The EU AI Act Makes It Personal. Three Countries Are Coming For Directors.
The Conversation Boards Are Not Having
Most conversations about EU AI Act compliance focus on company-level fines.
The real conversation that boards are not having yet is about personal liability.
The Penalty Structure in Full
The EU AI Act sets maximum penalties at:
Prohibited AI practices: up to 35 million euros or 7% of global annual turnover.
High-risk AI system failures: up to 15 million euros or 3% of global turnover.
Providing misleading information to regulators: up to 7.5 million euros or 1.5% of global turnover.
These are company-level maximums. But three EU member states are going further.
The National Implementation Layer
France, Spain, and Germany are building individual director liability into their national implementation of the EU AI Act.
Not just fines against the company. Personal accountability for the directors who were responsible for governance at the time of the failure.
This is the pattern GDPR established. Meta paid 1.2 billion euros. Amazon paid 746 million. And in the cases where enforcement was most aggressive, regulators did not stop at the organisation. They looked at who was responsible for the decisions.
What Personal Liability Actually Means
For a director to face personal liability, a regulator would need to demonstrate that the director had responsibility for AI governance and failed to exercise it.
The defence is documentation.
A board that can show it reviewed an AI governance framework, understood the gaps, and directed remediation is in a fundamentally different position than a board that cannot produce any evidence it ever discussed the question.
The documentation does not need to be perfect. It needs to exist.
The Conversation Your Board Needs to Have
If your company deploys AI systems in Europe, or serves European customers, the question is not whether EU AI Act obligations apply. They do.
The question is whether your board has evidence that it took those obligations seriously.
A structured AI compliance report gives directors something concrete to point to. It maps specific obligations against your actual deployment. It identifies gaps. It provides a remediation roadmap.
That document does not make you compliant overnight. But it is the difference between a board that engaged with the question and a board that ignored it.
AuditPulse generates that report in 4 minutes. The board meeting where someone asks the question costs significantly more.