“We’ll wait until things become clearer.”
I hear this sentence almost every week when speaking with business leaders about the EU AI Act, AI governance, and organisational AI readiness to achieve EU AI Act compliance.
I understand where it comes from. The regulation is still new. Guidance is being published gradually. Interpretations are evolving. At first glance, waiting may seem like a reasonable approach.
The problem is that things will not suddenly become “clear”. More details will simply continue to appear. Meanwhile, the calendar keeps moving forward.
The rules on prohibited AI practices are already applicable. Requirements for general-purpose AI models started applying on 2 August 2025. The next major milestone is 2 August 2026, when a large part of the remaining EU AI Act compliance requirements will start applying, including obligations related to certain high-risk AI systems.
This is not some distant future deadline. It is next summer.
What I often see is that companies that have decided to take action begin from the wrong end.
They write an AI policy. They create a detailed document template. They prepare a long internal document that, in practice, no one will ever open.
This creates a false sense of security. It feels as if something has been done. But it does not create a functioning AI governance framework.
A practical internal framework starts with a much simpler question:
Which AI tools are actually being used in our organisation?
The marketing team relies on ChatGPT. Developers use GitHub Copilot. The CRM contains a scoring model that the sales manager did not even realise was artificial intelligence. In another department, someone is processing customer data in a tool that the legal team knows nothing about.
Once all AI use cases have been mapped, the organisation can move forward in a structured way.
Which of these AI tools affect customers, employees, or decisions about people?
Who is responsible for ensuring that new AI tools are not introduced without review?
These two questions solve a large part of AI readiness. Only after that does documentation become meaningful.
Two years ago, it was still reasonable to debate whether companies needed to govern the use of artificial intelligence at all.
Today, that question is no longer open.
Employees are using AI tools anyway.
Customers are asking what happens to their data. Partners have added new AI-related sections to their due diligence questionnaires. The only real question is timing.
July and August often feel like a natural pause. It seems reasonable to return to the topic in September.
But in September, many companies reach the same conclusion: work that could have been completed calmly over a few months now needs to be done in a few weeks.
An audit, a customer request, or the first internal AI-related incident will not wait for the summer holidays to end.
Managing the use of artificial intelligence is not something companies should postpone until autumn.
The earlier an AI governance framework is in place, the less time companies will later spend rushing, fixing mistakes, and explaining decisions after the fact.
Krete Paal is the co-founder and CEO of GDPR Register, an Estonian privacy technology company. GDPR Register provides software for data protection management, privacy risk management, and compliance workflows. This spring, the platform will also introduce a dedicated EU AI Act compliance module.
Original article available in Estonian here