The summer of 2026 has become a season of AI rule-making. The United Nations and the International Telecommunication Union launched the AI for Good Global Commission, bringing tech leaders and heads of state together around AI governance, with a first meeting set for 8 July in Geneva. In parallel, the US administration has been in advanced talks with major AI companies over voluntary standards for releasing powerful models — covering benchmarks, release timelines, and access rules. For a European company, the reasonable question is: which of this actually matters to me?
Sorting signal from noise
Most of what makes headlines is diplomacy and industry positioning — important for the shape of the field, but not something that changes your obligations next quarter. Here's the practical hierarchy for an EU firm.
Binding and already in motion: the EU AI Act. Everything above is voluntary or diplomatic. The AI Act is law, phasing in through 2026 and beyond, and it's what actually governs how you build and deploy AI in Europe. Its risk-based tiers — from prohibited uses to high-risk obligations to transparency duties — are the framework that carries real penalties. If you're spending energy tracking UN commissions while your AI Act readiness is unclear, the priorities are inverted.
Indirectly relevant: US voluntary standards. These don't bind EU firms, but they shape the models you use. If US labs adopt shared norms on release timelines and access, that affects which models are available, when, and under what terms — as recent access disruptions to certain frontier models have already shown. Worth monitoring as a supply-chain input, not a compliance duty.
Context, not action: global governance forums. The AI for Good Commission and similar bodies matter for where international norms drift over years. They're background, not a to-do list.
The theme underneath: fragmentation
The real story is that AI governance is splintering — Europe's risk-based approach, more security-driven US restrictions, and state-backed efforts across Asia are diverging rather than converging. For companies operating across borders, that means compliance is becoming a multi-jurisdiction problem. The forums launching this summer are, in part, attempts to slow that fragmentation before the gaps widen — but you should plan for a divided landscape, not a unified one.
What an EU company should do
- Anchor on the AI Act. Inventory your AI uses, classify them against the Act's risk tiers, and close gaps on anything high-risk. This is the work that carries legal weight.
- Connect it to what you already run. If you've addressed DORA and NIS2, you have governance muscle — risk assessment, documentation, incident processes — that extends naturally to AI Act obligations. Don't build a parallel programme.
- Treat model access as supply-chain risk. Given diverging rules and real access disruptions, avoid single-provider dependence for critical workloads and keep a portability plan.
- Watch, don't chase. Assign someone to monitor the AI Act's phase-in and major shifts in US model policy. Ignore the diplomatic theatre unless it turns into something binding.
The takeaway
The rulebook summer is loud, but for an EU company the signal is quiet and specific: the EU AI Act is what governs you, it builds on compliance capabilities you may already have, and the geopolitical churn mostly affects which AI tools you can rely on rather than what you're legally required to do. Focus there, and the headlines become context rather than anxiety.
Where Educatifu fits
We help EU companies operationalise AI governance — mapping uses to the AI Act's risk tiers, connecting it to existing DORA/NIS2 programmes, and building the portability that protects you from access shocks. If you're unsure where your AI usage sits under European law, get in touch — it's usually a clearer answer than the headlines suggest.