EU AI Act and GDPR: How AI Regulations Are Reshaping European Compliance in 2024-2026

The GDPR (General Data Protection Regulation) in Europe established important milestones for personal data protection. This legislation guarantees fundamental rights to data subjects, such as access, correction, deletion, and portability of information.

However, when we talk about Artificial Intelligence, the challenges go beyond personal data protection. AI systems can:

Make automated decisions
Create discriminatory biases
Generate public safety risks
Threaten fundamental rights — even when they don't directly process personal data

That's why new AI-specific regulations emerge: the EU AI Act in Europe, representing the world's first comprehensive AI regulation.

What is the EU AI Act and how does it regulate Artificial Intelligence?

The EU AI Act (European Union Artificial Intelligence Act) entered into force in August 2024 and represents the first comprehensive AI regulation in the world. Unlike GDPR, which focuses on personal data, the EU AI Act classifies AI systems according to the level of risk they represent to fundamental rights and safety.

What is the EU AI Act's risk classification?

The European legislation divides AI systems into four risk categories:

Unacceptable Risk: Prohibited systems, such as government social scoring ("social credit" style) or subliminal manipulation causing physical or psychological harm
High Risk: AI used in critical infrastructure, education, employment, essential services, law enforcement, and migration — requiring rigorous compliance before deployment
Limited Risk: Systems that interact with humans (chatbots, deepfakes) — must clearly inform that they are AIs
Minimal Risk: Most applications (spam filters, video games) — no specific obligations

What are the main obligations of the EU AI Act?

For high-risk systems, companies must:

Implement robust risk management systems
Ensure governance and quality of training data
Maintain detailed technical documentation
Ensure transparency and human oversight capability
Guarantee accuracy, robustness, and cybersecurity
Register systems in European database

The EU AI Act also creates specific obligations for general-purpose AI providers (such as large language models), including technical documentation, copyright policies, and safety testing.

How does the EU AI Act compare to other emerging AI regulations?

While the EU AI Act leads global AI regulation, other jurisdictions are developing similar frameworks. For comparison, Brazil's proposed PL 2338/2023 follows a similar risk-based approach but adapts to national realities.

The EU AI Act serves as a model for global AI governance, establishing principles that influence international standards.

What are the principles of comprehensive AI regulation?

Modern AI regulation establishes fundamental principles for AI development and use:

Respect for human rights and democratic values
Legitimate purpose compatible with fundamental rights
Non-discrimination and combating unfair biases
Transparency and explainability of automated decisions
Safety and harm prevention
Accountability and responsibility

How does the EU AI Act classify AI systems?

The European regulation categorizes systems by risk:

Prohibited Systems (Unacceptable Risk):

Emotion recognition in educational or workplace environments
Biometric categorization to infer sensitive data
Social scoring by public authorities
Exploitation of vulnerabilities of specific groups

High-Risk Systems:

AI in critical infrastructure (energy, transport, water)
Educational systems for assessment or admission
Recruitment, selection, and worker evaluation
Access to essential services (credit, insurance, public benefits)
Law enforcement and criminal justice
Border management and migration
Justice administration

Limited Risk Systems:

Chatbots and virtual assistants
Content recommendation systems
AI that directly interacts with users

Minimal Risk Systems:

Applications without significant impact on fundamental rights

What are the obligations by role in the AI value chain?

The EU AI Act distributes responsibilities among different actors in the AI value chain:

Who is the AI "provider" or "developer"?

Those who develop or train AI systems. Their obligations include:

Conduct conformity assessment before deployment
Implement risk management system
Ensure quality and representativeness of training data
Elaborate complete technical documentation
Maintain automatic records (logs) of operations
Ensure adequate transparency for operators and users
Implement appropriate human oversight
Guarantee robustness, security, and accuracy

Who is the AI "deployer" or "operator"?

Those who use the AI system under their authority. Must:

Use AI according to provider instructions
Ensure effective human oversight
Monitor functioning and results
Report incidents and malfunctions
Conduct impact assessment for high-risk systems
Inform affected persons about AI use in decisions that impact them

Who is the "importer" or "distributor"?

Intermediaries in the chain must:

Verify system compliance
Maintain traceability and documentation
Cooperate with regulatory authorities
Report identified non-compliance

When do these regulations take effect? Practical timeline

EU AI Act Timeline (Europe)

The EU AI Act is already in force since August 2024, but with gradual implementation:

February 2025: Prohibition of unacceptable risk systems
August 2025: Rules for general-purpose AI (large models)
August 2026: Complete obligations for high-risk systems
August 2027: Obligations for high-risk systems already in use before the law

Global Impact Timeline

The EU AI Act's influence extends beyond Europe:

2024-2025: Other jurisdictions developing similar regulations
2026: Expected convergence of international AI standards
2026-2027: Global companies adapting to EU AI Act requirements
2027-2028: Enforcement and penalty application

Important: Companies should start preparing now, even before formal enforcement, implementing AI governance practices and mapping existing systems.

How should your company prepare for new AI rules?

What are the first practical steps?

Map all AI systems in use or development in the organization
Classify each system according to risk level (high, limited, minimal)
Identify roles (is your company a provider, deployer, or both?)
Assess compliance gaps regarding applicable obligations
Prioritize actions starting with high-risk systems

What documentation does your company need to create?

For high-risk systems, prepare:

Algorithmic impact assessment (impacts on fundamental rights)
Technical documentation (architecture, data, training, testing)
Risk management policy with bias and discrimination analysis
Instruction manual for operators
Decision records and system logs
Human oversight processes and contestation mechanisms

How to ensure training data quality?

Training data must be:

Representative of the population or real use cases
Free from unfair or discriminatory biases
Accurate and updated as necessary
Documented regarding origin and processing
Protected according to GDPR when personal data

What is the role of human oversight?

High-risk systems require "human oversight":

Human operators must be able to intervene in automated decisions
There must be capability to interrupt or reverse AI decisions
Affected persons must be able to contest automated decisions
Oversight must be exercised by qualified and trained persons

What are the penalties for non-compliance?

EU AI Act Fines

The European Union establishes significant penalties:

Up to €35 million or 7% of global turnover (whichever is higher) for using prohibited systems
Up to €15 million or 3% of global turnover for violations of high-risk obligations
Up to €7.5 million or 1.5% of global turnover for incorrect information to authorities

Additional Enforcement Measures

Beyond fines, the EU AI Act includes:

Public warnings and reputational damage
Partial or total suspension of AI systems
Prohibition of AI-related activities
Mandatory compliance audits

How can Trust This help your company with AI compliance?

Trust This offers specialized solutions for AI governance and transparency:

Mapping and Classification: We identify all AI systems in your organization and classify them by risk level according to EU AI Act requirements.

Compliance Assessment: We analyze gaps between your current practices and regulatory obligations, prioritizing corrective actions.

Technical Documentation: We assist in creating all required documentation, including algorithmic impact assessments and risk management policies.

Continuous Monitoring: We implement processes for monitoring bias, accuracy, and incidents in AI systems.

AITS Platform: Our solution analyzes AI tool transparency and compliance through 20 criteria, helping with vendor selection and governance.

Preparing for new AI regulations isn't just a matter of legal compliance — it's an opportunity to build customer trust, differentiate in the market, and develop AI ethically and responsibly. Start your compliance journey today and position your company ahead of 2026 regulatory requirements.