keep it alive. The architecture must support continuous operation from day one.

Practical recommendation for the first meeting

If the board has not yet addressed the AI Act as a formal item, I suggest starting with three written questions to management, with a one-month deadline:

  1. How many high-risk AI systems are we deploying today, per the Annex III classification?
  2. Who is the internal AI Act compliance owner, and to whom do they report?
  3. What quantified sanction risk have we identified in the base case and in an adverse scenario?

The answers determine whether the organisation has an operational problem, a governance problem, or both. In any of the three cases, the summer 2026 clock runs all the same.