Data Sovereignty
2024

EU AI Act Effective: Data Governance Meets AI Governance

The EU AI Act's 2024 implementation brought binding obligations for AI systems used in enterprise operations — changing how organizations must govern, document, and deploy AI.


The EU Artificial Intelligence Act—the world's first comprehensive AI regulation—entered into force in August 2024, with a phased implementation timeline extending to 2027. The regulation classifies AI systems by risk level, imposes obligations proportionate to that classification, and creates enforcement mechanisms with fines reaching €35 million or 7% of global annual turnover for the most serious violations. For data governance professionals who had spent six years building GDPR compliance programs, the AI Act arrived as both a familiar challenge and a new dimension: AI governance requires data governance, but it adds algorithmic accountability, human oversight requirements, and prohibited use categories that GDPR did not address.

For CTOs, CDOs, and compliance officers, the AI Act requires a systematic inventory of AI systems in use, risk classification, and compliance gap assessment that most organizations have not completed. The phased implementation timeline creates urgency for high-risk AI categories while providing runway for lower-risk systems—but the assessment work is required regardless of where specific AI systems fall in the classification hierarchy.

The Path to the EU AI Act

The European Commission's AI Act proposal was published in April 2021, following a white paper consultation in 2020. The regulatory development reflected the EU's consistent approach to emerging technology: identify risks, create a comprehensive framework, and establish enforcement mechanisms with significant consequences for non-compliance. The AI Act's development took three years of legislative process, during which generative AI—not contemplated in the original proposal—transformed the AI landscape and required significant amendments.

The initial proposal focused primarily on specific high-risk AI applications: biometric identification systems, AI in critical infrastructure, AI for employment decisions, AI in law enforcement. The risk-based approach—matching regulatory requirements to the potential harm of specific AI applications—was designed to avoid blanket restrictions that would impede beneficial AI development while addressing the applications with the greatest potential for harm.

The emergence of ChatGPT and large language models in 2022-2023 required substantial amendments to the original proposal. General-purpose AI models—capable of a wide range of tasks without being designed for specific high-risk applications—weren't adequately addressed in the original text. The final regulation added a new tier of obligations for general-purpose AI models above certain capability thresholds, with enhanced requirements for the most capable models.

The AI Act's Risk Classification Framework

The AI Act organizes AI systems into four risk categories with proportionate obligations. Unacceptable risk AI systems—social scoring by governments, real-time remote biometric identification in public spaces, emotion recognition systems in certain contexts—are prohibited outright. High-risk AI systems—including AI in critical infrastructure, education, employment, essential services, and law enforcement—face comprehensive requirements: risk management systems, data governance, transparency, human oversight, accuracy standards, and conformity assessments before deployment.

Limited risk AI systems—including chatbots and systems generating synthetic content—face transparency requirements: users must be informed they are interacting with AI. Minimal risk systems—spam filters, AI in video games—face no specific regulatory requirements beyond general EU law. The vast majority of AI applications in commercial use fall into the limited or minimal risk categories, but high-risk applications are broadly defined and encompass AI systems used in consequential employment, credit, and essential service decisions.

General-purpose AI models add a horizontal tier to this classification: foundation models above defined compute thresholds face additional transparency, capability assessment, and reporting requirements. The most capable general-purpose AI models—designated as systemic risk models based on training compute—face enhanced obligations including adversarial testing and incident reporting.

Immediate Impact: Compliance Programs Launch

The AI Act's entry into force triggered compliance responses across the European enterprise landscape:

  • AI inventory projects launched: organizations began systematic documentation of AI systems in use, required for risk classification
  • GDPR and AI Act alignment work: data governance teams identified where GDPR compliance programs overlapped with AI Act data governance requirements and where gaps existed
  • High-risk AI assessment programs: organizations using AI in HR, credit, and other high-risk categories began conformity assessment preparation
  • Vendor due diligence requirements changed: procurement processes for AI tools began including AI Act compliance verification
  • DPO and AI compliance officer coordination: organizations with existing GDPR programs began integrating AI Act responsibilities into compliance governance

Lessons Learned: AI Governance Builds on Data Governance

The AI Act compliance experience confirmed that strong GDPR compliance programs provide a meaningful foundation for AI Act compliance. The data governance requirements for high-risk AI systems—data quality, documentation, bias assessment, data minimization—overlap significantly with GDPR's data governance requirements. Organizations that had invested in genuine GDPR compliance, including data mapping and quality management, were better positioned for AI Act compliance than those with performative GDPR programs.

The novel elements of AI Act compliance—human oversight requirements, accuracy and robustness standards, post-market monitoring—required capabilities that data governance programs hadn't previously addressed. AI Act compliance required expanding data governance programs rather than simply applying existing capabilities to a new regulation.

Evolution: AI Governance Maturity

The AI Act's phased implementation timeline—with the ban on prohibited practices applying from February 2025 and high-risk requirements applying from August 2026—provides a structured runway for compliance program development. Organizations that begin AI Act compliance work now are building the foundation that will be required when high-risk obligations apply.

The international dimension of AI governance is developing in parallel. Other jurisdictions—Canada, Brazil, Singapore, UAE—are developing AI regulatory frameworks that reflect varying approaches to risk classification and requirements. Organizations with global AI deployments must navigate a patchwork of AI governance requirements, which calls for a consistent internal governance framework rather than jurisdiction-by-jurisdiction compliance programs.

The Outpace Approach: EU AI Act Compliance

Outpace Professional Services designs AI governance frameworks that address both EU AI Act requirements and the broader data governance context in which AI operates. Our compliance engagements begin with AI inventory and risk classification—the foundation that determines which requirements apply—then build the governance programs proportionate to the risk profile of each client's AI systems.

For clients with Odoo ERP deployments incorporating AI features, we assess AI Act applicability to specific AI uses—demand forecasting, credit assessment, HR analytics—and design the documentation, oversight, and monitoring programs required for compliance. ERP AI features are often underestimated in AI Act scope assessments.

The Compliance Urgency

The prohibited uses provisions of the AI Act apply from February 2025—organizations operating prohibited AI systems are already in violation. High-risk system requirements become applicable from August 2026. The compliance runway is real but not indefinite. Organizations that begin AI Act compliance programs now are in a manageable position; those that defer until 2026 will face compressed timelines for compliance work that requires significant organizational investment.

💡 Ready for an EU AI Act compliance assessment? Outpace Professional Services delivers AI inventory, risk classification, and compliance gap assessments that identify your AI Act obligations and design remediation programs—building AI governance that satisfies regulators and builds stakeholder trust.