The AI Act is not a proposal any more. It is law. And most companies still cannot tell you whether it applies to them.
I see it every week. Leaders who use AI every single day in their executive meetings, with no idea what the European regulation changes for them. Not incompetence. Nobody has translated it for them. This is a text of hundreds of pages, and it was not written to be read by a CEO on a Friday night.
So let me translate it. No legal jargon, nothing exhaustive. Just what your leadership team needs to understand and decide in the next few weeks.
What the AI Act actually changes for you
The regulation sorts AI systems into four risk tiers. That single idea drives the whole text. And it is simpler than your lawyers make it sound.
Unacceptable risk: subliminal manipulation, social scoring, mass facial recognition. Banned since February 2025. If you are doing this, you already know.
High risk: this is where most companies land without realising it. If you use AI to recruit, screen candidates, rate employees, decide on credit, sort insurance claims or support a medical diagnosis, you are in this tier. The obligations are heavy: technical documentation, risk management, human oversight, traceability.
Limited risk: chatbots, content generators, deepfakes. Transparency duty. The person has to know they are dealing with a machine.
Minimal risk: spam filters, spell checkers, internal translation tools. No specific constraint.
The question to put on the table Monday morning: which tier do the AI tools you already use fall into? An HR director at an industrial group asked me exactly that last month. Thirty minutes of inventory, and we found a CV pre-screening tool sitting squarely in the high risk tier. Nobody in the building knew.
Article 4: the one nobody saw coming
Everybody talks about high risk systems. Almost nobody talks about Article 4. And Article 4 is the one that will hit the most companies, the fastest.
Article 4 requires a minimum level of AI literacy from anyone who uses an AI system. Not just developers. Not just data scientists. Anyone. The sales rep working a CRM with predictive scoring. The assistant summarising meetings with an AI tool. The finance director generating budget scenarios.
Penalties start on 2 August 2026.
Most executives have still never sat down with their leadership team to define an AI strategy. Meanwhile, plenty of companies have proudly signed a responsible AI charter. Signing a charter is not the same thing as building skills. You ticked a box. You did not train anyone.
A CEO I work with took this seriously back in April. He ran an AI literacy assessment across his 120 employees. The result: 14% reached a baseline level. Everyone else was flying blind. He kicked off a training plan with a six-week runway. Tight, but doable.
If you want the training side of this, who to train, what to document, how to sequence it, that is what we build with clients here: AI training for executives.
The fines are real
This is not GDPR-lite. The numbers were set to hurt on purpose.
Banned practices: up to 35 million euros or 7% of annual worldwide turnover. Whichever is higher.
High risk systems: up to 15 million euros or 3% of worldwide turnover.
False or misleading information supplied to authorities: up to 7.5 million euros or 1% of turnover.
And there is more. Leaders can be personally on the hook. If your leadership team deploys a high risk system without the required safeguards, it is not only the company that is exposed. It is the person who signed off on the deployment.
Most CEOs now say they want AI governance to sit at board level. Very few boards actually have a dedicated AI function. The intent is there. The structure is not.
The four decisions your leadership team has to make now
Not a six-month plan. Four decisions, inside the next two weeks.
1. Inventory every AI use case. Not a six-month audit. A round the table at your next leadership meeting. Each director lists the AI tools running in their patch. Chatbots, text generators, scoring, automation. All of it. You will be surprised by what surfaces.
2. Classify the risk tiers. For each use case, work out whether it is minimal, limited or high risk. You do not need a consultancy. The AI Act grid is public and readable. Anything touching HR, credit, health, education or biometrics is high risk.
3. Define what is allowed and what is not. Write an internal policy. Not a 40-page charter. One page that says what people can and cannot do with AI. Your teams need clarity, not literature.
4. Assign the governance. Who owns the topic in the leadership team? Who is accountable for compliance? Who approves new use cases? If nobody is named, nobody will do it. It really is that simple.
Compliance as a competitive advantage
I know what you are thinking. More regulation, more cost, more drag. Turn it around.
Companies that structure their AI governance now are building three things their competitors will not have.
Client trust. In regulated sectors, banking, insurance, healthcare, being able to prove your AI systems are compliant is becoming a selection criterion. An insurer I work with won a tender in March by putting its AI governance policy in the bid. The competitor did not.
Access to public contracts. Public bodies and administrations will write AI Act compliance into their tender specs. The ones who are ready take the contracts. The others wait.
Talent. AI profiles, data scientists, ML engineers, AI product managers, want to work somewhere that takes ethics seriously. Clear governance is a strong signal.
Compliance is not a cost. It is a filter that separates the serious from the improvisers.
Frequently asked questions
Does the EU AI Act apply to my company?
If your company uses, builds or deploys an AI system in the European Union, yes. The AI Act covers every sector, and it reaches companies headquartered outside the EU when their AI systems are used inside it. A customer service chatbot or a CV screening tool is enough to put you in scope. Article 4 on AI literacy applies to anyone using an AI system, with no exemption for size or industry.
What are the EU AI Act deadlines?
Banned practices have applied since February 2025. Obligations for general purpose AI models have applied since August 2025. The Article 4 AI literacy duty has applied since February 2025; the digital omnibus adopted in June 2026 softened it (measures to take, no guaranteed level) but kept it in place. General penalties land on 2 August 2026. Obligations on high risk systems were pushed back to December 2027.
Who owns AI compliance in the leadership team?
There is no single right answer. What matters is that one member of the leadership team owns it. In smaller and mid-sized companies it is often the CEO or the CFO. In large groups it tends to be the Chief Data Officer or the general counsel. The point is to assign the responsibility clearly instead of letting it float between IT and legal.
Do we need an AI data protection officer?
The AI Act does not require an AI DPO the way the GDPR requires a data protection officer. It does require clear governance with assigned responsibilities for high risk systems. In practice, companies deploying AI in HR, finance or healthcare are better off naming an AI lead who coordinates compliance, training and the register of use cases.
Want to structure your AI governance before the AI Act deadlines bite? AI x Leaders works with executives who want to turn compliance into an advantage.
Get in touch →