EU AI Act in force since August 2024 · Annex III enforcement: 2 December 2027

Are you personally exposed
under the EU AI Act?

Every director on a board that deploys AI carries a personal duty of care under Companies Act 2006 s.174 — a duty that cannot be discharged by board minutes, company compliance programmes, or reliance on management. That duty has been running since the EU AI Act entered into force in August 2024.

Enforcement dates for the high-risk Annex III categories are now fixed at 2 December 2027 following the Omnibus VII amendments. The extension changes the technical compliance timeline. It does not pause your personal oversight obligation — or the evidence gap accumulating against it.

Answer 10 questions. Understand your personal position in under 3 minutes.

€35M
Max corporate fine
Side A
D&O policies retreating
4
Jurisdictions assessed
Aug '24
In force since
For executive directors, NEDs and board members · UK · US · Australia · Middle East · Anonymous · No data stored · 2–3 minutes
Update — 16 June 2026: The European Parliament has formally approved the Omnibus VII amendments with 423 votes in favour. The new fixed application dates — 2 December 2027 for stand-alone high-risk AI systems (Annex III), and 2 August 2028 for high-risk AI systems embedded in products (Annex I) — now await formal adoption by the Council of the EU as the final legislative step. The personal director oversight duty under Companies Act 2006 s.174 is continuous and is not extended by changes to technical compliance timelines.

Why the personal oversight duty is already running

The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024. From that date, any company deploying AI in material processes has been operating inside the Regulation's architecture — and every individual director of that company has carried a personal oversight obligation alongside it.

The obligation does not come from the AI Act alone. In the UK, it comes from Companies Act 2006 Section 174: the personal duty of care, skill and diligence owed by every director individually. Re Barings plc (No 5) [1999] confirmed that this duty is non-delegable — each director must personally demonstrate what they did. Equivalent standards apply in the United States (the Delaware Caremark line), Australia (ASIC v Healey), and the ADGM and DIFC.

English commercial courts place significantly greater weight on documentary evidence created at the time of an event than on witness recollection reconstructed afterwards. A director who cannot produce a contemporaneous personal record of the AI governance questions they raised is defending years-old conduct from memory — against a documentary standard.

This is why a change to the technical enforcement timeline changes nothing for individual directors: the personal duty is continuous, and the evidence gap either accumulates or it does not.

What the assessment measures

The assessment reflects your own answers back through a structured governance framework across four dimensions of personal exposure:

  • Sector exposure — whether your board appointments fall within the Annex III high-risk categories: financial services, recruitment and HR, critical infrastructure, healthcare and MedTech.
  • Personal evidence position — whether you could produce timestamped, independently held evidence of the AI governance questions you have personally raised.
  • D&O insurance verification — whether your insurer has confirmed in writing that your Side A personal coverage extends to AI governance failures, in a market where AI exclusions are being filed.
  • Record portability — whether your governance records would survive your resignation, given that board portal access is typically revoked on departure while personal liability is not.

It is anonymous, runs entirely in your browser, and stores nothing.

The personal liability standard in your jurisdiction

The EU AI Act applies to companies with EU market exposure regardless of where the board is registered. The personal liability standard that runs alongside it is set by your jurisdiction of appointment.

United Kingdom

Companies Act 2006 Section 174 — personal duty of care, skill and diligence

The duty is individual — it cannot be discharged by board minutes, collective decisions, or reliance on management. Re Barings plc (No 5) [1999] confirmed each director must personally demonstrate what they did. The duty is continuous — it is not timed to a technical compliance deadline.

The contemporaneous evidence standard — English Commercial Court

Courts place significantly greater weight on documentary evidence created at the time of an event than on witness recollection reconstructed afterwards. Where a director relies on memory alone, courts assign it substantially less weight than a timestamped personal record created at the moment of oversight. This principle is firmly established in English commercial litigation and applies directly to director liability proceedings.

ENRC v Sir Paul Judge [2014] EWHC 2340 (QB)

Directors may retain their own questions, notes and assessments for personal legal defence. This confirms that a personal record of your conduct — distinct from company confidential data — is legally yours to keep after resignation.

United States / Delaware

Marchand v Barnhill, 212 A.3d 805 (Del. 2019) — the Caremark renaissance

The Delaware Supreme Court held directors liable for breach of the duty of loyalty where they failed to make a good faith effort to implement board-level monitoring of mission-critical risks. The court scrutinised board minutes and found them wanting. Absence of evidence in the minutes was treated as absence of oversight.

KT4 Partners LLC v Palantir Technologies Inc., 203 A.3d 738 (Del. 2019)

The Delaware Supreme Court expanded the definition of books and records to include informal electronic communications — emails, texts — where a company conducts business informally. A director's personal devices become fair game in discovery if no formal governance record exists.

Schoon v Troy Corp., 948 A.2d 1157 (Del. Ch. 2008)

A former director generally loses Section 220 inspection rights upon resignation and cannot compel the company to produce documents to defend their past conduct. Possessing an independent personal record before departure is the only guaranteed proactive defence.

Australia / New Zealand

ASIC v Healey (Centro) [2011] FCA 717 — the enquiring mind standard

The Federal Court rejected the defence that directors had relied on management and external auditors. Justice Middleton held each director must apply an enquiring mind and take a diligent and intelligent interest in the information available. Passive reliance is not a defence.

Corporations Act 2001 Section 198F — access rights and their limits

Former directors have a right to inspect company books for legal proceedings — but only once a proceeding exists. Hostile boards routinely deny access, forcing court applications. A personal record held independently bypasses this gatekeeping entirely.

Kane's Hire Pty Ltd v Anderson Aviation Australia Pty Ltd [2023] FCA 381

The Federal Court reiterated the danger of relying on reconstructed direct speech in affidavits years after the event. A contemporaneous timestamped note created at the time of a board meeting is evidentially superior to sworn testimony reconstructed years later — a principle now firmly established in Australian commercial litigation.

Middle East / ADGM / DIFC

ADGM Companies Regulations 2015 — English common law applied directly

ADGM applies English common law. The personal director liability standard mirrors the UK duty of care exactly. The wrongful trading defence under ADGM Insolvency Regulations requires proof that a director took every step to minimise creditor loss — a defence of documented process, not outcome.

DIFC Law No. 5 of 2018, Article 72 — reasonable care, skill and diligence

The DIFC imposes a duty equivalent to the UK and Australian standards. In Lynch v Cadwallader [2021], the DIFC Courts held that documentary evidence created at the time carries significantly greater weight than witness memory reconstructed in credibility disputes — a principle applied directly to director conduct proceedings in the region.

UAE onshore — Federal Decree-Law No. 32/2021 and the no-discovery problem

Onshore UAE civil courts have no broad pre-trial discovery process. A director cannot compel a hostile company to produce thousands of emails to prove their diligence. In a system where you must produce the evidence you rely upon, possessing a personal contemporaneous record is the only reliable defence. Electronic records are admissible under the UAE Electronic Transactions Law and Evidence Law.

Multiple jurisdictions

Independent liability standards apply simultaneously

A portfolio director with UK, US and Australian appointments faces the English contemporaneous evidence standard, Marchand/Caremark (Delaware) and Centro (Australia) simultaneously — and a failure in any one does not protect against claims in another. A company compliance programme in one jurisdiction does not discharge your personal duty in another. Annex III obligations follow EU market exposure, not board registration.

Frequently asked questions

What is the EU AI Act enforcement date?
The European Parliament formally approved the Omnibus VII amendments on 16 June 2026 with 423 votes in favour. The new fixed application dates for high-risk AI rules are 2 December 2027 for stand-alone high-risk AI systems (Annex III) and 2 August 2028 for high-risk AI systems embedded in products (Annex I). Formal adoption by the Council of the EU is the remaining legislative step. The original date of 2 August 2026 was the statutory baseline under Regulation 2024/1689 prior to the Omnibus amendment. The personal director oversight duty under Companies Act 2006 s.174 is continuous and unaffected by any change to technical compliance timelines.
Are NEDs personally liable under the EU AI Act?
Yes. Non-executive directors carry the same personal duty of care under Companies Act 2006 Section 174 as executive directors. The EU AI Act creates conditions for shareholder derivative claims against individual directors — including NEDs — for AI governance failures.
What is Annex III of the EU AI Act?
Annex III defines the high-risk AI categories subject to the most stringent obligations under the EU AI Act, including AI used in financial services (credit scoring, insurance pricing, fraud detection), recruitment and HR (automated candidate screening), critical infrastructure (energy, water, transport), and healthcare (diagnostics, patient triage).
What is the personal liability risk for directors under the EU AI Act?
A corporate AI governance failure can trigger a shareholder derivative claim against individual directors under Companies Act 2006 Section 174. Courts place significantly greater weight on documentary evidence created at the time than on witness recollection reconstructed afterwards. Directors without an independent personal evidence record of their AI governance oversight are personally exposed. The personal oversight duty has been running since the Regulation entered into force in August 2024 — a technical compliance extension does not change this.
What is Companies Act 2006 Section 174 and how does it apply to AI oversight?
Section 174 imposes a personal duty of care, skill and diligence on every UK company director. The duty is individual and non-delegable: it cannot be discharged by board minutes, collective decisions, or reliance on management. Re Barings plc (No 5) [1999] confirmed that each director must personally demonstrate what they did. When a company deploys AI in material processes, oversight of that deployment falls within the s.174 duty of each individual director.
Can a NED rely on the company's compliance programme as a defence?
No. A company compliance programme addresses corporate obligations; it does not discharge an individual director's personal duty of care under s.174. In proceedings, the question is what the individual director personally did — what questions they raised, what responses they received, and what evidence of that oversight exists. Collective board activity and company compliance frameworks are not a substitute for a personal evidentiary record.
Do directors keep access to board records after resigning?
Generally, no. Board portals and company email are company property, and access is typically revoked on resignation. A director's personal liability, however, does not end with their tenure — regulatory investigations and derivative claims routinely begin years after a director has left. ENRC v Sir Paul Judge [2014] EWHC 2340 (QB) confirmed that directors may retain their own questions, notes and assessments for personal legal defence, distinct from company confidential data.
Does D&O insurance cover AI governance claims against individual directors?
Not necessarily. Major insurers are filing AI-related exclusions on Side A personal coverage — the layer that protects an individual director's personal assets when the company cannot indemnify them. Unless you have obtained written confirmation from your insurer that the policy covers AI governance failures, your personal financial protection is unverified and may already have been withdrawn.
Does the EU AI Act apply to UK boards after Brexit?
Yes, where the company has EU market exposure. The EU AI Act applies extraterritorially: obligations attach to providers and deployers whose AI systems are placed on the EU market or whose outputs are used in the EU, regardless of where the company is registered. A UK-registered board whose company serves EU markets is in scope for the Annex III enforcement period — and the personal oversight duty of its directors under s.174 runs alongside it.

Who is behind this assessment

Ethical AI Advisor is a trading name of Archimedes Lever Ltd, a private limited company registered in England and Wales (Company No. 16859569), specialising in personal governance protection for corporate directors. The assessment framework is built on primary sources: the Companies Act 2006, Regulation (EU) 2024/1689, and the reported case law cited on this page.

The assessment is a self-assessment tool, not legal advice. It reflects your own responses back through a structured governance framework and makes no determination about your personal legal position. Full details are on the Legal & Privacy page.

EU AI Act — Personal Liability Assessment 1 / 10

Analysing your liability profile…

Cross-referencing EU AI Act Annex III, your jurisdiction's
director liability standard, and your personal evidentiary position

  • Mapping sector to Annex III exposure categories
  • Identifying jurisdiction-specific liability standard
  • Assessing personal evidentiary position
  • Reviewing D&O insurance coverage gaps
  • Generating your personal risk profile
/ 100

Based on your responses, you have indicated the following about your current governance position:
Your jurisdiction — applicable legal standard

A personal briefing is available.

Book a personal briefing →
Legal & Privacy  ·  © 2026 Archimedes Lever Ltd