RatedWithAI

RatedWithAI

Accessibility scanner

Sign in
Blog/EU AI Act

EU AI Act vs GDPR: What Overlaps and What's New (2026 Compliance Guide)

Already GDPR-compliant? Your data protection program gives you a real head start on the EU AI Act — but it doesn't get you all the way there. Here's exactly where the two laws align, where they diverge, and the eight gaps most GDPR-compliant companies still need to close before August 2026.

By RatedWithAI Team·June 30, 2026·12 min read

Key Dates

  • February 2, 2025 — EU AI Act prohibited practices ban in effect
  • August 2, 2025 — GPAI model obligations apply
  • August 2, 2026 — High-risk AI system obligations enforceable
  • August 2, 2027 — Legacy high-risk AI systems in scope

Why GDPR Compliance Matters for the EU AI Act

The EU AI Act and GDPR are separate laws with separate enforcement authorities. The AI Act is enforced by national market surveillance authorities (and the European AI Office for GPAI models). GDPR is enforced by data protection authorities. Different agencies, different penalties, different audit processes.

But the two laws share a common design philosophy: risk-based, accountability-driven, documentation-heavy. Companies that built genuine GDPR compliance programs — not just cookie banners — already have infrastructure that translates directly into AI Act obligations. The question is identifying what's covered and what isn't.

Where GDPR and the EU AI Act Overlap

These are areas where your existing GDPR compliance work directly satisfies or substantially contributes to EU AI Act requirements:

1. Transparency Obligations

GDPR requires you to inform data subjects about automated decision-making (Article 22) including meaningful information about the logic involved. The EU AI Act requires deployers of high-risk AI systems to give affected people clear information about the AI system's purpose and capabilities. Your existing AI transparency notices likely cover much of this ground — review them against EU AI Act Article 13 requirements to identify gaps.

2. Data Governance and Quality

GDPR's data minimization, accuracy, and purpose-limitation principles (Article 5) align closely with the EU AI Act's data governance requirements for high-risk systems (Article 10). If you've documented your training data sources, quality controls, and bias mitigation for GDPR purposes, that documentation provides the foundation for AI Act compliance. Extend it to cover bias testing and representativeness requirements.

3. Record-Keeping and Accountability

GDPR's Records of Processing Activities (RoPA) requirement and the AI Act's technical documentation requirement (Article 11) both demand that you maintain detailed records of how your AI systems work. Your GDPR documentation practices are directly transferable — you'll add AI-specific fields (model architecture, training methodology, performance metrics) to existing documentation frameworks.

4. Data Protection Impact Assessments

GDPR DPIAs for high-risk processing and the EU AI Act's fundamental rights impact assessment for certain deployers (Article 27) address overlapping territory. Both assess risks to individuals from automated systems. A well-executed GDPR DPIA for an AI application will capture much of what the AI Act assessment requires — though the AI Act assessment has distinct output requirements and must be registered with the relevant authority in some cases.

5. Human Review of Automated Decisions

GDPR Article 22 gives EU residents the right not to be subject to purely automated decisions with significant effects. The EU AI Act's human oversight requirements (Article 14) for high-risk AI systems require deployers to ensure humans can understand, monitor, and override AI system outputs. If you've already implemented Article 22 review processes, extend them to satisfy Article 14's more specific technical requirements.

Where the EU AI Act Goes Beyond GDPR

These are the gaps — areas where GDPR compliance doesn't get you there and where most companies need to do new work:

Gap 1: Technical Documentation (Article 11)

The EU AI Act requires providers of high-risk AI systems to maintain detailed technical documentation before placing the system on the market. This goes far beyond GDPR record-keeping. Required content includes: general description of the AI system, intended purpose, version history; a detailed description of the system's elements, development process, and design specifications; information on training, validation, and testing methodologies; and performance metrics including accuracy on different populations. GDPR RoPA entries don't capture this level of technical detail.

Gap 2: Conformity Assessment (Articles 19–20)

High-risk AI systems require a conformity assessment demonstrating compliance before market placement. For most high-risk systems, this is a self-assessment against EU AI Act Annex IV requirements. For certain systems (biometric identification, critical infrastructure), third-party notified body assessment is required. GDPR has no equivalent process — there's no GDPR "conformity marking" requirement. This is purely new work.

Gap 3: CE Marking and Registration

Compliant high-risk AI systems must bear CE marking and be registered in the EU database for high-risk AI systems (Article 51). Deployers using high-risk AI must also register their use in some categories. There's no GDPR analog to CE marking or the EU AI database. This requires coordination between your legal, compliance, and product teams.

Gap 4: Accuracy, Robustness, and Cybersecurity Testing (Article 15)

The EU AI Act requires high-risk AI providers to design systems to achieve appropriate levels of accuracy, robustness, and cybersecurity. Critically, you must test and document these properties — including performance across different demographic groups and under adversarial conditions. GDPR doesn't mandate technical security testing at this level of specificity for AI systems.

Gap 5: Post-Market Monitoring (Article 72)

High-risk AI providers must implement post-market monitoring plans to continuously collect and analyze data about system performance in real-world deployment. When serious incidents occur, you must report to the relevant national authority. GDPR has data breach notification obligations, but not ongoing AI performance monitoring requirements. This requires building new operational processes.

Gap 6: Prohibited Practices (Already in Effect)

The EU AI Act's prohibited practices (Article 5) ban specific AI applications regardless of data protection compliance. Prohibited practices include: subliminal manipulation techniques causing harm, exploiting vulnerabilities of specific groups, social scoring by public authorities, real-time remote biometric identification in public spaces (with narrow exceptions), and predictive policing based on profiling alone. Being GDPR-compliant doesn't authorize any of these — they've been banned since February 2025.

Gap 7: GPAI Model Obligations (If Applicable)

If your company develops or fine-tunes general-purpose AI models (including making them available via API), GPAI-specific obligations apply from August 2025. These include: maintaining technical documentation, publishing summaries of training data, implementing copyright policies, and reporting serious incidents. Models with "systemic risk" (training compute above 10^25 FLOPs) face additional requirements. GDPR has no equivalent framework for foundation model providers.

Gap 8: Fundamental Rights Impact Assessment

Certain deployers of high-risk AI systems — primarily public bodies and private companies providing public services — must conduct fundamental rights impact assessments (Article 27) before deployment. This is distinct from a GDPR DPIA. The FRIA assesses impacts on fundamental rights broadly (not just privacy) and must be submitted to the relevant national market surveillance authority. Even if you've done a thorough GDPR DPIA, you may need a separate FRIA depending on your organization type and the AI systems you deploy.

Your Gap-Closing Action Checklist

If you're already GDPR-compliant, here's what to do before August 2026:

EU AI Act Gap-Closing Checklist for GDPR-Compliant Companies

Immediate (February 2025 — already required)

  • Audit all AI systems for prohibited practices and discontinue any that qualify
  • Document the prohibited-practices review with sign-off from legal

By August 2, 2025 (GPAI providers)

  • Publish technical documentation and training data summary for GPAI models
  • Implement copyright compliance policy for training data
  • Register with EU AI Office if model has systemic risk indicators

By August 2, 2026 (high-risk AI system providers)

  • Complete AI system inventory and risk classification under Annex III
  • Prepare Annex IV technical documentation for each high-risk system
  • Complete conformity assessment (self-assessment or notified body)
  • Implement human oversight mechanisms satisfying Article 14
  • Conduct accuracy, robustness, and cybersecurity testing (Article 15)
  • Affix CE marking to conformant high-risk systems
  • Register high-risk systems in the EU database
  • Appoint EU authorized representative if no EU establishment
  • Build post-market monitoring program

By August 2, 2026 (high-risk AI system deployers)

  • Verify providers have supplied required technical documentation and instructions
  • Implement human oversight per provider's instructions
  • Conduct fundamental rights impact assessment if required by Article 27
  • Register use of high-risk AI in EU database (Article 27, specific categories)
  • Train staff who operate or monitor high-risk AI systems

The Enforcement Reality

EU AI Act penalties mirror GDPR's structure: up to €35 million or 7% of global annual turnover for prohibited practices violations; up to €15 million or 3% of turnover for other violations; up to €7.5 million or 1.5% of turnover for providing incorrect information to authorities. The percentages are the same tier structure as GDPR Article 83 — but the absolute amounts are higher at the top.

Enforcement will follow the GDPR pattern: early focus on larger companies and egregious violations, with cross-border cases handled at the EU level. Companies that can demonstrate good-faith compliance efforts and documented risk management will fare better than those with no documentation at all.

Practical Next Steps

The most practical starting point for a GDPR-compliant organization is an AI system inventory: list every AI system you develop or deploy that affects EU users, classify each against Annex III risk categories, and assign ownership for the gap-closing work. Most organizations discover that a small number of systems require the full high-risk compliance program while the majority fall under minimal-risk obligations.

From there, extend your GDPR technical documentation templates to add AI-specific fields, task your security team with the Article 15 testing requirements, and begin conversations with your authorized representative if you don't have an EU entity. The August 2026 deadline sounds distant but the conformity assessment process alone takes months for complex systems.

This article is for informational purposes only and does not constitute legal advice. Consult qualified EU law counsel for compliance guidance specific to your organization.