European enterprises are entering a period of compounding regulatory obligation. With the EU AI Act’s high-risk system requirements taking effect on August 2, 2026, and joint guidance on its interplay with GDPR now confirmed for public consultation, the window for reactive compliance is closing. For CFOs, General Counsel, and Chief Risk Officers, the convergence of these two frameworks is not an abstract legal question — it is an immediate enterprise risk management priority.

A Dual Regulatory Burden with Asymmetric Penalty Exposure

The EU AI Act introduces a tiered enforcement architecture that, in several respects, surpasses GDPR in punitive reach. Violations involving prohibited AI practices under Article 5 — enforceable since August 2025 — carry fines of up to €35 million or 7% of global annual turnover, exceeding GDPR’s ceiling of €20 million or 4% of turnover. For high-risk AI systems, non-compliance with conformity assessment requirements, CE marking obligations, and mandatory registration in the EU database triggers a separate penalty tier.

Crucially, these obligations do not exist in isolation. Organisations deploying high-risk AI systems that process personal data — which encompasses the majority of enterprise AI applications in HR, credit scoring, fraud detection, and customer profiling — must simultaneously satisfy GDPR’s Data Protection Impact Assessment (DPIA) requirements and the AI Act’s own risk management documentation standards. Regulators have signalled that these are complementary, not interchangeable. Dual compliance is required, not a choice between frameworks.

For mid-market firms operating across multiple EU jurisdictions, this creates a structural governance challenge. The proposed GDPR amendments from Q4 2025 — which introduce revised cookie consent mechanics, SME-specific derogations, and modified rules for AI training data — add further complexity to an already demanding compliance calendar.

Joint Guidance: A Practical Lifeline, but Not a Delay Mechanism

On March 18, 2026, an EU official confirmed that the European Commission and data protection authorities will issue joint guidance on the AI Act–GDPR interplay, including practical compliance examples, through a public consultation process. Notably, this guidance will proceed independently of any pending legislative amendments — a signal that regulators do not intend to pause enforcement while the legal architecture is refined.

This is a meaningful development for compliance teams. Practical examples will help clarify how legitimate interest assessments interact with AI Act risk classifications, and how special category data — now potentially permissible for algorithmic bias correction under proposed GDPR revisions — should be handled under both regimes. However, organisations should not treat the guidance process as a moratorium. The August 2, 2026 deadline for high-risk AI system obligations remains firm.

The proposed expansion of allowances for AI development, including clearer scientific research exemptions and derogations for training data with appropriate safeguards, reflects a calibrated regulatory posture: facilitating responsible AI innovation while hardening enforcement against misuse. For corporate governance purposes, boards should understand that regulatory intent is not to obstruct AI adoption, but to ensure accountability structures are in place before systems are deployed at scale.

Implications for Business: Governance, Risk, and Operational Readiness

For decision-makers, the practical implications are immediate and cross-functional:

  • Inventory and classification: Legal and technology teams must jointly audit all AI systems in use or under development to determine whether they meet the AI Act’s definition of high-risk. This classification determines the full scope of conformity assessment, technical documentation, and human oversight obligations.
  • DPIA alignment: Existing GDPR DPIAs for AI-enabled processes should be reviewed and updated to incorporate AI Act risk management requirements. Where these documents exist in silos, integration is now a regulatory expectation, not a best practice.
  • Vendor and supply chain exposure: Deployers — not only providers — bear direct obligations under the AI Act. Contracts with AI vendors must be reviewed to allocate responsibility for conformity assessments, incident reporting, and post-market monitoring.
  • Board-level reporting: Enterprise risk management frameworks should be updated to reflect AI regulatory exposure as a quantified risk category, alongside AML, ESG reporting obligations, and data privacy liabilities.
  • Engage the consultation process: The forthcoming joint guidance consultation represents a rare opportunity to shape practical interpretation. Legal and compliance functions with material AI deployments should consider submitting responses.

Key Takeaway

The convergence of the EU AI Act and GDPR is not a future compliance scenario — it is the present operating environment for any European enterprise deploying AI at scale. With penalty exposure exceeding GDPR thresholds, dual documentation obligations, and a firm August 2026 deadline, the cost of deferred action is measurable. Organisations that treat AI governance as an integrated compliance discipline — rather than a technology team concern — will be materially better positioned as enforcement intensifies across the EU.