I worked at one of the largest banks in the United States. Too-big-to-fail, marble-lobbied American finance. And at some point — with what I can only assume was a completely straight face — someone in Physical Security decided that the bathroom was a secured area.
Not metaphorically. To enter, you badged in and punched a key code. To exit, you badged out and punched a key code. This was called an anti-passback system — a real access control feature designed to prevent anyone passing their credential back through the door to sneak a colleague in. Applied to a trading floor: sensible. Applied to a bathroom: the system was formally logging the duration of every visit. Timestamp in. Timestamp out. The institution knew, to the minute, how long you had been in there.
Nobody sat in a meeting and said "let's monitor bathroom time." They simply applied their total-access-control philosophy everywhere, without exception, and the bathroom was included without anyone blinking. The same badge that opened the trading floor, the server room, and the executive elevator was the one you fumbled for at 2pm post-coffee while a colleague who'd seen you every day for three years watched you prove you were allowed to answer nature's call.
The data — billions of dollars of it, account numbers, social security numbers — lived on servers you could reach from your desk. The bathroom required credentials, a keypad, and an exit scan. This was considered normal.
Nobody called it behavioural analytics. It was just security. You complained about it the way you complained about the vending machine — loudly, briefly, then you moved on.
What strikes me now is how thoroughly normalised total monitoring became — because it had edges. The badge didn't follow you home. There was a door, and you walked through it, and the system stopped caring. That boundary was obvious. You could feel it.
Every debate in the EU AI Act, every scramble around data sovereignty, every anguished conversation about profiling — it is the bathroom pass problem, scaled by ten million, with the edges removed.
At the bank, the system was clunky, obvious, and legible. You knew the camera was there.
Now? The monitoring is frictionless. No clicking badge reader. No awareness of where the boundary sits. Data about where you pause, what you hesitate over, how long you looked at something before clicking away — it flows silently into systems generating inferences about you that you will never read and cannot contest.
The bathroom pass was annoying precisely because it was visible. That visibility was, it turns out, a feature.
The EU AI Act's high-risk system categories? The bank had sensitive floors — extra badge, extra justification. Same idea, larger argument.
Behavioural profiling bans? The bank never inferred you were going to steal because you used the bathroom three times before 10am. There were humans applying judgment, not models applying correlation. The Act draws exactly this line — banning social scoring and risk assessment conducted purely by automated pattern-matching, without human review. The bank was accidentally compliant.
Data minimisation? The bank didn't store your elevator conversation. Not out of principle — it just didn't have the storage. Somewhere between then and now, storage became free, and minimisation had to become a deliberate choice. Here we are.
Data rights — the ability to see, query, and correct what's held about you — sit at the intersection of GDPR (which established them) and the AI Act (which extends them into automated inference). Twenty years ago this was considered absurd. In 2026 it is law. Progress is slow, then sudden.
I talk regularly with CXOs across the Nordic region. Thoughtful, globally connected, institutionally literate people. When the EU AI Act comes up, I notice something consistent enough to be its own phenomenon.
There is genuine intellectual curiosity. They have read the summaries. Some have read the act itself. No hostility, no reflexive allergy to regulation — these are people who built societies on the idea that sensible rules, properly applied, produce good outcomes.
And then — almost without exception — comes the turn. Delivered calmly, over excellent coffee:
"Yes, of course. We'll need to address it. But there is still time. The direction is right — good to have this. When it becomes mandatory, we will be ready."
I call this Nordic Compliance Serenity. It is not denial. It is not arrogance. It is a deep, almost philosophical trust that the system will signal clearly before the deadline arrives.
Historically, in Scandinavia, this has been a reasonable bet.
The problem is that the EU AI Act is not a Nordic institution. And some of its deadlines have already passed.
Prohibited AI practices and AI literacy obligations became enforceable February 2, 2025. General-purpose AI model requirements landed August 2025. The broader framework applies from August 2026. Some high-risk product categories extend to 2027 — which is perhaps why the calendar feels spacious. It isn't, uniformly.
And then there is the number that tends to rearrange furniture in boardrooms:
Non-compliance fines reach up to €35 million or 7% of global annual turnover — whichever is higher.
For context: GDPR, which everyone spent years dreading, peaks at 4%. The AI Act looked at that number and raised it. For a large Nordic enterprise, 7% of global turnover is not a compliance line item. It is an existential event dressed in regulatory language.
The curious thing is that the fine is almost beside the point. The sharper consequence is operational: authorities can require non-compliant AI systems to be withdrawn from the EU market entirely. You do not get to keep running the product while the lawyers sort it out.
The bank employees who complained loudest about the anti-passback had thought about the policy extensively. They had sensible views on its uniformity, its bureaucratic reach into corners of daily life that felt beneath the dignity of serious security. What they had not done was prepare for the morning the keypad failed, the reader didn't register, or the card was left on the kitchen counter — and they stood outside the bathroom door waiting. That morning always came. It was never convenient.
The Nordic CXO who is calmly curious about the EU AI Act is already ahead of peers in regions who haven't looked at it at all. The literacy is there. The foundation is there. What is quietly needed — and what most of them already sense — is moving the conversation from the interesting chair to the operational one.
"Good to have" is an opinion about the regulation. "Must-have by February 2025" was a calendar entry. That one has already passed.
At NordicMojo, that gap between knowing and doing is exactly where we work. Preferably before you find yourself outside the door, looking for a pass you meant to get around to laminating.
Verified against EU AI Act Article 99 (penalties), Article 5 (prohibited practices), and the official application timeline (Regulation EU 2024/1689). GDPR comparison based on Article 83 maximum thresholds.
Emil Løvgren, Per Arne Haug, and Alf Niklas Kalmár have joined NordicMojo AS as partners.;
Access trusted teams in India - built for Nordic SMBs. Every time we meet a new customer, we know there is some hesitation in the beginning. The first...;
