The EU AI Act is no longer a horizon risk. With prohibited AI practices and AI literacy obligations already enforceable since 2 February 2025, and General Purpose AI (GPAI) governance rules applicable since 2 August 2025, European companies — and any global enterprise operating in EU markets — are now inside a live compliance window. The next critical milestone, 2 August 2026, brings transparency obligations for generative AI systems and full applicability for the majority of high-risk AI requirements. For CFOs, General Counsel, and boards, the question is no longer whether to act, but whether current governance structures are adequate to absorb what is coming.

A Phased Timetable That Demands Immediate Planning

The Act’s architecture is deliberately staged, but that staging creates a deceptive sense of distance. In practice, organisations deploying or procuring AI systems in Europe need to work backwards from each deadline to assess readiness. The current compliance landscape breaks down as follows:

  • Already in force (February 2025): Prohibition on unacceptable-risk AI systems — including social scoring, real-time biometric surveillance in public spaces, and manipulative subliminal techniques — alongside mandatory AI literacy obligations for all organisations deploying AI tools.
  • In force since August 2025: GPAI model governance rules, including transparency, copyright compliance documentation, and systemic risk assessments for the most capable models.
  • August 2026: Full high-risk AI obligations — conformity assessments, quality management systems, registration in the EU database, and transparency requirements for generative AI outputs — become broadly applicable.
  • August 2028: Under the proposed AI Omnibus, certain regulated-product high-risk systems (medical devices, machinery, aviation) benefit from an extended transition, but this relief is sector-specific and not a general deferral.

Penalties for non-compliance are structured to compel board attention: prohibited AI systems attract fines of up to €35 million or 7% of global annual turnover, whichever is higher. High-risk system violations carry penalties of up to €15 million or 3% of global turnover. These are not administrative nuisances — they are existential financial exposures for mid-market firms.

AI Governance and GDPR: A Dual Compliance Obligation

A persistent misconception among leadership teams is that the EU AI Act displaces or supersedes GDPR. It does not. Where AI systems process personal data — which encompasses the overwhelming majority of enterprise AI deployments, from HR analytics to customer profiling and fraud detection — GDPR remains the baseline legal framework. Organisations must simultaneously satisfy both regimes.

In practice, this means that any high-risk AI system processing personal data requires not only a conformity assessment under the AI Act, but also a lawful basis under GDPR Article 6, a Data Protection Impact Assessment where Article 35 thresholds are met, and robust logging and audit trail capabilities to demonstrate accountability under both frameworks. The convergence of AI governance and data privacy compliance is not a future state — it is the current regulatory reality.

General Counsel should be stress-testing existing data governance frameworks against AI-specific use cases. Questions such as how long AI system logs are retained, whether automated decision-making disclosures satisfy both GDPR Article 22 and AI Act transparency requirements, and whether third-party AI vendors have been contractually mapped to compliance obligations, are now material legal risk questions — not IT procurement details.

Regulatory Simplification Is Coming, But Enforcement Expectations Are Rising

The European Commission’s proposed Digital Omnibus and AI Omnibus packages signal a political intent to reduce administrative friction, particularly for SMEs. Proposals include a consolidated breach-reporting mechanism and an extended breach notification window — potentially moving from 72 to 96 hours under GDPR. These are meaningful operational improvements for compliance teams managing multi-jurisdictional incidents.

However, simplification of process should not be read as a softening of substantive expectations. The Commission is simultaneously investing in enforcement infrastructure, and national supervisory authorities are building dedicated AI oversight capacity. The risk-based model of the AI Act places the burden of classification, documentation, and ongoing monitoring squarely on deploying organisations. Regulatory simplification reduces friction at the margin; it does not reduce the underlying compliance obligation.

Implications for Business: Four Actions for Decision-Makers

For CFOs, General Counsel, M&A Directors, and boards navigating this environment, the following actions are immediately relevant:

  • Conduct an AI system inventory and risk classification. Map all AI tools in use — including third-party SaaS applications with embedded AI — against the Act’s risk categories. This is a prerequisite for every subsequent compliance step and should be completed before Q1 2026.
  • Integrate AI Act obligations into M&A due diligence. Target companies with AI-dependent business models carry regulatory risk that must be quantified. Acquirers inheriting non-compliant high-risk AI systems inherit the associated liability.
  • Align AI governance with existing enterprise risk management frameworks. AI compliance is most efficiently managed as an extension of existing ERM, data privacy, and ESG reporting structures — not as a standalone workstream.
  • Engage the board now. Given the scale of potential sanctions and the reputational dimension of AI governance failures, this is a board-level issue. Audit and risk committees should be receiving regular AI compliance updates by mid-2025 at the latest.

Key Takeaway

The EU AI Act’s phased implementation is not a reason for deferred action — it is a structured timetable that rewards early movers and penalises organisations that treat August 2026 as a planning start date rather than a compliance deadline. The convergence of AI governance, GDPR, and enterprise risk management creates both complexity and an opportunity: companies that build integrated, board-governed compliance architectures now will be better positioned for enforcement scrutiny, M&A transactions, and the next wave of EU digital regulation.