
AI & Law

EU AI Act & GDPR — What Companies Must Do Now in 2026

The AI Act is no longer a distant threat. The first obligations are already in force, the next major milestone is marked on the calendar for August 2026 — and, in parallel, the EU is working on an amendment package designed to push exactly that deadline back, but it has not yet entered into force. Companies that set things up cleanly now, rather than betting on relief, are on the safe side. This article situates the legal position and names concrete next steps. (This is general information, not legal advice.)

What Already Applies — and What Only Appears to Be Waiting

The AI Regulation, formally Regulation (EU) 2024/1689, entered into force on August 1, 2024. As a regulation, it applies directly in all Member States; no national transposition, as would be needed for a directive, is required. Its obligations, however, do not take effect all at once but in phases (Art. 113):

  • February 2, 2025: The prohibited AI practices (Art. 5) are live. So is the obligation to ensure AI literacy (Art. 4).
  • August 2, 2025: Obligations for general-purpose AI models (GPAI), the governance structure, and the penalty regime take effect.
  • August 2, 2026: General application of the remaining provisions — in particular the high-risk obligations under Annex III and the transparency obligations (Art. 50).
  • August 2, 2027: High-risk systems under Annex I (AI as a safety component of regulated products).

A practical point worth stressing: two of these obligations apply to every company, including pure users. The prohibited practices (e.g. social scoring) are off limits in any case. And the AI-literacy obligation under Art. 4, that is, ensuring that staff who work with AI have a sufficient understanding of it, applies regardless of risk class and is already in force. I cover how to implement it concretely, without lapsing into training theater, separately in Implementing the AI-literacy obligation (Art. 4).

The Risk-Class Principle in One Sentence

The AI Act classifies AI systems by their risk and ties the obligations to it: unacceptable risk is prohibited, high-risk systems carry full obligations, limited risk only transparency duties, minimal risk none. GPAI models form their own cross-cutting category.

The AI Act follows a simple logic: the higher a system’s risk, the stricter the obligations. Four tiers plus one cross-cutting category:

  • Unacceptable risk — prohibited (Art. 5).
  • High risk — e.g. AI used in hiring, in creditworthiness assessment, or in critical infrastructure (Annex III), as well as AI as a safety component of regulated products (Annex I). Full obligations for providers and deployers.
  • Limited risk — e.g. chatbots, AI-generated content. Here the transparency obligations (Art. 50) apply: people must be able to recognize that they are talking to an AI or that content is AI-generated.
  • Minimal risk — the bulk of applications, with no mandatory requirements.
  • GPAI models cut across the rest: universally deployable models with their own obligation track. Transparency and copyright obligations apply to all of them, with additional safety requirements where there is systemic risk (one indicator being a training compute above 10²⁵ FLOP).

For most mid-sized companies, the decisive question is not “Are we the provider of a high-risk system?” but “Do we deploy such a system?” Companies that merely purchase and use AI are usually deployers and therefore carry a lighter burden than the provider — but not zero. Note: anyone who substantially modifies a system or markets it under their own name can themselves become a provider (the common interpretation; to be assessed case by case).

The August 2026 Deadline and the “Digital Omnibus”

This is the most important pitfall of the year. On May 7, 2026, the EU Parliament, Council and Commission reached a provisional agreement on the “Digital Omnibus on AI” — the first amendment package to the AI Act. Among other things, the plan is to push the high-risk deadline for Annex III systems from August 2, 2026 to December 2, 2027, and the Annex I deadline to August 2, 2028.

The crucial point — where most mistakes are currently being made in advisory practice — is this: this package is not yet in force. As of mid-May 2026, the Parliament’s final plenary vote, the Council’s formal adoption, and publication in the Official Journal are all still outstanding. Until publication in the Official Journal, August 2, 2026 remains the binding high-risk cut-off date. The new dates become binding only once the Omnibus is actually published.

The sober recommendation: plan according to the law as it stands, not according to anticipated relief. A company that builds its compliance on a not-yet-adopted deadline extension — only for the package to slip or be reworked — will find itself unprepared on August 2.

The Fines — and Why SMEs Sometimes Come Off Better

The penalty regime (Art. 99) is tiered; in each case the higher of the two values applies:

  • Prohibited practices (Art. 5): up to EUR 35 million or 7% of worldwide annual turnover.
  • Other breaches of obligations: up to EUR 15 million or 3%.
  • Incorrect information supplied to authorities: up to EUR 7.5 million or 1%.

This means the AI Act’s maximum even exceeds the GDPR ceiling (EUR 20 million / 4%, Art. 83 GDPR). One important relief for smaller players: for SMEs and start-ups, the lower value applies in each case (percentage or fixed amount) — not, as otherwise, the higher one (Art. 99(6)).

[Figure: Schematic illustration of the parallel application of the EU AI Act as product safety law and the GDPR as data protection law to a single AI system]

Two rulebooks, one system: the AI Act regulates the AI system as a product, the GDPR the personal data processed within it. As soon as both coincide, both tracks apply at the same time.

The Interface with the GDPR: Two Regimes, Not One

The most common conceptual error is to treat the AI Act and the GDPR as alternatives. They apply cumulatively. The AI Act is primarily product safety law — it regulates the system. The GDPR protects the fundamental right to data protection — it regulates the processing of personal data. As soon as an AI system processes personal data, both apply at the same time.

This gives rise to concrete overlaps:

  • Legal basis first. Every processing of personal data in an AI tool requires a legal basis under Art. 6 GDPR — in practice usually performance of a contract (point (b)), legitimate interest (point (f), with a documented balancing test) or consent (point (a)). Special categories (health, biometrics, etc.) additionally require Art. 9 GDPR.
  • Processing on behalf. If an external AI provider processes data on your behalf, a data processing agreement under Art. 28 GDPR is mandatory. Free consumer tools usually offer none — and partly use inputs for training, which can flip the provider’s role from processor to independent controller.
  • Third-country transfer. Most AI providers are based in the US. Any transfer there requires a basis under Art. 44 et seq. GDPR, either certification of the provider under the EU-US Data Privacy Framework or standard contractual clauses. The DPF currently applies (the General Court dismissed the action against the adequacy decision on September 3, 2025), but that ruling is not yet final; double-securing via SCCs as a fallback is a common precaution. I compare when an EU-hosted model or on-premise deployment is worth it instead in EU-hosted vs. US LLMs.
  • Impact assessments. This is where the regimes interlock: the GDPR’s DPIA (data protection impact assessment, Art. 35) and the AI Act’s data-governance requirements (Art. 10) are separate but related instruments. For high-risk systems involving personal data, both often arise together — when a DPIA for AI systems actually becomes mandatory, and how to run it cleanly, is a topic of its own.

It is precisely this dual nature that makes AI compliance neither a pure tech question nor a pure legal one. Anyone wearing both lenses avoids the typical gap: a technically clean system whose data flows were never assessed under the GDPR — or, conversely, watertight data-protection documentation for a system whose AI Act classification no one has carried out.

Action Checklist for 2026

  1. Inventory. Which AI systems do you use, plan, or tolerate — including unofficial “shadow AI” run by employees?
  2. Classify. Which AI Act risk class does each system fall into, and are you the provider or the deployer?
  3. Establish a legal basis per use case (Art. 6, and where relevant Art. 9 GDPR) and document it.
  4. Review contracts. A data processing agreement under Art. 28 with every provider that processes personal data; business/enterprise plans rather than consumer versions. What needs to go into an AI contract beyond the DPA — performance, liability, IP, SLA — is a separate checkpoint.
  5. Secure third-country transfers — check DPF status, use SCCs as a fallback.
  6. Create transparency. Label AI interactions and AI-generated content (Art. 50).
  7. Build AI literacy. Training is mandatory (Art. 4) — and it simultaneously defuses the shadow-AI risk.
  8. Carry out a DPIA wherever there is a high data-protection risk (Art. 35 GDPR).
  9. Put an internal AI policy in writing: permitted tools, prohibitions, the duty to check outputs, reporting channels.
  10. Monitor the legal landscape — keep an eye on the Digital Omnibus and the DPF, but act according to the law as it stands.

Conclusion

The AI Act is manageable once you take it for what it is: a phased program of obligations with a clear logic. The two obligations already in force today — prohibited practices and AI literacy — cost little and are quickly handled. The bigger task, the high-risk classification and the interlocking with the GDPR, should be tackled now — regardless of whether the Digital Omnibus ultimately pushes the August deadline back. A company that knows, classifies, and has legally underpinned its systems can face both regimes with composure.

This dual perspective — the legal classification and the technical implementation in one head — is exactly how I work. If you want to classify your AI systems or structure your compliance homework, get in touch.

Frequently Asked Questions (FAQ)

Does the AI Act apply to my company even if we only purchase AI?

Yes. Anyone who deploys an AI system is typically a deployer within the meaning of the regulation and carries its own obligations, for high-risk systems, for example, human oversight and monitoring. Regardless of risk class, you are also bound by the prohibition of certain practices (Art. 5) and the AI-literacy obligation (Art. 4). “Just a user” does not mean “not affected”.

Does the “Digital Omnibus” push the August 2026 deadline back bindingly?

No — not yet. The political agreement of May 7, 2026 is a statement of intent, not law in force. The new dates (Annex III: December 2, 2027) would only become binding once published in the Official Journal. Until then, August 2, 2026 remains the relevant high-risk cut-off. Plan according to the law as it stands.

Is complying with the GDPR enough when I deploy AI?

No. The AI Act and the GDPR are cumulative: the GDPR governs the processing of personal data, the AI Act the system as a product. A GDPR-compliant tool can still breach AI Act obligations — and vice versa. As soon as personal data is involved, you must serve both regimes.

As an SME, what should I do first?

Pragmatically, in this order: inventory your AI systems (including shadow AI), determine each system’s risk class and role, document the legal basis and data processing agreements, write an internal AI policy, and ensure your staff’s AI literacy. These five steps cover the bulk of the acute risk.

Are the fines really existential for small companies?

The maximum (up to EUR 35 million / 7% of turnover for prohibited practices) targets large players. For SMEs and start-ups, Art. 99(6) applies the lower of the two values in each case. That puts the headline figures into perspective — but does not exempt you from the obligations.

Sources — as of 14.05.2026
Leon Lotz
Leon Lotz is a business lawyer and founder of MusketierSoftware. He combines legal depth with real software craft.