EU AI Act Board Obligations: What Supervisory Boards Must Do
The EU AI Act (Regulation 2024/1689) is not only a technical standard for AI developers. It creates direct governance obligations for supervisory boards and boards of directors — with the first obligations already legally binding since February 2025.
EU AI Act 2024/1689
Updated June 2026
Plansix GmbH
Already in Force
Article 4 (AI Literacy) became legally binding on 2 February 2025. Organisations must ensure all staff — including board members — who work with AI systems have sufficient AI literacy for their role. There is no grace period remaining. Full high-risk AI obligations apply from August 2026.
Why the EU AI Act Creates Board-Level Obligations
The EU AI Act does not contain a chapter dedicated to boards. But boards carry obligations through three overlapping channels that, together, create a clear accountability structure.
Channel 1 — Direct application of Article 4. The AI Literacy obligation applies to any organisation that is a provider or deployer of AI systems. It requires ensuring that all staff "dealing with the operation and use of AI systems" have sufficient literacy. Board members who review AI strategy, challenge management on AI governance, or use AI-assisted tools in their oversight role are covered by this obligation. The organisation must demonstrate it has met this standard — which means documented AI literacy for its board, not only for technical staff.
Channel 2 — Organisational compliance obligations. Deployer obligations under Articles 26 and 29, and provider obligations under Articles 9, 10, 13, 14, 15, and 17, are legal obligations that fall on the organisation. National corporate governance law — in Germany and Austria, the GmbHG and AktG — already requires supervisory boards to oversee management's compliance with the organisation's legal obligations. EU AI Act compliance is a legal obligation. Boards that fail to supervise it are exposed under existing corporate law, not only under the AI Act itself.
Channel 3 — Board as governance approver. Several EU AI Act obligations require formal governance structures: a board-approved AI risk management system (Art. 9), a quality management system (Art. 17), and documented human oversight mechanisms (Art. 14). These are not policies that management can implement unilaterally — they require board-level approval and periodic board review to constitute genuine governance, rather than paper compliance.
Enforcement Timeline
1 August 2024
EU AI Act enters into force
Regulation (EU) 2024/1689 published in the Official Journal and in force. 24-month clock to full application begins. EU AI Office established.
In force
2 February 2025
Article 4 AI Literacy — legally binding
Chapter I (general provisions including Art. 4) and Chapter II (prohibited AI practices, Art. 5) become applicable. Organisations must have AI literacy measures in place now. No grace period.
Applies now
2 August 2025
GPAI model obligations + governance framework
Chapter V (General Purpose AI models — providers of foundation models and large language models), Chapter VII (AI governance), and penalty provisions (Chapter XII) apply. AI codes of practice finalised.
Applies now
2 August 2026
Full high-risk AI obligations — Annex I systems
All high-risk AI obligations apply: Articles 9 (risk management), 10 (data governance), 13 (transparency), 14 (human oversight), 15 (accuracy/robustness), 17 (quality management system), 26 (deployer obligations), 72 (post-market monitoring). Boards must have governance frameworks in place and be receiving regular compliance reporting.
12 months away
2 August 2027
Existing high-risk systems — Annex III
High-risk AI systems already in use before August 2026 (Annex III systems including HR AI, credit scoring, essential services AI) must comply. Companies using AI in hiring, HR management, or credit decisions have until this date to bring existing systems into compliance.
24 months away
The Key Articles — What Boards Must Oversee
Article 4
In force Feb 2025
AI Literacy
"Providers and deployers shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in."
Board obligation: Board members who review AI governance reports, challenge management on AI strategy, or use AI-assisted board tools are "dealing with the use of AI systems." The organisation must document that its board has completed role-appropriate AI literacy. A one-off briefing likely satisfies the minimum standard; a structured annual program with documented completion is best practice and the AMIVADIS D5 benchmark.
AMIVADIS D5 — Org Maturity & AI Literacy (12%)
Article 9
Applies Aug 2026
Risk Management System
"Providers of high-risk AI systems shall establish, implement, document and maintain a risk management system... The risk management system shall be a continuous iterative process run throughout the entire lifecycle of a high-risk AI system."
Board obligation: The board must approve the AI risk management system and receive periodic reporting on its operation. A risk management system that management has implemented but the board has never seen or approved does not constitute genuine governance. The system must be documented and maintained — board minutes should record its approval and review.
AMIVADIS D2 — Governance & Risk (15%)
Article 14
Applies Aug 2026
Human Oversight
"High-risk AI systems shall be designed and developed in such a way... that natural persons to whom human oversight is assigned are able to effectively oversee... and intervene on the operation of the high-risk AI system."
Board obligation: The board must ensure human oversight mechanisms exist and are operational — not just designed. Article 26 additionally requires deployers to designate specific persons responsible for oversight and ensure they are trained. The board should receive at least annual reporting that these designations are in place, staff are trained, and override protocols have been tested.
AMIVADIS D4 — Execution & Human Oversight (13%)
Article 17
Applies Aug 2026
Quality Management System
"Providers of high-risk AI systems shall put a quality management system in place... The quality management system shall address all aspects of the provider's compliance with this Regulation."
Board obligation: Companies that provide (not just use) high-risk AI — including SaaS companies whose products incorporate high-risk AI features — must establish a QMS. The board must approve this system and understand its scope. ISO 42001 certification provides a structured path to QMS compliance; the board should require management to report on QMS status at least annually.
AMIVADIS D2 — Governance & Risk (15%)
Article 26
Applies Aug 2026
Obligations of Deployers of High-Risk AI
"Deployers of high-risk AI systems shall: (a) implement human oversight measures... (b) ensure that input data is relevant... (c) monitor the operation... (d) inform the provider... (e) keep logs..."
Board obligation: Deployer obligations are comprehensive operational requirements. The board's role is not to execute them, but to ensure the governance structure requires management to do so — and that the board receives exception reporting when the system flags a failure. The board should specifically ask management to confirm which of its AI systems are classified as high-risk and what deployer compliance status each carries.
AMIVADIS D4 — Execution & Human Oversight (13%)
Article 72
Applies Aug 2026
Post-Market Monitoring
"Providers of high-risk AI systems shall establish and document a post-market monitoring system... The post-market monitoring system shall actively and systematically collect, document and analyse relevant data..."
Board obligation: Post-market monitoring is an ongoing operational obligation — not a one-time compliance exercise. The board should receive at minimum a quarterly summary of monitoring findings and any material incidents. AI systems that have drifted in accuracy, produced unexpected outputs, or generated user complaints are incidents that should reach the board unless a formal materiality threshold has been approved.
AMIVADIS D8 — Foresight & Defensibility (10%)
Provider vs. Deployer — Why the Distinction Matters
The EU AI Act draws a sharp line between organisations that provide AI systems and those that deploy them. The distinction determines which obligations apply — and most companies are deployers, not providers.
Provider
Develops or places AI on the market
A company that builds an AI system and sells it, licenses it, or embeds it in a product. Subject to the most comprehensive obligations: QMS (Art. 17), technical documentation, conformity assessment, CE marking for high-risk AI.
Examples: SaaS company with AI features in the product, AI startup, industrial equipment manufacturer with embedded AI, LLM provider.
Deployer
Uses AI under its own authority
Any company using an AI system in its own operations. Subject to deployer obligations: human oversight designation, monitoring, log retention, incident reporting (Art. 26, 29). Most companies with an AI program are deployers.
Examples: HR team using AI-assisted recruitment software, bank using credit scoring AI, hospital using diagnostic AI, any company using an AI SaaS tool in operations.
Many companies are both — they deploy third-party AI tools in their operations (deployer) and build AI features into their own product (provider). The board must understand which role the company plays and ensure governance structures match the corresponding obligations.
What Boards Must Be Able to Demonstrate
AI literacy documentation for board members
Evidence that board members have completed structured AI education appropriate to their oversight role. Training records, agenda items from board sessions, or completion certificates from an AI literacy program.
Art. 4 — in force now
AI system inventory with risk classification
A register of all AI systems in use or provided, with EU AI Act risk tier classification (unacceptable / high-risk / limited / minimal). The board must have approved the classification methodology and seen the full inventory at least annually.
Art. 9 — Aug 2026
Board-approved AI risk management system
A documented, operational AI RMS with board approval on record. Board minutes should reference approval and periodic review. The RMS must cover the full AI lifecycle — not just deployment.
Art. 9 — Aug 2026
Human oversight designation and training records
Named personnel designated as AI oversight persons for each high-risk AI system, with training records and documented override protocols. Evidence that each designation is current, rather than the name of someone who has since left the company.
Art. 14, 26 — Aug 2026
Post-market monitoring reports to board
Evidence that post-market monitoring is operational and findings reach the board. At minimum: a summary monitoring report in the annual AI governance board review, plus escalation records for any material incidents.
Art. 72 — Aug 2026
Quality management system (providers only)
Organisations that provide high-risk AI systems must have a QMS. The board must have approved it and understand its scope. ISO 42001 certification is the most direct path to demonstrating QMS compliance.
Art. 17 — Aug 2026 (providers)
How AMIVADIS Measures EU AI Act Compliance
AMIVADIS does not replace a legal compliance review. It produces a measurement instrument that tells a board, at a glance, how far the organisation's AI governance posture is from the standard required by the EU AI Act — and where the specific gaps are.
| AMIVADIS Dimension | EU AI Act Article | What It Measures |
|---|---|---|
| D2 — Governance & Risk (15%) | Art. 9 · 13 · 14 · 17 | RMS documentation and operation, QMS existence, AI inventory with risk classification, transparency measures, incident tracking |
| D3 — Data & Infrastructure (11%) | Art. 10 | AI-specific data governance, lineage documentation, bias monitoring, access controls |
| D4 — Execution & Human Oversight (13%) | Art. 14 · 15 · 26 | Human oversight mechanisms, testing protocols before deployment, performance metrics, incident response, compliance review process |
| D5 — Org Maturity & AI Literacy (12%) | Art. 4 — in force now | Role-based literacy program, board AI education, completion tracking, CoE structure |
| D8 — Foresight & Defensibility (10%) | Art. 72 | Post-market monitoring system, automated alerting, board-level AI threat briefings |
The AMIVADIS Gold rating (60–79) is designed to indicate EU AI Act-compliant governance posture. Floor rules enforce this: Gold cannot be reached without minimum scores in D2 Governance (≥45), D3 Data (≥40), and D4 Execution (≥40) — the three dimensions that carry the heaviest EU AI Act obligations. A company with a Gold AMIVADIS rating has the governance structures in place to demonstrate compliance to a regulator, acquirer, or board audit committee.
Frequently Asked Questions
Does the EU AI Act apply to all companies or only large ones?
The EU AI Act applies to all organisations operating in the EU or placing AI systems on the EU market — there is no SME exemption for the core obligations. However, the Act includes proportionality provisions: SMEs and start-ups have a reduced administrative burden for documentation and conformity assessment in some areas. Article 4 AI Literacy applies to all organisations without a size threshold. High-risk AI deployer obligations (Art. 26) apply to any company using high-risk AI regardless of size.
What counts as a "high-risk" AI system for most companies?
Annex III of the EU AI Act lists the most common high-risk categories for companies outside AI-integrated products: employment and HR management AI (including CV screening, promotion decisions, performance monitoring), access to essential private services (creditworthiness assessment, life insurance underwriting), education and vocational training AI, law enforcement AI, and AI for administration of justice. A company using AI software in its HR processes — even a third-party SaaS tool — is likely a deployer of high-risk AI under Annex III.
What happens if a board cannot demonstrate AI literacy compliance?
Article 4 violations carry penalties of up to €7.5 million or 1.5% of global annual turnover under Article 99. More practically: a supervisory board that cannot demonstrate it has met its AI literacy obligation is exposed under national corporate governance law (GmbHG Art. 52, AktG Art. 111 in Germany) for failure to supervise legal compliance. In an M&A or exit context, an acquirer's legal due diligence will surface the absence of documented AI literacy as a compliance gap that requires remediation or is reflected in price.
Is ISO 42001 certification sufficient for EU AI Act compliance?
ISO 42001 certification substantially supports EU AI Act compliance but does not fully satisfy it. ISO 42001 covers the quality management system requirements of Article 17 and portions of the risk management (Art. 9) and data governance (Art. 10) obligations. However, ISO 42001 was not written to map directly to the EU AI Act's risk classification taxonomy (unacceptable/high/limited/minimal risk), and it does not address deployer-specific obligations under Article 26 or post-market monitoring under Article 72. A company with ISO 42001 certification typically scores in the Silver to Gold band on AMIVADIS — indicating strong foundations with targeted gaps remaining.
How should a board run its annual AI governance review?
A structured annual AI governance review should cover:
(1) AI literacy status — have all board members completed structured AI education?
(2) AI system inventory review — has management presented the full AI register with risk classifications?
(3) Compliance status — for each high-risk AI system, what is the deployer compliance status against Art. 26 obligations?
(4) Risk management system — is the RMS operational and when was it last audited?
(5) Post-market monitoring — what were the significant findings in the past 12 months?
(6) AI score — what is the organisation's AMIVADIS rating and how has it moved since last year?
The AMIVADIS assessment produces a board-ready scorecard that structures exactly this review.
Measure Your EU AI Act Governance Posture in 20 Minutes
The AMIVADIS assessment measures compliance against EU AI Act obligations at article level — and tells your board exactly where the gaps are.