EU AI Act Tightens the Screws: Company Leaders Face Personal Fines of Up to €35 Million

Starting August 2, 2026, European businesses must clearly mark any AI-generated content that could be mistaken for real. The requirement targets deepfakes — photorealistic images, videos, or audio clips — and explicitly bans reliance on machine-readable metadata alone. The human eye must be able to tell.

The urgency is clear: studies estimate that between 40 and 75 percent of users cannot distinguish AI-generated images from authentic photographs. Companies are now racing to embed watermarking directly into production workflows.

The real shocker, however, hits the C-suite personally. Article 4 of the EU AI Act obliges management to ensure AI competence across the organization. Violations carry fines of up to €35 million — a sum that stings particularly for small and medium enterprises. According to the Ifo Institute, 54.5 percent of German companies already use AI, a jump of 13.6 percentage points year-on-year.

Data protection poses another hurdle. Businesses deploying AI assistants such as Claude must scrutinize data transfers. Most large language models originate in the US, and certification under the EU-U.S. Data Privacy Framework remains elusive. Companies currently rely on standard contractual clauses for cross-border data flows. A critical nuance: commercial team or enterprise plans include data processing agreements; free personal versions do not.

The German Research Center for Artificial Intelligence (DFKI) has responded with a browser extension called Privacy Guardrail. It locally replaces sensitive information — names, email addresses — with placeholders before a query leaves the device, then restores the real data in the response. Separately, the European Commission presented a technological sovereignty package in early June 2026.

Across the Atlantic, the United States is tightening its own rules. A June 2026 executive order introduces a voluntary 30-day pre-review for advanced AI models. The Great American AI Act requires companies with revenue exceeding $500 million to file rigorous safety reports and submit to independent audits. Proposed daily penalties for non-compliance could reach $1 million.

Within Europe, industry is still arguing over what qualifies as high-risk AI. The electrical and digital industry association ZVEI welcomed the outcomes of the trilogue negotiations on the AI Omnibus, praising a stronger sectoral approach and a more realistic definition of industrial high-risk AI. However, it criticized the failure to extend those adjustments to medical devices.

Cybersecurity obligations are also mounting. The NIS-2 directive expands incident reporting requirements across 18 sectors. Leading tech firms are demanding tighter controls when AI models access sensitive data — advanced systems can already answer complex technical questions about laboratory procedures in detail.

To coordinate European efforts, the European Commission appointed Jim Hagemann Snabe as its special AI envoy.

en | boerse | 69494702 |