With the EU Artificial Intelligence Act having entered into force on 1 August 2024 and full application commencing in August 2026, European and globally exposed organisations face a compressed window to restructure their AI governance frameworks. For boards and executive teams, this is no longer a horizon risk — it is an active compliance obligation requiring cross-functional coordination across legal, technology, and enterprise risk management functions.
A Dual Regulatory Burden: Where the EU AI Act Meets GDPR
The most operationally significant challenge for organisations is not the AI Act in isolation, but its direct intersection with the General Data Protection Regulation (GDPR). High-risk AI systems that process personal data — including recruitment tools, credit scoring models, and large language models used in customer-facing applications — must now satisfy obligations under both regimes simultaneously.
The AI Act mandates enhanced requirements for data governance, transparency, and human oversight for high-risk systems, while simultaneously requiring providers to implement bias detection and correction mechanisms in large language models. These requirements layer directly onto GDPR’s existing obligations around lawful processing, data minimisation, and automated decision-making under Article 22. The European Data Protection Board’s launch of the Coordinated Enforcement Framework (CEF) 2026 signals that regulators intend to treat these frameworks as complementary, not separate — and enforcement will reflect that integration.
The Ireland Data Protection Commission’s €405 million fine against Meta Platforms Ireland for failures in protecting children’s data on Instagram serves as a material reference point. It illustrates both the scale of exposure and the regulator’s willingness to pursue structural failures in data governance — precisely the category of risk that poorly governed AI systems introduce at scale.
Transatlantic Data Flows and the AI Supply Chain
For multinational organisations, the EU–US Data Privacy Framework adequacy decision provides meaningful relief for transatlantic personal data transfers to certified US entities following the uncertainty created by the Schrems II ruling. However, this adequacy decision does not resolve the AI-specific compliance obligations that arise when US-developed or US-hosted AI systems process European personal data.
Organisations must now conduct a rigorous audit of their AI supply chains — including third-party model providers, cloud infrastructure, and API-dependent services — to determine whether each component meets the AI Act’s conformity requirements and GDPR’s data transfer safeguards. This is particularly relevant for enterprises that have rapidly deployed generative AI tools without corresponding governance structures.
The emerging Digital Omnibus proposal adds further complexity by introducing material GDPR updates, including exempting approximately 60% of low-risk processing purposes from consent requirements and mandating that controllers respect browser-based privacy signals such as Global Privacy Control. For organisations operating consent management platforms, this will require technical reconfiguration and updated legal bases across digital properties.
Implications for Corporate Governance and Enterprise Risk Management
The convergence of these regulatory developments has direct implications for corporate governance structures and board-level oversight responsibilities. Key actions for decision-makers include:
- AI risk classification: Conduct a formal inventory of AI systems in use and classify each against the AI Act’s risk tiers. High-risk designations trigger mandatory conformity assessments, technical documentation, and human oversight mechanisms before August 2026.
- Integrated compliance architecture: Establish a unified governance function — or formal coordination protocol — between Data Protection Officers, Chief AI Officers, and General Counsel to manage the GDPR-AI Act interface without duplicative or conflicting controls.
- Third-party due diligence: Embed AI Act and GDPR compliance requirements into vendor contracts and M&A due diligence frameworks. Target companies with material AI deployments now carry regulatory contingent liabilities that must be quantified at deal stage.
- Consent infrastructure review: Anticipate the Digital Omnibus changes by auditing existing consent management platforms against the forthcoming browser-signal requirements and reduced consent scope.
- Board reporting: Integrate AI regulatory compliance into existing ESG reporting and enterprise risk management dashboards. Regulators and institutional investors increasingly expect board-level accountability for AI governance.
Key Takeaway
The August 2026 full application date for the EU AI Act is not a distant deadline — it is an active project timeline. Organisations that treat AI governance as a standalone technical matter, rather than an integrated component of their regulatory compliance and corporate governance frameworks, risk both enforcement exposure and competitive disadvantage. The regulatory architecture is now clear. The strategic imperative is execution.