According to the IAPP-EY Annual Privacy Governance Report 2024, fewer than one in three US privacy professionals feel their organisation is adequately prepared for EU AI Act obligations even though the majority already operate under GDPR. That gap is not a resourcing problem. It reflects a more fundamental misconception: that the EU AI Act is simply GDPR applied to artificial intelligence.
It is not. The two frameworks regulate different things, impose different compliance obligations, and are enforced by different authorities. For US organisations with any EU market exposure, understanding this distinction is not an academic exercise: the EU AI Act’s high-risk AI system requirements apply from August 2026, and the clock is running.
This article maps the structural differences between the two frameworks, identifies where they overlap operationally, and sets out a practical path for organisations that need to satisfy both.
What Each Framework Actually Regulates
The fastest way to understand the difference: GDPR regulates what organisations do with personal data. The EU AI Act regulates what AI systems do, regardless of whether personal data is involved.
GDPR at a Glance: Scope, Legal Basis, and Who It Applies To
GDPR (Regulation (EU) 2016/679) applies whenever an organisation processes personal data, meaning any information relating to an identified or identifiable natural person. It is technology-neutral by design. A paper personnel file, a database of customer email addresses, and an AI-driven credit scoring model are all subject to GDPR if they involve personal data about EU individuals.
The regulation’s core obligations cluster around six lawful bases for processing (Article 6), data subject rights (Articles 12-22), accountability and governance requirements (Articles 5, 24-26), and mandatory technical safeguards. For high-risk data processing, Article 35 requires a Data Protection Impact Assessment (DPIA) before processing begins.
GDPR applies extraterritorially under Article 3: any organisation, regardless of where it is established, that offers goods or services to EU data subjects, or monitors their behaviour, is within scope. Most US companies with EU customers, employees, or users already know this.
EU AI Act at a Glance: Scope, Risk Tiers, and Who It Applies To
The EU AI Act (Regulation (EU) 2024/1689) applies to AI systems, specifically those that are placed on the EU market, put into service in the EU, or whose outputs are used within the EU. Article 3(1) defines an AI system as:
“A machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, recommendations, decisions, or content that can influence real or virtual environments.”
Where GDPR is organised around the type of data being processed, the EU AI Act is organised around the risk posed by the AI system’s function. A spam filter and a biometric identification system are both AI systems under Article 3(1). The compliance obligations they trigger are entirely different.
The regulation introduces distinct legal roles: providers (who develop or place AI systems on the market), deployers (who use AI systems in a professional context), and affected persons (those whose interests the AI system’s outputs affect). These roles carry different obligations and have no direct GDPR equivalent, though the provider/deployer relationship loosely parallels GDPR’s controller/processor split.
| Dimension | GDPR | EU AI Act |
|---|---|---|
| Regulatory object | Personal data processing | AI system development and deployment |
| Organising principle | Lawful basis for data processing | Risk tier of the AI system |
| Technology dependency | Technology-neutral | Technology-specific (AI systems only) |
| Key legal roles | Data controller, data processor, data subject | AI provider, AI deployer, affected person |
| Enforcement authority | National supervisory authorities (e.g., ICO, CNIL) | EU AI Office (GPAI) + national market surveillance authorities |
| Fully in force | Since May 2018 | Phased: prohibited practices Aug 2024; high-risk Aug 2026 |
EU AI Act’s Risk-Based Architecture: What GDPR Doesn’t Have
GDPR contains a risk-based element (high-risk data processing triggers a DPIA), but it has no equivalent to the EU AI Act’s tiered risk classification system. This architecture is the AI Act’s defining structural contribution and the primary reason GDPR compliance does not substitute for AI Act compliance.
The Four Risk Tiers: What Falls Where
Unacceptable risk (prohibited practices – Article 5):
These AI applications are banned outright. No compliance programme, risk management system, or oversight mechanism can make them permissible. The list includes: real-time biometric surveillance in publicly accessible spaces by law enforcement (with narrow exceptions); AI systems that exploit vulnerabilities of specific groups; social scoring by public authorities; and subliminal manipulation that causes harm. There is no GDPR parallel: GDPR constrains how data is used; the AI Act prohibits entire categories of AI application.
High risk (Title III, Annex III):
This tier carries the full weight of EU AI Act compliance obligations. High-risk AI systems include those used in: biometric identification; critical infrastructure management; educational or vocational training decisions; employment screening and management; access to essential services (credit, benefits, insurance); law enforcement; migration and border control; and administration of justice. Providers and deployers operating in these categories must establish risk management systems, produce technical documentation, conduct conformity assessments, implement human oversight mechanisms, and register the system in the EU database before deployment.
Limited risk:
AI systems that interact with humans (chatbots, emotion recognition tools, deepfake-generating systems) must comply with transparency obligations. Users must be informed they are interacting with an AI system.
Minimal risk:
The majority of AI applications fall here: spam filters, inventory management systems, and recommendation engines not in a high-risk category. No specific AI Act obligations apply.
General-Purpose AI Models: The Rules for Foundation Model Providers
Title VIII of the EU AI Act introduces a separate regulatory layer for general-purpose AI (GPAI) models: large-scale foundation models that can be applied across a wide range of tasks. This is entirely outside GDPR’s scope.
All GPAI model providers must maintain technical documentation, comply with copyright obligations, and publish training data summaries. Providers of GPAI models with “systemic risk” (defined by training compute exceeding 10^25 floating-point operations, Article 51) face additional obligations: model evaluations, adversarial testing, cybersecurity incident reporting to the EU AI Office, and energy consumption reporting.
The GPAI rules matter for US organisations that develop or fine-tune large AI models whose outputs reach EU users, a category that captures a significant number of US AI companies. GDPR compliance does not address any of these obligations.
Where GDPR Already Touches AI: Article 22 and Beyond
Before mapping what the EU AI Act adds, it is worth being precise about what GDPR already requires for AI-driven processing. Many organisations overestimate GDPR’s AI coverage. Others underestimate it.
Article 22: What It Actually Prohibits (and What It Doesn’t)
Article 22 of GDPR gives individuals the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects on them. The word “solely” is doing significant work here.
If a human meaningfully reviews an AI system’s output before a consequential decision is made (an underwriter reviewing an AI-generated risk score, a hiring manager reading an AI-screened CV), Article 22 typically does not apply. The decision is AI-assisted, not solely automated. Many organisations incorrectly assume Article 22 governs any use of AI in decision-making; it governs only fully automated decisions with legal or significant effects.
Where Article 22 does apply, it creates three obligations: the individual must be able to obtain human intervention, express their point of view, and contest the decision (Article 22(3)). Recital 71 further requires “suitable safeguards” including the right to obtain an explanation of the decision’s logic.
This overlaps with the EU AI Act’s transparency requirements for high-risk AI systems, but the AI Act’s human oversight obligations (Article 14) apply regardless of whether the decision is “solely” automated. A human must be capable of understanding, monitoring, and overriding the system. This is a materially higher standard than GDPR’s Article 22 right to request human review.
DPIAs and AI: What GDPR Already Requires You to Assess
Article 35 of GDPR requires a DPIA before processing that is “likely to result in a high risk to the rights and freedoms of natural persons.” The EDPB guidelines on DPIAs identify several processing activities that trigger this requirement, including: systematic and extensive profiling with significant effects, large-scale processing of special categories of data, and systematic monitoring of publicly accessible areas.
Many AI-driven processes (an AI recruitment tool screening hundreds of thousands of CVs, an AI fraud detection system processing financial transaction data at scale) will trigger a DPIA under GDPR. Organisations already doing DPIAs for AI systems have an existing assessment methodology. But that methodology is not sufficient for the EU AI Act’s parallel assessment requirement.
Compliance Obligations: A Direct Comparison
The table below maps the core compliance obligations across both frameworks. The relationship column is the critical field: “overlapping” means a single compliant action can satisfy both; “additive” means both frameworks require separate actions; “unique” means only one framework requires it.
| Obligation | GDPR Requirement | EU AI Act Requirement | Relationship |
|---|---|---|---|
| Risk assessment | DPIA for high-risk processing (Art. 35) | Risk management system (Art. 9) + FRIA for certain deployers (Art. 27) | Additive |
| System documentation | Records of processing activities (Art. 30) | Technical documentation (Art. 11) + instructions for use | Additive |
| Transparency to individuals | Inform data subjects of automated decision logic (Arts. 13-15, Recital 71) | Transparency obligations for high-risk deployers and limited-risk systems (Arts. 13, 26) | Overlapping |
| Human oversight | Right to request human review of automated decisions (Art. 22(2)(b)) | Mandatory human oversight mechanisms for all high-risk AI systems (Art. 14) | Additive (AI Act sets higher standard) |
| Governance roles | DPO appointment in certain circumstances (Art. 37) | No mandatory AI Officer equivalent; Art. 26 obligations imply accountability | Unique to each (converging in practice) |
| Incident reporting | 72-hour personal data breach notification (Art. 33) | Serious incident reporting by high-risk AI providers (Art. 73) | Additive (different triggers and channels) |
| Third-party obligations | Data processing agreements with processors (Art. 28) | Provider/deployer responsibility allocation; supply chain obligations | Additive (different contractual frameworks) |
| Market access control | No equivalent | Conformity assessment + CE marking for high-risk AI (Arts. 43-44) | Unique to EU AI Act |
| Prohibited activities | Processing without lawful basis; unlawful special category processing | Prohibited AI practices (Art. 5): absolute bans | Unique to each framework |
DPIA vs FRIA: Can You Combine Them?
A DPIA (required under GDPR Article 35) assesses risks to the rights and freedoms of natural persons arising from personal data processing. A Fundamental Rights Impact Assessment, or FRIA (required under EU AI Act Article 27 for certain deployers of high-risk AI systems), assesses the impact of an AI system’s deployment on fundamental rights including rights that extend beyond data privacy: the right to non-discrimination, freedom of expression, access to justice, and the right to an effective remedy.
The scope of a FRIA is broader than a DPIA. A DPIA focuses on data processing risks. A FRIA focuses on fundamental rights risks that may arise regardless of whether personal data is being processed.
EU AI Act Article 27(4) explicitly acknowledges this overlap and permits deployers to integrate a FRIA into an existing GDPR DPIA to avoid duplication. The combined assessment pathway is available — but it comes with a condition: the combined document must satisfy all requirements of both frameworks. In practice, most existing DPIAs will need to be substantially expanded. Renaming a DPIA as a “DPIA/FRIA” without adding fundamental rights analysis does not satisfy Article 27.
What to add to a DPIA to make it FRIA-capable:
- A broader fundamental rights inventory (covering all rights in the EU Charter, not only data rights)
- Analysis of the affected population, particularly vulnerable groups
- Assessment of cumulative effects of the AI system across its full deployment context, not just individual data processing instances
- Mitigation measures specific to fundamental rights impacts
Roles and Accountability: DPO, AI Officer, and Who Owns What
GDPR Article 37 requires certain organisations (public authorities, organisations conducting large-scale systematic monitoring, and those processing special category data at scale) to appoint a Data Protection Officer. The DPO’s role is defined in Articles 38-39: advising on GDPR obligations, monitoring compliance, cooperating with supervisory authorities.
The EU AI Act does not mandate an equivalent role by name. However, Article 26’s deployer obligations, combined with the governance requirements for high-risk AI systems, create a functional accountability gap that most organisations are filling with a designated AI Officer or Chief AI Officer (CAIO). The EU AI Act’s Code of Practice for GPAI models is expected to address governance role requirements more explicitly.
For US organisations, the practical question is whether the DPO’s remit should be extended to cover EU AI Act obligations, or whether a separate AI governance role is needed. The answer depends on the organisation’s AI footprint: organisations with significant high-risk AI deployments will find the technical compliance requirements (conformity assessments, risk management systems, technical documentation) exceed what a typical DPO function is designed to handle.
Which Framework Applies to US Organisations and When
Both regulations extend beyond EU borders. But they do so in different ways, and the conditions that trigger each framework are not identical. US organisations should not assume that because they are not established in the EU, they are outside scope.
The “Output in the EU” Test: How the AI Act Reaches Further Than GDPR
GDPR’s extraterritorial reach (Article 3) is well understood: if you offer goods or services to EU individuals, or monitor their behaviour, you are in scope regardless of where your servers are or where your company is incorporated. Most US companies with EU customers or EU employees already operate under GDPR.
The EU AI Act’s extraterritorial reach (Article 2) is structured differently and in some respects goes further. The AI Act applies to providers and deployers established in a third country (including the US) where the output produced by the AI system is used in the EU. A US company providing an AI-powered analytics product whose outputs are consumed by EU-based clients could be an AI Act provider even with no EU office, no EU employees, and no active targeting of EU customers.
| Operational Scenario | GDPR Applies? | EU AI Act Applies? | Basis |
|---|---|---|---|
| US company with EU B2C customers, AI-driven product | Yes | Yes (as provider) | Art. 3 GDPR; Art. 2(1)(a) AI Act |
| US company processing EU employee data using AI HR tools | Yes | Likely yes (as deployer, if high-risk) | Art. 3 GDPR; Art. 2(1)(c) AI Act |
| US company providing AI API, outputs consumed in EU | No (if no personal data) | Yes (as provider) | Art. 2(1)(c) AI Act: output used in EU |
| US company, no EU customers, no EU data subjects | No | No | N/A |
| US company with EU B2B clients who use AI outputs | Depends on personal data | Yes (as provider) | Art. 2 AI Act: output used in EU |
| US company using AI tools from EU vendors | Depends on processing | Possibly yes (as deployer) | Art. 2(1)(b) AI Act |
Penalties, Enforcement, and the Supervisory Architecture
The penalty structures of the two frameworks are often compared as simple numbers. The more useful comparison is structural: who enforces each framework, how enforcement actions are initiated, and what behaviour has actually attracted sanctions.
Penalty Comparison at a Glance
| Violation Category | GDPR Maximum | EU AI Act Maximum |
|---|---|---|
| Most serious violations | €20M or 4% of global annual turnover | €35M or 7% of global annual turnover |
| Other violations | €10M or 2% of global annual turnover | €15M or 3% of global annual turnover |
| Minor violations / incorrect information | €10M or 2% | €7.5M or 1.5% |
The EU AI Act’s top-tier penalties, reserved for violations of the prohibited AI practices in Article 5, are structurally higher than GDPR’s maximum. This is a deliberate signal: the EU legislature considered certain AI applications at least as serious as the most egregious data protection violations.
For US organisations, GDPR enforcement against non-EU entities has been demonstrated at scale: the Irish Data Protection Commission’s €1.2 billion fine against Meta in 2023 established that the largest US tech companies are not beyond reach.
Enforcement Bodies: Who Has Authority Over What
GDPR’s enforcement model is decentralised: each EU member state has a national supervisory authority with full enforcement powers. The one-stop-shop mechanism (Article 56) allows organisations with a main EU establishment to deal primarily with one supervisory authority.
The EU AI Act introduces a partly centralised model: the EU AI Office (established within the European Commission) has direct enforcement authority over GPAI model providers at EU level, a centralised mechanism with no GDPR equivalent. National market surveillance authorities enforce high-risk AI system requirements for systems already on the market.
For US organisations providing GPAI models or foundation model services to EU users, the EU AI Office is the primary regulatory counterpart, a single EU-level authority rather than the fragmented national supervisory landscape they may be familiar with under GDPR.
Building One Compliance Programme That Covers Both
The frameworks are not alternatives. US organisations with any EU market exposure will frequently need to satisfy both simultaneously. The strategic question is not “which one do we comply with?” but “how do we design a governance architecture that handles both without duplicating effort at every turn?”
ISO/IEC 42001 as the Bridge Standard Between GDPR and EU AI Act
ISO/IEC 42001:2023 defines requirements for an Artificial Intelligence Management System (AIMS), a structured governance framework for AI development and deployment across an organisation. It is the only internationally recognised management system standard specifically for AI governance, designed with exactly this multi-framework challenge in mind.
| ISO 42001 Clause | GDPR Alignment | EU AI Act Alignment |
|---|---|---|
| Clause 4 (Context) | Art. 24 accountability; Art. 30 records | Art. 9 risk management system scope |
| Clause 6 (Planning risk) | Art. 35 DPIA trigger assessment | Art. 9 AI risk management; Art. 27 FRIA |
| Clause 8 (Operational control) | Art. 25 data protection by design | Art. 9(2) risk management; Art. 10 data governance |
| Clause 9 (Performance evaluation) | Art. 5(2) accountability principle | Art. 72 post-market monitoring; Art. 9(7) risk updates |
| Clause 10 (Improvement) | Art. 24 corrective action | Art. 73 incident reporting; conformity assessment updates |
A Seven-Step Implementation Sequence for US Organisations
- Build a complete AI system inventory. Document every AI system in use, whether developed internally, procured externally, or embedded in third-party products. GDPR’s Article 30 records and the EU AI Act’s technical documentation requirements both begin here.
- Classify each system by EU AI Act risk tier. Apply Annex III to determine whether any systems fall into the high-risk category. Identify whether your organisation is the provider, deployer, or both.
- Identify systems that process personal data. Cross-reference your AI inventory with your GDPR data processing records. Systems at the intersection of high-risk AI and personal data processing require compliance actions under both frameworks.
- For GDPR-triggered systems: review lawful basis for processing, audit Article 22 applicability for automated decision-making, and confirm DPIAs are current and complete.
- For high-risk AI Act systems: initiate conformity assessment procedures, prepare technical documentation per Article 11, establish risk management systems per Article 9, and implement human oversight mechanisms per Article 14.
- For systems triggering both frameworks: design a combined DPIA/FRIA per Article 27(4). Expand existing DPIAs to include the broader fundamental rights analysis required for FRIA compliance.
- Establish ongoing governance structures: post-market monitoring, incident reporting processes (separate under GDPR Article 33 and AI Act Article 73), audit evidence management, and, where applicable, EU AI Act database registration.
Govern365.ai's AI model registry, risk assessment workflows, and compliance dashboards are designed around exactly this sequence, mapping each system to its applicable ISO 42001 clauses, GDPR obligations, and EU AI Act risk tier within a single governance interface. Built and backed by the Global AI Certification Council, it’s the platform designed by the people who wrote the certification standard.
Frequently Asked Questions
Does the EU AI Act replace GDPR?
No. The EU AI Act and GDPR are complementary regulations with distinct regulatory objects. GDPR governs the processing of personal data and applies whenever any organisation handles information about EU individuals. The EU AI Act governs AI systems; it applies based on the risk level and function of the system, regardless of whether personal data is involved. Organisations subject to both frameworks must comply with both, though certain overlapping obligations (particularly transparency disclosures and impact assessments) can be satisfied through coordinated compliance processes.
Does the EU AI Act apply to US companies?
Yes, in many cases. Under Article 2, the EU AI Act applies to any provider placing an AI system on the EU market or putting it into service in the EU, and to providers and deployers in third countries where the output of the AI system is used in the EU. A US company that sells an AI-powered product used by EU organisations, or whose AI outputs are consumed by EU-based clients, may be a regulated provider under the AI Act regardless of where the company is incorporated or operates from.
What is a high-risk AI system under the EU AI Act?
High-risk AI systems are defined in Annex III of the EU AI Act. They include AI used in: biometric identification systems; critical infrastructure management; educational and vocational training decisions; employment screening and worker management; access to essential services such as credit, insurance, and public benefits; law enforcement; migration and border control; and administration of justice. High-risk AI systems face the most demanding compliance obligations, including conformity assessment, technical documentation, risk management systems, and mandatory human oversight.
Can a DPIA satisfy both GDPR and EU AI Act requirements?
Partially. EU AI Act Article 27(4) permits deployers to integrate a Fundamental Rights Impact Assessment (FRIA) into an existing GDPR DPIA, avoiding a fully separate assessment process. However, a standard DPIA is not sufficient on its own; it must be expanded to include a broader fundamental rights analysis covering rights beyond data privacy (non-discrimination, access to justice, freedom of expression). Organisations should review existing DPIAs for any high-risk AI systems and assess whether the fundamental rights scope needs to be widened to meet FRIA requirements.
When does the EU AI Act come into force?
The EU AI Act was published in the Official Journal of the EU in July 2024 and entered into force in August 2024. Its obligations are phased: prohibited AI practices (Article 5) applied from August 2024; GPAI model rules (Title VIII) from August 2025; high-risk AI system requirements (Title III) from August 2026; certain product safety integrations from August 2027. US organisations deploying high-risk AI systems that reach EU users have a compliance window until August 2026, but conformity assessments and technical documentation require significant lead time.
What are the penalties for the EU AI Act vs GDPR?
The EU AI Act’s maximum penalties are higher than GDPR’s. Violations of the prohibited AI practices in Article 5 carry fines of up to €35 million or 7% of global annual turnover. Other high-risk AI system violations carry fines up to €15 million or 3%. GDPR’s most serious violations carry fines of up to €20 million or 4% of global annual turnover. In both cases, turnover-based penalties mean large US technology companies face materially higher absolute fines than smaller organisations for equivalent violations.
Does GDPR compliance give a head start on EU AI Act compliance?
Yes, but a limited one. Organisations with mature GDPR programmes have established documentation practices, governance structures, and a culture of accountability that directly supports EU AI Act compliance. What GDPR compliance does not provide: risk management systems for AI systems, conformity assessment processes, technical documentation at the AI system level, or human oversight mechanisms. These are additive obligations that must be built specifically for EU AI Act compliance.
What is the EU AI Office and how does it differ from GDPR supervisory authorities?
The EU AI Office is a body established within the European Commission with direct enforcement authority over general-purpose AI model providers at EU level. Unlike GDPR’s national supervisory authorities (decentralised bodies operating in each EU member state), the EU AI Office operates centrally and coordinates enforcement across member states for the highest-risk AI applications. For US companies providing GPAI models, the EU AI Office is the primary regulatory counterpart, rather than the patchwork of national authorities that characterises GDPR enforcement.
Conclusion
GDPR and the EU AI Act address different problems with different tools. One governs how organisations handle personal data; the other governs how AI systems behave. For US organisations operating at the intersection of both (which describes most enterprises deploying AI with any EU market exposure), the challenge is not choosing between them. It is building a governance programme capable of evidencing compliance with both, efficiently and continuously.
The practical starting point is always the same: a complete inventory of AI systems, mapped to the data they process and the decisions they influence. Every compliance obligation under both frameworks flows from that foundation.