The EU AI Act regulates AI systems by risk; the GDPR regulates personal data. They apply at the same time and reinforce each other. An enterprise that uses AI on personal data must satisfy both: classify each AI system by its EU AI Act risk tier, and keep meeting GDPR obligations such as lawful basis, impact assessments, and data subject rights. The AI Act does not replace the GDPR.
What is the EU AI Act?
The EU AI Act (Regulation 2024/1689) is the first comprehensive law for artificial intelligence. It is risk-based: the obligations on an AI system scale with the harm it could cause. It entered into force in August 2024 and applies in phases through 2027.
- Unacceptable risk. Banned outright (for example, social scoring and certain biometric practices).
- High risk. Permitted, but subject to strict obligations (for example, AI in hiring, credit, or critical infrastructure).
- Limited risk. Transparency duties (for example, telling users they are interacting with AI).
- Minimal risk. No mandatory obligations.
EU AI Act compliance deadlines
The Act applies in stages, not all at once:
| Date | What applies |
|---|---|
| Aug 2024 | The AI Act enters into force. |
| Feb 2025 | Bans on unacceptable-risk AI; AI literacy duties. |
| Aug 2025 | General-purpose AI (GPAI) model obligations; governance rules. |
| Aug 2026 | Most high-risk AI system obligations (Annex III). |
| Aug 2027 | High-risk AI embedded in regulated products (Annex I). |
How the EU AI Act relates to GDPR
The two laws govern different things but overlap whenever AI processes personal data. Both apply; neither overrides the other.
| | GDPR | EU AI Act |
|---|---|---|
| Regulates | Processing of personal data | AI systems, by risk level |
| In force since | 2018 | 2024 (phased through 2027) |
| Key duties | Lawful basis, DPIA, data subject rights, security | Risk classification, data governance, documentation, human oversight, conformity assessment |
| Impact assessment | DPIA | FRIA, for certain high-risk deployers |
| Maximum penalty | €20M or 4% of global turnover | €35M or 7% of global turnover |
Where the two laws overlap in practice
- Data governance. High-risk AI must use training data that is relevant and appropriately governed, which echoes GDPR principles of accuracy and data minimization.
- Impact assessments. A GDPR DPIA and an AI Act FRIA can be run together where both are triggered.
- Automated decisions. GDPR Article 22 already limits solely automated decisions with legal effects; the AI Act adds human oversight duties on top.
- Transparency. Both require telling people when AI is involved, from chatbots to AI-generated content.
What enterprises must do: a checklist
- Inventory every AI system in use, including embedded and third-party models.
- Classify each system by EU AI Act risk tier, and flag which ones process personal data.
- For high-risk systems, stand up risk management, data governance, technical documentation, logging, and human oversight.
- Run DPIAs and FRIAs where required, ideally as one combined assessment.
- Confirm a lawful basis for training and inference data, and keep GDPR data subject rights workflows working.
- Add the required transparency notices and keep an audit trail you can show a regulator.
Key takeaways
- The EU AI Act and GDPR apply together; the Act does not replace GDPR.
- Obligations phase in from 2025 to 2027, with most high-risk duties landing in August 2026.
- Penalties reach €35M or 7% of global turnover, higher than GDPR's €20M or 4%.
- Start with an AI inventory and risk classification; combine DPIAs and FRIAs.
Frequently asked questions
What is the EU AI Act?
The EU AI Act (Regulation 2024/1689) is the first comprehensive law governing artificial intelligence. It sorts AI systems into four risk levels — unacceptable, high, limited, and minimal — and sets binding obligations that scale with risk. It entered into force in August 2024 and applies in phases through 2027.
Does the EU AI Act replace GDPR?
No. The EU AI Act regulates AI systems; the GDPR regulates personal data. They apply at the same time and are designed to reinforce each other. An enterprise using AI on personal data must comply with both, not choose between them.
When does the EU AI Act take effect?
In phases. Bans on unacceptable-risk AI applied from February 2025, general-purpose AI model rules from August 2025, most high-risk obligations from August 2026, and high-risk AI embedded in regulated products from August 2027.
What are the penalties under the EU AI Act?
Up to 35 million euros or 7% of global annual turnover for banned AI practices, up to 15 million euros or 3% for breaching other obligations such as the high-risk requirements, and up to 7.5 million euros or 1% for supplying incorrect information to authorities.
Do I need both a DPIA and a FRIA?
Possibly. A Data Protection Impact Assessment (DPIA) is a GDPR requirement when processing is high-risk to individuals. A Fundamental Rights Impact Assessment (FRIA) is an EU AI Act requirement for certain deployers of high-risk AI. Where both apply, the FRIA can build on the DPIA rather than duplicate it.
Most of this work starts with one thing: knowing which AI systems you run and which touch personal data. DataSafeguard builds that live inventory and classification, enforces policy at inference time, and keeps the audit trail both laws ask for. See how it maps to your stack, or read what AI governance covers.