EU AI Act + GDPR: What C-Suite Must Prepare Before August 2026
AI literacy obligation in force since Feb 2025. Market surveillance starts Aug 2026. Fines up to 7 % of turnover. What C-suite needs to do now.

Two Dates Hardly Any European Board Has on the Calendar
Over the past few months we've sat down with more than three dozen leadership teams across Europe to talk about AI compliance. One question comes up in every conversation: which regulatory obligations are actually heading our way? In roughly half of those meetings, it turns out the two key dates are not known. Here they are.
February 2, 2025 marks the day the AI literacy obligation from Article 4 of the EU AI Act came into full force. Anyone deploying AI systems in their organization must ensure the people working with them have sufficient AI competence. This obligation has been in force for over a year, and very few have implemented it.
August 3, 2026 is the day national market surveillance authorities begin enforcing the Act. Fines up to €35 million or 7 % of global annual turnover, whichever is higher.
Of the window between these two dates, about one quarter remains. That's not much.
What "AI Literacy" Actually Means in Practice
The temptation is to hand the topic to HR and put everyone through a one-hour e-learning. That isn't what the European Commission meant by Article 4.
"Sufficient AI competence" has to be calibrated to several factors: the technical background of the employees, the specific AI system they use, the risk class of the use case, and the customer group or affected parties the AI system touches.
An example from practice. A caseworker using ChatGPT to draft emails needs different training than an HR officer running AI-assisted candidate pre-selection. The latter operates a high-risk application under the EU AI Act and falls under stricter requirements, even if they've never opened ChatGPT before.
Important: you have to document the measures. Who was trained when on what. In an inspection, the burden of proof sits with the company, not with the authority. A well-run AI Champions program covers many of these literacy requirements as a side effect and produces the documentation along the way.
Three Everyday Use Cases That Quickly Become High-Risk
Most companies we advise underestimate how quickly a seemingly harmless use case slides into the high-risk category of the EU AI Act. Three typical examples.
Recruiting. Any AI tool that pre-sorts applications or scores resumes is high-risk. Even when a human makes the final call. Even when the tool only delivers a ranking score.
Credit scoring. Any AI component that influences creditworthiness falls under high-risk. For end consumers and for business customers with consumer-credit characteristics.
Employee evaluation. Tools influencing performance, behavior, or access to work belong in the strictest category. This includes many "neutral" productivity dashboards once they're used in performance reviews.
If one of these use cases runs in your organization, you need more than training. You need a risk management system, technical documentation, human-oversight procedures, and in many cases a conformity assessment.
How the EU AI Act and GDPR Work Together
GDPR hasn't been superseded. It still applies, and it kicks in whenever personal data is involved.
What has changed: there's now a second compliance layer organized by AI system risk class, not by data category. In practice that means:
You still need your GDPR records, your data processing agreements, your TOMs (technical and organizational measures). You additionally need an inventory of all AI systems including risk classification. When a breach falls under both regimes, the higher penalty applies. No double jeopardy.
The good news: organizations with a well-maintained GDPR inventory have already done 60 % of the work for the EU AI Act. It's an extension, not a fresh start.
The Invisible Gap: Shadow AI
Most boards think of "AI compliance" first in terms of official systems. The most expensive incidents, however, regularly come from employees using private chatbots on their own initiative. The Shadow AI risk, with an average $670,000 additional cost per incident, is measurable and well documented. An honest inventory before August 2026 has to include these unofficial tools, otherwise it only documents what the IT department can see.
A Pragmatic Checklist Before August 2026
What should be in place by the deadline, as plainly as possible.
First, an inventory of all AI systems in use. Including the unofficial ones. Including AI features built into existing software (Outlook, CRM, ERP, sales plug-ins).
Second, risk classification per system. Which fall under "prohibited," which under "high-risk," which under "limited risk"?
Third, an Acceptable Use Policy for unsanctioned tools. Clear, short, enforceable.
Fourth, an AI literacy program with role-based training. Not one course for everyone.
Fifth, documentation of measures. Who was trained when, which tools are deployed, what risk class applies to each use case.
Sixth, a clear escalation path for incidents. Who decides when an AI system makes a mistake or an employee used an unsanctioned tool?
Get Started
The compliance obligation is real, the timeline is tight, the solution is doable. We help organizations through inventory, risk classification, and setting up literacy structures. A typical project runs six to ten weeks. If that's coming up for you, let us know.
Frequently Asked Questions
Does the EU AI Act apply to my SME?
Yes. The EU AI Act applies in principle to every company that develops, distributes, or deploys AI systems in the EU market, regardless of size. SMEs get relief on fine calculation (the lower of the two amounts applies), but the core obligations, especially the AI literacy duty, apply in full. Even companies that 'only use' AI (ChatGPT Enterprise, Microsoft Copilot) qualify as deployers and bear the obligations.
What's the difference between GDPR and the EU AI Act?
GDPR governs the protection of personal data, regardless of whether AI is involved. The EU AI Act governs AI systems, regardless of whether personal data is involved. In practice they overlap often, for example when an AI tool processes customer data. If a breach falls under both, the higher penalty applies. No double jeopardy, but distinct violations can still accumulate.
Is offering ChatGPT training enough?
No, and this is one of the most common misunderstandings. Article 4 of the EU AI Act requires 'sufficient AI literacy' for all individuals using AI systems on the company's behalf, including external contractors. What 'sufficient' means depends on context: technical background, area of use, risk class. A 45-minute online course rarely suffices. Documentation is mandatory, and the burden of proof sits with the company.