The EU AI Act, End to End: What Boards Actually Need to Decide
The EU AI Act reads as if it were written to intimidate. Hundreds of articles, annexes, recitals, overlapping authorities. For a board or a general counsel, though, the regime resolves into a short list of decisions, and most of the bulk is detail hanging off those decisions.
The first is classification. Every system you build or deploy falls somewhere: prohibited, high-risk, limited-risk with transparency duties, or effectively unregulated. Nothing else can be settled until this is, because the obligations differ in kind between tiers, not merely in degree.
For high-risk systems, the substance gathers into eight pillars: risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy and robustness, and the quality-management system that holds them together. These are not a menu. A high-risk system needs all eight, evidenced.
General-purpose AI sits on its own track. Foundation-model providers carry distinct duties around documentation, transparency, and, for the most capable models, systemic-risk obligations. If you build on top of these models, their compliance posture becomes part of yours.
Enforcement is real and tiered. Prohibited uses sit at the top of the penalty scale, up to 35 million euro or 7% of global annual turnover, with high-risk breaches and information failures below. National authorities are moving from designation to operation, which changes the probability of contact for anyone operating at scale.
The harder truth is that AI Act compliance does not stand alone. It intersects with the GDPR, with sectoral financial and product rules, and with employment law, and treating it as a separate silo creates gaps at exactly the seams regulators examine.
So where should leadership spend its attention? Five actions carry most of the value: complete a portfolio classification, stand up governance with real executive ownership, close the documentation and data-governance gaps on high-risk systems, map the regulatory intersections, and put literacy and oversight in place for the people who run these systems.
Our whitepaper, EU AI Act Compliance Intelligence, walks the whole regime at this altitude and ends with the roadmap. The goal is not to fear the Act, but to build AI the organisation can stand behind.