C-Suite Gets Personal: EU's AI Act Holds Executives Accountable as Compliance Gaps Widen
Veröffentlicht: 08.07.2026 um 00:51 Uhr, Redaktion boerse-global.de
The clock is ticking for business leaders across Europe. From August 2, the European Union’s landmark AI regulation imposes direct personal liability on company directors and public authority heads when their organisations fall foul of the new rules. Yet mounting evidence suggests that many are nowhere near ready.
A study by Cancom and ServiceNow, focusing on Germany’s Mittelstand, found that while 76 percent of businesses already use artificial intelligence in production, only 26 percent have fully integrated it into core processes. Nearly half operate AI in isolated silos, and a worrying 16 percent rely on uncontrolled shadow AI. The three biggest hurdles cited were IT security (38 percent), high costs (28 percent) and a shortage of skilled personnel (25 percent).
What the AI Act demands
Under the regulation, top managers must personally ensure their organisation complies with sweeping due-diligence duties. These include compiling a central register of all AI systems in use, carrying out systematic risk assessments, and establishing internal governance policies. Failure is not an option: fines can reach €35 million or 7 percent of global annual turnover, whichever is higher.
A particularly tough provision is the reversal of the burden of proof. In the event of a dispute, companies must proactively demonstrate that they have met all requirements. Authorities also have the power to demand comprehensive responses within just 14 days.
Cybersecurity takes centre stage
Legal experts increasingly describe the AI Act as a de facto security regulation, especially for high-risk AI systems. The law demands robustness, accuracy and cybersecurity across the entire lifecycle of such systems. Security teams now face novel threats, including data poisoning and adversarial attacks that deliberately manipulate model outputs.
Professionals recommend acting immediately: take an inventory of every AI system deployed, secure the full data supply chain, and vet third-party vendors. Compliance teams must also align the new rules with overlapping legislation, notably the NIS2 directive – whose own deadline expired at the end of July – and the upcoming Cyber Resilience Act.
Co-determination and AI literacy
The introduction of AI agents does not automatically trigger works council co-determination rights under Germany’s Works Constitution Act (Betriebsverfassungsgesetz). Employee representatives only gain a say when the system processes personal data in a way that enables performance or behaviour monitoring – a line that remains blurry in practice.
Meanwhile, Article 4 of the regulation obliges employers to ensure sufficient AI literacy among their workforce. Staff must be able to operate AI tools safely and in a legally compliant manner. Several training providers have already launched short courses covering basics such as malfunction risks, data protection and the legal framework.
The yawning readiness gap
The overall picture is one of high ambition colliding with patchy execution. According to the F5 State of Application Strategy Report 2026, 78 percent of companies surveyed are already running AI inference in production, averaging seven models each. Yet 88 percent report AI-specific security incidents – a stark mismatch.
Roland Berger’s research paints a similar contrast. Some 62 percent of executives say AI will drive profound change in their organisation, but only 38 percent have started any kind of transformation. And 42 percent doubt that their current governance structures are adequate.
With the August 2 deadline days away, the safe harbour for unprepared executives disappears. Personal liability is no longer a theoretical risk – it is the letter of the law.
