Regulations Every Board Member Should Understand: GDPR, DORA, EU AI Act

Eran Goldman-Malka · June 29, 2026

Boards don’t need to memorize articles and recitals—but they do need to understand what regulators expect the organization to have in place when AI touches personal data, critical operations, or high-impact decisions.

This is an educational overview, not legal advice. Obligations depend on your role (provider vs deployer), sector, and use case.

GDPR (Regulation (EU) 2016/679): The “Data Is the Product” Reality

GDPR applies when you process personal data—and many AI deployments do, directly or indirectly (customer queries, employee data, logs, training datasets, transcripts).

Board-level implications:

  • You need a lawful basis for the processing (Article 6) and transparency about what you do with the data (Articles 13 and 14).
  • Purpose limitation matters (Article 5(1)(b)): “we collected it for X” does not automatically justify “we train or deploy AI with it.”
  • Accountability must be demonstrable (Article 5(2)): documentation, DPIAs where required (Article 35), and evidence that controls actually operate.

Where AI changes the game: AI often involves large-scale or “invisible” processing (logs, prompts and transcripts retained for fine-tuning, inferences drawn from behaviour), and privacy authorities are actively clarifying their expectations for AI models trained on personal data, most notably in EDPB Opinion 28/2024.

DORA (Regulation (EU) 2022/2554): Operational Resilience Is a Governance Topic

DORA is a financial-sector regulation, applicable since 17 January 2025, focused on ICT risk management, ICT-related incident reporting, digital operational resilience testing, and ICT third-party risk.

Even if your AI is “just software,” it often becomes a critical dependency:

  • model vendors
  • cloud platforms
  • tool integrations (agents calling external systems)
  • data pipelines and monitoring

Board-level implications:

  • the management body carries final responsibility for ICT risk (Article 5) and must know and govern critical ICT dependencies
  • major ICT-related incident reporting (Article 19) must be an operational process with owners and deadlines, not improvised on the day
  • third-party arrangements must be controlled and documented, including the register of information on contractual arrangements with ICT third-party service providers (Article 28(3))

EU AI Act (Regulation (EU) 2024/1689): Risk-Based Rules + New Duties

The EU AI Act introduces a risk-based compliance model. Some systems are prohibited, some are high-risk with strong obligations, and many are “limited/minimal risk” with lighter rules.

Two practical board points:

1) Role matters

Your obligations differ depending on whether you are a provider (placing AI systems on the market) or a deployer (using AI under your authority).

2) AI literacy is not optional

Article 4, applicable since 2 February 2025, requires providers and deployers to take measures to ensure a sufficient level of AI literacy among their staff and other persons operating or using AI systems on their behalf, taking into account the context in which the systems are used.

Boards should expect management to show:

  • an AI inventory
  • role-based training and refresh cadence
  • controls aligned to risk tier (especially where AI influences consequential decisions)

A Board-Friendly “Compliance Without Micromanaging” Checklist

Ask management to confirm—system by system:

  • Inventory: AI systems, owners, data categories, vendors, geography
  • Privacy: lawful basis, transparency, DPIA where needed, retention controls
  • Security: access controls, monitoring, incident response, supplier risk management
  • Governance: approvals, escalation, audit evidence, change control for vendor updates
  • Training: AI literacy measures aligned to actual roles and risk

Want board-ready regulatory clarity (GDPR, DORA, EU AI Act) without getting lost in details? I deliver board-focused courses and provide consulting to help boards implement practical compliance—policies, templates, and operating controls. Contact me.


Relevant Sources

  1. GDPR (Regulation (EU) 2016/679) — EUR-Lex — https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng
  2. DORA (Regulation (EU) 2022/2554) — EUR-Lex — https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
  3. EU AI Act (Regulation (EU) 2024/1689) — EUR-Lex — https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689
  4. Article 4: AI literacy — EU AI Act Service Desk — https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-4
  5. AI Literacy — Questions & Answers (PDF) — European Commission — https://digital-strategy.ec.europa.eu/en/node/13629/printable/pdf
  6. EDPB Opinion 28/2024 on AI models and personal data (PDF) — European Data Protection Board — https://www.edpb.europa.eu/system/files/2024-12/edpb_opinion_202428_ai-models_en.pdf
