As the EU AI Act begins its phased implementation on August 1, 2024, businesses across Europe are facing new compliance challenges alongside existing GDPR requirements. The complex rollout timeline stretches over three years, with key deadlines approaching in 2025 and 2026.
By August 2, 2026, companies will need to follow both GDPR and EU AI Act rules for high-risk AI systems. This includes AI used in critical sectors like healthcare, employment, and financial services. The European Data Protection Board warned in April 2025 that large language models rarely anonymize data properly, making GDPR compliance essential.
High-risk AI systems in healthcare, employment, and financial services face dual compliance challenges as GDPR and AI Act requirements converge by 2026.
Companies operating AI systems must update their Records of Processing Activities to include AI-specific information. Vendor contracts need revision to reference the 2025 Standard Contractual Clauses that address AI compliance requirements. Financial institutions have particularly high adoption rates, with payment institutions and banks leading AI implementation in areas like anti-money laundering and client onboarding.
For general-purpose AI models already on the market, providers have until August 2, 2027, to comply with the new rules. However, any new models launched after August 2, 2025, must comply immediately. The EU AI Office is working on a Code of Practice to help guide these providers.
Member States face tight deadlines too. They must identify fundamental rights authorities by November 2024 and set up AI regulatory sandboxes by August 2026. The Commission has committed to providing codes of practice by May 2, 2025, to assist in implementation. National competent authorities and penalty laws should be in place by August 2025.
Implementation challenges are mounting. The Commission missed its February 2026 deadline to provide guidance on high-risk AI determination. Industry groups are pushing for delays, arguing they don’t have enough time to prepare for the August 2026 deadlines.
The Digital Omnibus legislation under discussion might link high-risk compliance deadlines to the availability of technical standards. This could delay full implementation until December 2027 or even August 2028.
As 2026 approaches, the intersection of GDPR and the EU AI Act represents a significant turning point for digital regulation in Europe, with stricter enforcement expected on AI systems, dark patterns, and consent manipulation.