European regulatory compliance has entered a new phase. While the GDPR established the foundational architecture for data privacy governance, the EU AI Act is now reshaping the compliance landscape at a structural level — and the timelines are no longer theoretical. Prohibited AI practices have been banned since February 2025, General Purpose AI (GPAI) obligations became enforceable in August 2025, and the most consequential wave of requirements — covering high-risk AI systems across financial services, HR, critical infrastructure, and legal processes — arrives on 2 August 2026. For mid-market firms operating in or selling into the EU, the window for orderly preparation is narrowing.
From Policy to Enforcement: The EU AI Act’s Accelerating Timeline
The EU AI Act is the world’s first comprehensive legal framework for artificial intelligence, applying a risk-tiered approach that mirrors — and in some respects extends — the extraterritorial logic of the GDPR. Any organisation placing AI systems on the EU market or deploying them to EU-based users falls within scope, regardless of where the organisation is headquartered.
The compliance obligations now active or imminent include:
- Prohibited practices (February 2025): AI systems that deploy subliminal manipulation, exploit vulnerabilities, or enable real-time biometric surveillance in public spaces are banned outright.
- GPAI governance (August 2025): Providers of general-purpose AI models must maintain technical documentation, comply with EU copyright law, and — for systemic-risk models — conduct adversarial testing and report serious incidents.
- High-risk AI obligations (August 2026): Systems used in credit scoring, employment decisions, access to essential services, and legal proceedings must demonstrate documented risk management frameworks, human oversight mechanisms, conformity assessments, and post-deployment monitoring before market entry.
Non-compliance carries penalties of up to €35 million or 7% of global annual turnover for violations involving prohibited practices — figures that place AI governance firmly in the same risk category as GDPR enforcement, where penalties can reach €20 million or 4% of global revenue.
The Convergence of AI Governance, Data Privacy, and Enterprise Risk Management
What makes the current regulatory environment particularly demanding is not the complexity of any single framework but their convergence. Enterprise risk management teams are now required to maintain coherent controls across GDPR data privacy obligations, EU AI Act documentation requirements, AML screening processes that increasingly rely on algorithmic tools, and emerging ESG reporting standards that touch on AI-driven supply chain and emissions analytics.
This convergence is generating a structural compliance gap in many mid-market organisations. Responsibilities are fragmented across legal, IT, and operations functions, with no single owner accountable for AI-related risk. Regulators and compliance advisers are increasingly explicit: gap analyses, clear role assignments, and demonstrable staff AI literacy are now treated as substantive control measures, not aspirational best practice.
For General Counsel and Chief Compliance Officers, the practical implication is that AI governance can no longer be delegated to technology teams alone. Board-level oversight — including documented evidence that directors have engaged with AI risk — is becoming a regulatory expectation, consistent with the broader shift toward accountability-based compliance visible across GDPR enforcement actions and financial services regulation.
Implications for Business: What Decision-Makers Must Prioritise Now
With fourteen months remaining before the August 2026 deadline, organisations should treat the following as immediate priorities:
- AI system inventory and risk classification: Map all AI tools currently in use or under procurement against the EU AI Act’s risk categories. Third-party and vendor-supplied systems are not exempt — deployers bear compliance obligations alongside providers.
- Documentation architecture: High-risk AI systems require technical documentation, risk management records, and conformity assessments that must be audit-ready before deployment. Retrofitting documentation after deployment is both operationally costly and legally insufficient.
- Cross-functional governance structure: Assign clear ownership across legal, compliance, technology, and business lines. Consider appointing an AI Compliance Officer or integrating AI risk into existing enterprise risk management frameworks.
- Board and senior management engagement: Ensure that AI risk is a standing agenda item at board level, with documented evidence of oversight — particularly for organisations subject to financial services regulation or ESG reporting obligations.
- Staff AI literacy programmes: The EU AI Act explicitly requires organisations to ensure that staff working with AI systems possess sufficient AI literacy. This is an enforceable obligation, not a training recommendation.
Key Takeaway
The EU AI Act is no longer a future compliance challenge — it is an active enforcement framework with escalating obligations through 2026. For CFOs, General Counsel, and board members, the strategic imperative is to integrate AI governance into existing corporate governance, data privacy, and enterprise risk management structures before the August 2026 deadline, not after it. Organisations that treat this as a documentation exercise will be exposed; those that build genuine accountability frameworks will be positioned to deploy AI as a competitive asset rather than a liability.