The compliance window is narrowing. The EU AI Act entered into force on 1 August 2024, and its phased implementation schedule is advancing faster than many mid-market organisations anticipated. With transparency rules for AI-generated content set to apply in August 2026 and General Purpose AI (GPAI) governance obligations already in effect since 2 August 2025, the question for CFOs, General Counsel, and enterprise risk leaders is no longer whether to act — it is whether they have acted sufficiently.
For companies operating in Europe or serving EU customers, the convergence of the AI Act with existing GDPR obligations creates a dual compliance burden that demands immediate attention across legal, technology, and operations functions.
A Phased Regulation With Immediate Consequences
The AI Act’s implementation timeline is deliberately staged, but each milestone carries material obligations. Prohibited AI practices and AI literacy requirements applied from 2 February 2025. GPAI model governance — covering foundation models and large-scale generative systems — became enforceable on 2 August 2025. The August 2026 deadline introduces mandatory transparency requirements for AI-generated content, including clear labelling of deepfakes, synthetic media, and certain public-interest communications.
For high-risk AI systems embedded in regulated products — spanning medical devices, industrial machinery, and critical infrastructure — an extended transition period runs until 2 August 2028. While this provides breathing room for product-heavy manufacturers, it should not be mistaken for an exemption. Documentation, risk assessment frameworks, and vendor due diligence must be initiated well in advance of that deadline.
The practical implication is clear: organisations that have deferred AI governance planning on the assumption that the regulation remains distant are now operating in a live compliance environment.
GDPR and the AI Act: An Overlapping Compliance Architecture
Perhaps the most operationally significant development is the tightening overlap between the AI Act and data privacy law. Any AI application that processes personal data — which encompasses the vast majority of enterprise AI deployments in HR, finance, customer service, and fraud detection — must simultaneously satisfy GDPR’s lawful basis requirements and the AI Act’s conformity, transparency, and incident reporting obligations.
This dual-regime architecture imposes a layered burden on mid-market firms that may lack the dedicated legal and compliance infrastructure of larger enterprises. Specifically, high-risk AI systems require:
- Risk assessment and mitigation documented prior to deployment
- High-quality, bias-audited datasets with traceability
- Comprehensive logging and technical documentation for regulatory review
- Human oversight mechanisms embedded in operational workflows
- Cybersecurity and accuracy controls maintained throughout the system lifecycle
For marketing and communications teams, the August 2026 transparency rules add a further layer: AI-generated content must be identifiable, and specific categories — including deepfakes and synthetic text used in public-interest contexts — must carry explicit disclosure labels. This directly affects brand governance, content production pipelines, and external communications strategies.
Implications for Enterprise Risk Management and Corporate Governance
From an enterprise risk management perspective, the AI Act fundamentally repositions AI from a technology decision to a corporate governance matter. Board members and audit committees should expect AI risk to appear alongside AML, cybersecurity, and ESG reporting on risk registers within the next 12 to 18 months.
Three priority actions stand out for decision-makers:
- Conduct an AI inventory audit. Map every AI system in use across the organisation, classify it against the AI Act’s risk tiers, and identify which systems trigger high-risk obligations or GPAI governance rules.
- Align GDPR and AI Act documentation. Establish a unified compliance framework that links lawful basis assessments under GDPR with conformity assessments and technical documentation required by the AI Act. Siloed legal and technology teams cannot manage this effectively.
- Strengthen third-party and vendor risk management. Many mid-market firms deploy AI through SaaS platforms and third-party vendors. Contractual obligations, audit rights, and transparency commitments must be reviewed and, where necessary, renegotiated.
Key Takeaway
The EU AI Act is no longer a future regulatory consideration — it is an active compliance framework with enforceable obligations already in place and critical deadlines approaching in 2026. For mid-market organisations operating across European markets, the convergence of AI governance and data privacy regulation demands a structured, cross-functional response. Those that treat this as an IT project rather than a regulatory compliance and governance imperative risk material exposure as enforcement mechanisms mature. The time to build defensible AI governance is now, not in the months before an August 2026 deadline.