AI compliance teams frequently conflate the EU AI Act and the GDPR. Both are EU regulations with extraterritorial reach. Both apply to US companies. Both impose documentation, governance, and accountability requirements. But they are fundamentally different instruments, and treating them as interchangeable leads to gaps in compliance planning. The EU AI Act is a product safety regulation that governs AI systems based on risk tier. The GDPR is a data protection regulation that governs the processing of personal data. They overlap when AI systems process personal data, but their obligations are distinct: risk classification vs. lawfulness of processing; technical documentation vs. records of processing; market surveillance vs. data protection authorities.
What This Means
The EU AI Act and GDPR are complementary, not competing, frameworks. The AI Act asks: is this AI system safe, transparent, and accountable? The GDPR asks: is the processing of personal data lawful, fair, and transparent? An AI system can be fully compliant with the AI Act and still violate the GDPR, and vice versa. Double compliance is the standard, not the exception. For US companies, the practical implication is that AI governance and data protection governance must be coordinated but not collapsed into a single program. The AI Act compliance officer and the data protection officer need a shared vocabulary, but their respective obligations are distinct. The Digital Omnibus deal of 7 May 2026 addressed one important point of tension: it created a new legal basis for processing special categories of personal data (Article 9 GDPR) where strictly necessary to detect and correct biases in AI systems. This reduces the friction between the AI Act's bias-mitigation requirements and the GDPR's strict limits on sensitive data processing. However, the safeguard requirements are detailed and must be carefully implemented.
Key Requirements
Different legal nature.
The EU AI Act is a product safety regulation. It treats AI systems as products that must meet safety, transparency, and governance standards before being placed on the market. The GDPR is a data protection regulation. It treats personal data as a fundamental rights issue and regulates how organizations collect, use, store, and transfer it. The AI Act is closer to the Medical Devices Regulation or the Machinery Directive in spirit; the GDPR is closer to the ePrivacy Directive in its focus on individual rights.
Different scope triggers.
The AI Act is triggered by the AI system itself and its output. If an AI system produces results that are used in the EU, the Act applies, regardless of whether personal data is involved. The GDPR is triggered by the processing of personal data. If an AI system processes no personal data, the GDPR does not apply. Conversely, a non-AI system that processes personal data falls under the GDPR but not the AI Act.
Different risk frameworks.
The AI Act classifies AI systems by risk tier: prohibited, high-risk, limited-risk, and minimal-risk. The GDPR does not classify systems by risk in the same way, though it does require data protection impact assessments (DPIAs) for high-risk processing under Article 35. The AI Act's risk classification is product-centric; the GDPR's is data-centric.
Different documentation requirements.
The AI Act requires technical documentation (Article 11), a risk management system (Article 9), and record-keeping (Article 12). The GDPR requires records of processing (Article 30), privacy notices (Articles 12-14), and data protection impact assessments (Article 35). The content, format, and audience for these documents differ. Technical documentation is designed for market surveillance authorities; records of processing are designed for data protection authorities.
Different enforcement bodies.
The AI Act is enforced by market surveillance authorities in each Member State, coordinated at the EU level by the AI Office for general-purpose AI models. The GDPR is enforced by national data protection authorities, coordinated by the European Data Protection Board. A US company may face simultaneous or sequential investigations by different authorities for the same AI system.
Different penalty structures.
The AI Act penalties are defined in Article 99 and are structured by violation type: up to €35 million or 7% of turnover for prohibited practices; up to €15 million or 3% for high-risk non-compliance; and up to €7.5 million or 1% for information violations. GDPR penalties are defined in Article 83 and are structured by infringement type: up to €20 million or 4% of global turnover for fundamental principle violations; and up to €10 million or 2% for other violations. The GDPR's 4% ceiling is lower than the AI Act's 7% Tier 1 ceiling for prohibited practices, but higher than the 3% ceiling that applies to the more common Tier 2 high-risk non-compliance.
Different transparency requirements.
The AI Act requires transparency for limited-risk systems (Article 50) and detailed transparency for high-risk systems (Articles 13 and 50). The GDPR requires transparency about personal data processing (Articles 12-14). An AI chatbot must disclose that it is AI under the AI Act and must disclose what personal data it collects under the GDPR. These disclosures may be combined in practice but have different legal foundations.
Overlap in bias and fairness.
Both frameworks address algorithmic bias. The AI Act requires data governance (Article 10) and bias mitigation for high-risk systems. The GDPR requires fairness in automated decision-making (Article 22) and prohibits discrimination under Article 5(1)(b). The Digital Omnibus created a specific legal basis for bias detection under the GDPR, but the underlying obligations remain distinct.
Practical Steps
1. Treat the two frameworks as distinct.
Do not assume that GDPR compliance satisfies AI Act requirements, or that AI Act compliance satisfies GDPR requirements. Establish a cross-functional working group that includes legal, data protection, engineering, and product stakeholders. Map each obligation to the responsible function.
2. Map overlapping obligations.
Create a matrix that identifies where the AI Act and GDPR impose similar but distinct requirements. For example, both require transparency, but the AI Act's transparency is about system nature and capabilities, while the GDPR's transparency is about data use. Both require risk assessment, but the AI Act's is product-oriented and the GDPR's is data-oriented.
3. Align documentation.
Where possible, align technical documentation under Article 11 with records of processing under Article 30 GDPR. This does not mean merging the documents; it means ensuring that common elements (data sources, processing purposes, system logic) are consistent across both. Inconsistencies between AI Act and GDPR documentation are a red flag for regulators.
4. Plan for dual enforcement.
A US company operating an AI system that processes personal data may face enforcement from both market surveillance authorities (AI Act) and data protection authorities (GDPR). Ensure that response protocols, legal counsel, and documentation are prepared for both tracks. The authorities may share information, but their investigative processes are independent.
5. Use the new bias detection legal basis.
The Digital Omnibus created a specific legal basis for processing special categories of personal data under Article 9 GDPR for bias detection purposes. If your AI Act risk management system requires bias testing on sensitive attributes, document the legal basis carefully and implement the required safeguards. Do not rely on vague consent or legitimate interest arguments.
6. Train teams on both frameworks.
AI literacy under Article 4 of the AI Act and data protection training under GDPR accountability principles should be complementary. Engineers should understand when they are building an AI system (AI Act) and when they are processing personal data (GDPR). Product managers should understand both the risk classification and the data protection impact.
Related Resources
GDPR and AI compliance intersection: GDPR and AI
EU AI Act overview: EU AI Act Overview
Double compliance under GDPR Article 22 and the EU AI Act: GDPR Article 22 and EU AI Act Double Compliance
Frequently Asked Questions
Q: Does GDPR compliance mean we are also AI Act compliant?
No. The AI Act and GDPR are separate regulations with different scopes, obligations, and enforcement bodies. While there is overlap in areas like transparency and fairness, compliance with one does not automatically satisfy the other. A dedicated AI Act compliance assessment is necessary.
Q: Which authority enforces the AI Act and which enforces the GDPR?
The GDPR is enforced by national data protection authorities. The AI Act is enforced by national market surveillance authorities, with the AI Office coordinating enforcement for general-purpose AI models. A US company may face investigations from both types of authorities for the same system.
Q: Can we use the same risk assessment for both the AI Act and GDPR?
Partially. The AI Act requires a risk management system (Article 9) focused on health, safety, and fundamental rights risks of the AI system. The GDPR requires a data protection impact assessment (Article 35) focused on risks to individuals' rights and freedoms. The processes may share some inputs, but they address different questions and should be documented separately.
Q: What is the new bias detection legal basis under the Digital Omnibus?
The Digital Omnibus created a specific legal basis under EU data protection law allowing providers and deployers to process special categories of personal data (Article 9 GDPR) where strictly necessary to detect and correct biases in AI systems, subject to safeguards. This addresses the tension between the AI Act's bias-mitigation obligations and the GDPR's strict limits on sensitive data.
Q: Are the penalties higher under the AI Act or the GDPR?
It depends on the violation. The AI Act's Tier 1 penalties for prohibited practices are up to €35 million or 7% of turnover. The GDPR's maximum is €20 million or 4% of turnover. For the more common violations (high-risk non-compliance vs. GDPR fundamental principle violations), the AI Act Tier 2 is up to €15 million or 3%, while GDPR Article 83(5) is up to €20 million or 4%. Both are material.
Published 2026-06-27. Sources: Regulation (EU) 2024/1689 (EU AI Act); Regulation (EU) 2016/679 (GDPR); Digital Omnibus provisional agreement, 7 May 2026.