June 3, 2026

China GenAI regulations compliance
Uncategorized

China GenAI Regulations: The Complete Compliance Guide for SMEs in 2026

About This Framework

Framework Type: Multi-layered regulatory regime. Four core pillars. No single AI Act.
Pillar 1: Generative AI Measures: Interim Measures for the Administration of Generative AI Services. Effective August 15, 2023. World’s first binding generative AI regulation. Issued by CAC jointly with six ministries.
Pillar 2: AI Content Labelling: Administrative Measures for the Labelling of AI-Generated and Synthetic Content. Issued March 14, 2025. Effective September 1, 2025. Mandatory explicit and implicit labels on all public AI-generated content.
Pillar 3: Algorithm Registration: Administrative Provisions on Algorithm Recommendation. Effective March 1, 2022. Registration with CAC required for AI recommendation services.
Pillar 4: Cybersecurity Law AI Amendments: Effective January 1, 2026. First inclusion of AI compliance obligations in China’s core national Cybersecurity Law.
Latest Enforcement (April 2026): CAC penalised CapCut, Maoxiang, and Dreamina AI for AI content labelling violations. First high-profile penalties under September 2025 labelling rules.
2026 Enforcement Campaign: Qinglang 2026 campaign: CAC and Ministry of Public Security targeting AI fraud, deepfakes, celebrity impersonation, and privacy violations.
Draft Rules (April 2026): CAC published draft rules for digital virtual human services (April 3, 2026). Consent for likeness use, AI companion safety, and platform liability provisions.
Primary Regulator: Cyberspace Administration of China (CAC). MIIT, Ministry of Public Security, and NRTA have overlapping jurisdiction.

Introduction

In April 2026, the Cyberspace Administration of China (CAC) penalised CapCut, Maoxiang (Cat Box), and Dreamina AI for failing to properly label AI-generated content. All three apps violated China’s Cybersecurity Law, the Interim Measures for Generative AI Services, and the AI labelling provisions that took effect September 1, 2025. The CAC did not issue warnings. It imposed penalties directly.

Enforcement is real, it is active, and it extends to international platforms operating in China. China’s annual Qinglang (Clear and Bright) AI enforcement campaign is underway for 2026, targeting AI-enabled fraud, deepfakes, impersonation of celebrities and officials, and illegal AI applications violating privacy and intellectual property. CAC has also published draft rules for digital virtual human services (April 3, 2026). China’s AI regulatory framework is expanding in real time.

This guide covers China’s four core AI regulatory pillars, the latest enforcement actions, and the practical compliance steps every SME must take to protect its position in the Chinese market.

Why China’s AI Framework Demands Immediate Attention in 2026

The April 2026 enforcement actions against CapCut, Maoxiang, and Dreamina AI are the most significant signal yet that China’s AI labelling rules are fully operational. CapCut, owned by ByteDance, is one of the most widely used video editing platforms in the world. If the CAC is willing to penalise ByteDance’s own applications, the enforcement posture for all operators, including foreign brands, is unambiguous.

The Qinglang 2026 campaign adds a second dimension, running across multiple phases through mid-2026, targeting AI-enabled fraud using voice-cloning and face-swapping deepfakes, non-consensual AI resurrection of deceased individuals, unregistered AI products, and AI content manipulating public opinion.

Pillar 1: The 2023 Generative AI Measures

The Interim Measures for the Administration of Generative AI Services, effective August 15, 2023, remain the foundation of China’s AI regulatory framework.

Pillar 2: AI Content Labelling (Now Being Actively Enforced)

China’s Administrative Measures for the Labelling of AI-Generated and Synthetic Content took effect September 1, 2025. The April 2026 enforcement actions against CapCut and Dreamina AI confirm these rules are being actively enforced.

The labelling requirement operates on two levels. Explicit labels are visible to users and must appear on all AI-generated text, images, audio, video, and virtual scenes. Implicit labels are technical metadata identifiers embedded by AI systems or platforms. Both types are required. Visible labels alone do not satisfy the rules.

All major Chinese platforms (WeChat, Douyin, Weibo, Xiaohongshu, Bilibili, Tmall, JD.com) are covered. Any AI-assisted marketing campaign distributed on these platforms by any brand, including foreign brands, must carry both types of labels.

Running AI-generated campaigns on Chinese platforms? The CAC is actively penalising unlabelled AI content in 2026. Book a free China AI compliance review and make sure your labelling, filing status, and data governance are in order before your next campaign.

Pillar 3: Algorithm Registration

China’s Algorithm Recommendation Provisions (effective March 2022) require any provider of algorithm-based recommendation services to register with the CAC. This applies to AI systems personalising content, product listings, search results, or user experiences for Chinese users. For foreign e-commerce brands with Chinese stores on Tmall or JD.com using personalised AI recommendations, algorithm registration is a legal requirement. Regional CAC offices are actively penalising unregistered AI applications. Use your Chinese platform partner or local legal representative to complete this filing.

Pillar 4: The Amended Cybersecurity Law and Draft Virtual Human Rules

China’s amended Cybersecurity Law (effective January 1, 2026) brings AI into China’s core national law for the first time, creating explicit AI ethics review obligations and AI security governance requirements for network operators. New CAC draft rules for digital virtual human services (published April 3, 2026) cover consent requirements for AI-generated likenesses of real individuals, safety requirements for AI companion services, and platform liability. Final rules are expected in 2026 or early 2027. Businesses deploying AI-generated presenters, avatars, or companion characters in China-facing products should track these rules.

Practical Compliance Checklist for Foreign SMEs

Frequently Asked Questions

Did the CAC really penalise major platforms for AI labelling violations?
Yes. In April 2026, the CAC issued formal penalties against CapCut (owned by ByteDance), Maoxiang (Cat Box), and Dreamina AI for violating the AI-generated content labelling requirements. This confirms the CAC is willing to penalise even major domestic platforms.

What is the Qinglang enforcement campaign?
Qinglang (Clear and Bright) is an annual CAC-coordinated enforcement campaign. The 2026 edition targets AI-enabled fraud, deepfakes used for impersonation, non-consensual AI resurrection of deceased individuals, AI manipulation of public opinion, and unregistered AI services. It runs across multiple phases through mid-2026.

Do China’s AI regulations apply to foreign companies based outside China?
Yes. The Generative AI Measures and AI labelling rules apply based on where users are located, not where the company is incorporated. The April 2026 penalty

South Korea AI Basic Act compliance
AI for Business, AI Governance

South Korea AI Basic Act: What Foreign Companies Must Know in 2026

About This Law

Official Name: Act on the Development of Artificial Intelligence and the Establishment of a Foundation for Trust (AI Basic Act / AI Framework Act), Act No. 20676
Passed by National Assembly: December 26, 2024
Promulgated: January 21, 2025
Enforcement Decree Effective: January 22, 2026 (Presidential Decree No. 36053)
Jurisdiction: Republic of Korea. Extraterritorial: applies to any foreign business whose AI activities affect Korean market users.
Grace Period: At least one year from January 22, 2026. Fines deferred except for exceptional cases involving serious social harm (loss of life or human rights violations).
High-Performance AI Threshold: AI systems trained with cumulative compute of at least 10^26 FLOPs. Roughly 10 times EU AI Act GPAI threshold. Primarily targets global big-tech GPAI operators.
High-Impact AI Categories: Employment, healthcare, financial services, public safety, education. Mandatory lifecycle risk management, impact assessments, and compliance reporting.
Generative AI Obligation: Any business producing AI-generated content visible to Korean users must notify users in advance and label outputs that may be difficult to distinguish from non-AI content.
Governing Ministry: Ministry of Science and ICT (MSIT). National AI Committee (under President). AI Safety Research Institute.
Implementation Task Force: AI Basic Act Institutional Improvement Task Force launched March 2026. 40+ experts across industry, academia, civil society. Refining implementation during grace period.

Introduction

On January 21, 2025, South Korea became the second jurisdiction in the world, after the European Union, to enact comprehensive AI legislation. The Act on the Development of Artificial Intelligence and the Establishment of a Foundation for Trust (Act No. 20676), known as the AI Basic Act or AI Framework Act, was passed by the National Assembly on December 26, 2024, promulgated on January 21, 2025, and took full legal effect on January 22, 2026.

Since the Act took effect, MSIT has clarified several key compliance details. The high-performance AI threshold has been confirmed at systems trained with a cumulative compute of at least 10 to the power of 26 floating-point operations (FLOPs), roughly ten times the EU AI Act’s general-purpose AI model threshold. A multi-stakeholder AI Basic Act Institutional Improvement Task Force of more than 40 experts launched in March 2026 to refine implementation during the one-year grace period.

This guide breaks down who the Act applies to, the clarified compliance details, and the practical steps foreign SMEs must take before the grace period ends and enforcement fines begin.

Why South Korea’s AI Law Is a Landmark Moment for Asia-Pacific

Before the AI Basic Act, South Korea had more than 20 separate AI governance bills circulating through the National Assembly. The Act consolidated them into a single unified framework, balancing industrial promotion with safety, transparency, and human rights protection. It is the world’s first comprehensive AI law in the Asia-Pacific region and only the second globally after the EU AI Act.

New President Lee Jae-myung has publicly defined AI as a game-changer that will shift the global economic paradigm, presenting it as a core engine for South Korea’s technology-led growth. The government is pairing regulation with significant AI investment: startup support programmes, government-funded training data access, and AI Growth Zones with reduced regulatory requirements.

Does the South Korea AI Basic Act Apply to Your Company?

The Act applies to both domestic and foreign AI business operators. The foreign company domestic representative requirement is triggered when a company meets any one of three thresholds. For most SMEs, these thresholds mean the domestic representative requirement does not immediately apply. However, High-Impact AI requirements and the generative AI user notification obligation apply to any business operating in Korea regardless of size.

High-Impact AI: The Core Compliance Category

High-Impact AI is the Act’s central compliance concept: AI systems that may significantly affect human life, safety, or fundamental rights. For High-Impact AI, operators must implement lifecycle risk identification and mitigation, maintain incident monitoring systems, conduct fundamental rights impact assessments before deployment, and report compliance information to MSIT.

Operating an AI system in South Korea that may qualify as High-Impact AI, or using generative AI that produces content for Korean users? Book a free compliance assessment. Our team reviews your AI use cases against the Act’s definitions and tells you exactly what obligations apply.

The High-Performance AI Threshold: 10 to the Power of 26 FLOPs

MSIT confirmed in the Enforcement Decree that AI systems trained with a cumulative compute of at least 10 to the power of 26 floating-point operations (FLOPs) are designated as high-performance AI and subject to additional safety obligations. This threshold is roughly ten times higher than the EU AI Act’s GPAI model computation threshold. This was a deliberate policy choice targeting only the most powerful global AI systems, primarily from US and Chinese big tech companies, while exempting the vast majority of commercially deployed AI. Most SMEs are well below this threshold.

The Domestic Representative Requirement Explained

Foreign AI business operators that meet the revenue or user thresholds must designate a domestic representative in South Korea and report that designation to MSIT. The representative bears legal accountability for the company’s compliance and must have a domestic Korean address or place of business. The April 2025 amendment to Korea’s PIPA tightened these rules, requiring companies with established Korean business units to designate those units rather than unrelated third-party nominees.

Frequently Asked Questions

When did the South Korea AI Basic Act take effect?
The Act and its Enforcement Decree both took effect on January 22, 2026. A one-year grace period applies to administrative fines, with exceptions for exceptional cases involving serious social harm. Substantive compliance obligations apply from January 22, 2026.

What is the high-performance AI FLOPs threshold and does it affect my business?
MSIT confirmed the threshold at 10^26 FLOPs of cumulative compute. This primarily affects global frontier AI model developers such as OpenAI, Google, and Anthropic. Most SMEs and mid-size AI companies are well below this threshold.

Does the AI Basic Act apply to internal AI tools used by a Korean subsidiary?
Yes, if those tools make decisions affecting Korean employees. HR AI systems, performance evaluation

UK AI regulation
AI for Business, AI Governance

UK AI Regulation: A Complete Guide for Small Businesses in 2026

About This Framework

Primary Framework: UK AI White Paper: A Pro-Innovation Approach to AI Regulation (DSIT, March 2023). Five cross-sector principles: Safety/security/robustness, Transparency/explainability, Fairness, Accountability/governance, Contestability/redress.
DSIT Blueprint (October 2025): Replaces AI Bill as immediate legislative vehicle. Introduces AI Growth Lab: sectoral sandboxes where regulations can be relaxed under licence for approved AI innovators.
Data Use and Access Act 2025: Royal Assent June 19, 2025. Bulk of provisions commenced February 5, 2026. New recognised legitimate interests basis for automated decision-making now in force. Section 103 complaints procedure commences June 19, 2026.
Deepfake Criminal Law: Crime and Policing Act amendment in force from February 6, 2026. Criminalises creation of sexually explicit deepfake images of adults without consent.
Copyright and AI Report: Published March 18, 2026 (required by DUAA 2025). Government maintains status quo on AI/copyright for now.
AI Bill Status: As of June 2026, still expected but not introduced. Government deliberately delayed to resolve AI/copyright interaction.
Penalties Under Existing Law: UK GDPR: GBP 17.5M or 4% global turnover. FCA, Ofcom, CMA retain separate enforcement powers. Deepfake criminal law: criminal prosecution.
Key Regulators: ICO, FCA, Ofcom, CMA, MHRA, AI Security Institute/DSIT.

Introduction

No single AI law. No risk tiers. No mandatory impact assessments. The UK has deliberately chosen a principles-based, sector-led model rather than following the EU’s comprehensive AI Act approach. As of June 2026, there is still no UK AI Act. But that absolutely does not mean no rules apply to your AI systems.

In 2026, UK AI regulation is moving on multiple tracks simultaneously. The Data (Use and Access) Act 2025 commenced in February 2026. A deepfake criminal law took effect on February 6, 2026. The government published the Copyright and AI Report on March 18, 2026. The DSIT Blueprint for AI Regulation, published in October 2025, introduces the AI Growth Lab concept. And a government-backed AI Bill remains expected but has not yet been introduced.

This guide explains every active UK AI rule as of June 2026, which sector regulators apply them, and the practical compliance steps your business must take right now.

The Current UK AI Framework: What Is Actually In Force

The UK’s AI governance landscape as of June 2026 is built on layers rather than a single law. The foundational layer is the five White Paper principles from March 2023: safety/security/robustness, transparency/explainability, fairness, accountability/governance, and contestability/redress. These are not statutory. They are guidance that each sector regulator applies within its own binding framework.

The second layer is the Data (Use and Access) Act 2025, in force from February 5, 2026. The most important change for AI businesses: the new recognised legitimate interests lawful basis for automated decision-making means UK GDPR’s ADM rules are now more accessible. The near-blanket prohibition that previously made solely automated decisions difficult to lawfully deploy has been replaced by a legitimate interests framework with genuine human oversight and transparency safeguards.

New Laws Already In Force: What Changed in 2026

Three significant developments have changed the UK AI compliance landscape since January 2026.

The deepfake criminal law is the most immediate. From February 6, 2026, the Crime and Policing Act amendment makes it a criminal offence to create sexually explicit deepfake images of adults without their consent. Businesses deploying any AI capable of generating such content face direct criminal liability without adequate consent and safety controls.

The DUAA automated decision-making framework creates new operational requirements. The new recognised legitimate interests basis for ADM removes the previous consent barrier, but requires genuine human oversight, transparent contestation mechanisms, and a documented balancing test.

The Copyright and AI Report (March 18, 2026) confirmed the government’s status quo on AI training data: no text-and-data mining exception was introduced. AI systems trained on copyrighted UK content without licences remain legally exposed.

Which Regulator Oversees Your AI? The Sector Guide

Unsure which UK regulators apply to your specific AI systems, or whether the new DUAA ADM framework changes your current legal basis for automated decisions? Download our free UK AI compliance readiness guide, updated for June 2026.

The DSIT Blueprint and the AI Growth Lab

Published October 21, 2025, the DSIT Blueprint for AI Regulation replaced the long-awaited AI Bill as the government’s immediate legislative vehicle. The centrepiece is the AI Growth Lab: a set of sectoral sandboxes where specific regulations can be relaxed under licence for approved AI innovators. For SMEs, the AI Growth Lab represents a genuine opportunity. Approved participants can test AI systems in regulated environments (healthcare, financial services, energy) with temporary relief from specific sector regulations. The DSIT One Year On progress report (January 29, 2026) confirmed 38 of the 50 AI Opportunities Action Plan commitments are met.

Your UK AI Compliance Action Plan for 2026

Frequently Asked Questions

Does the UK have an AI Act?
No. As of June 2026, no comprehensive UK AI Act has been passed. The government’s approach is the DSIT Blueprint and sector-led enforcement of existing law. A government-backed AI Bill is expected to be introduced in 2026, but no timeline has been confirmed.

What does the DUAA 2025 change for businesses using automated decision-making?
The Data (Use and Access) Act 2025, in force from February 2026, replaced the near-blanket prohibition on solely automated decisions with a recognised legitimate interests framework. Businesses can now more readily use automated decision-making under UK GDPR, but must implement genuine human oversight and transparent contestation mechanisms.

Is creating deepfake images now a criminal offence in the UK?
Yes, for sexually explicit images of adults. From February 6, 2026, the Crime and Policing Act amendment makes it a criminal offence to create sexually explicit deepfake images without the subject’s consent. Businesses deploying AI image or video generation tools face criminal liability without adequate safeguards.

How does UK AI regulation compare to the EU AI Act?
The EU AI Act is binding law with fines of up to 7% of global turnover (with high-risk deadlines extended to December 2027 via the Omnibus). UK regulation is principles-based and sector-led with no mandatory AI-specific impact assessment requirement.

NIST AI Risk Management Framework
AI for Business, AI Governance

NIST AI Risk Management Framework: A Practical Guide for SMEs

About This Framework

Official Name: NIST AI Risk Management Framework (AI RMF 1.0), NIST AI 100-1
Published By: National Institute of Standards and Technology (NIST), US Department of Commerce
Published: January 26, 2023
Authorising Law: National Artificial Intelligence Initiative Act of 2020 (P.L. 116-283)
Binding?: Voluntary. Not law. However, provides affirmative legal defence in Colorado AI Act (June 30, 2026) and Texas TRAIGA (January 1, 2026). Required in US federal government AI procurement.
Global Adoption: Referenced in EU AI Act compliance, ISO/IEC 42001, Singapore AI Verify, Australia AI6 framework, UK DSIT guidance, and enterprise vendor questionnaires worldwide.
Core Structure: Four functions: GOVERN, MAP, MEASURE, MANAGE. Nine trustworthy AI characteristics.
Cost: Free. Full framework, Playbook, and Generative AI Profile available at airc.nist.gov.
Latest Version: AI RMF 1.0 (Jan 2023). Generative AI Profile (NIST AI 600-1) published July 2024.

Introduction

The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary AI governance framework published by the US National Institute of Standards and Technology on January 26, 2023. It was built under the National Artificial Intelligence Initiative Act of 2020, developed over 18 months through a consensus process involving more than 240 organisations from industry, academia, civil society, and government. It is free, flexible, and designed for organisations of any size and sector.

In 2026, the NIST AI RMF is referenced as an affirmative legal defence in Colorado’s AI Act and Texas TRAIGA, incorporated into ISO/IEC 42001, and used as the evaluation framework in Singapore’s AI Verify toolkit. Enterprise procurement teams across financial services, healthcare, and government are adding NIST AI RMF alignment to vendor questionnaires.

Most SMEs adopt AI tools faster than they build governance around them. If something goes wrong and you cannot show a documented, defensible process for identifying, measuring, and managing AI risk, you are exposed both legally and commercially. The NIST AI RMF fixes that gap with minimal overhead. This guide walks you through the four core functions in plain language, with practical steps you can implement this week, no dedicated compliance team required.

Why SMEs Cannot Afford to Ignore AI Governance in 2026

AI systems fail in ways that traditional software does not. A biased training dataset can produce discriminatory hiring outcomes at scale. A hallucinating AI assistant can give customers inaccurate information that creates legal liability. A poorly monitored model can drift over time, quietly degrading decisions in ways no human reviewer notices.

For SMEs, the consequences of these failures are disproportionately severe. A single AI-related discrimination claim, a regulatory investigation, or a high-profile customer harm can consume operational resources that a large enterprise would absorb as a rounding error.

Critically, 2026 is the year US state AI laws start imposing real compliance burdens. Colorado’s AI Act (effective June 30, 2026) and Texas TRAIGA (effective January 1, 2026) both reference NIST AI RMF alignment as an affirmative defence or safe harbor. Implementing the framework is now both good governance and a legal shield.

The 4 Core Functions: Govern, Map, Measure, Manage

The NIST AI RMF organises AI risk management into four interconnected functions that work across the AI lifecycle. GOVERN applies continuously across all stages. MAP, MEASURE, and MANAGE apply sequentially as each AI system moves through its lifecycle. The Generative AI Profile (NIST AI 600-1, July 2024) extends the framework to LLMs and foundation model deployments.

Trustworthy AI: The 9 Characteristics the Framework Targets

The NIST AI RMF defines trustworthy AI through nine characteristics. These are measurable properties, not aspirational values. For an SME starting from scratch, focus first on Valid and Reliable and Accountable and Transparent. These form the foundation for everything else and are the characteristics regulators, clients, and courts are most likely to ask about first.

Want a free assessment of where your AI systems stand against the NIST AI RMF criteria, and whether your documentation would satisfy Colorado’s AI Act or Texas TRAIGA affirmative defence requirements? Book a 30-minute consultation and we will walk you through the gaps.

Implementing the NIST AI RMF Without a Dedicated Team

Why the AI RMF Is Now a Commercial Requirement

Colorado’s AI Act (effective June 30, 2026) provides an affirmative defence to organisations complying with a nationally or internationally recognised AI risk management framework. The NIST AI RMF is the primary framework cited. Texas TRAIGA similarly recognises substantial compliance with the NIST AI RMF as a liability shield. ISO/IEC 42001, the international AI management system standard that is rapidly becoming the ISO 9001 of AI, builds on NIST AI RMF principles. Companies that implement the AI RMF now are typically ISO 42001 certification-ready with minimal incremental work.

Frequently Asked Questions

Is the NIST AI RMF mandatory in the United States?
No. The NIST AI RMF is voluntary. However, it is referenced as an affirmative defence in Colorado’s AI Act and Texas TRAIGA, required in US federal government AI procurement, and increasingly demanded by enterprise clients as a condition of vendor approval.

How does the Generative AI Profile (NIST AI 600-1) differ from the AI RMF 1.0?
The AI RMF 1.0 is the foundational framework for all AI systems. NIST AI 600-1, published July 2024, extends the framework specifically to generative AI and large language models, addressing hallucination, data provenance, and intellectual property risks.

How long does it take an SME to implement the NIST AI RMF?
A basic implementation covering all four core functions can be completed in 4 to 8 weeks for a small organisation with a handful of AI systems. Ongoing maintenance requires roughly 2 to 4 hours per month.

Where can I download the NIST AI RMF?
The full AI RMF 1.0, the Playbook, NIST AI 600-1, and all supporting resources are available free at airc.nist.gov.

Conclusion

The NIST AI Risk Management Framework is the most practical AI governance tool available to SMEs today. In 2026, it is also a legal shield under US state AI laws and a commercial requirement for enterprise vendor relationships. The combination of free availability, legal benefit, and commercial necessity makes implementation an easy

GDPR AI compliance
AI Governance, Business Guides

GDPR and AI: What Every Business Must Know Before a Fine Arrives

About This Law

Official Name: Regulation (EU) 2016/679, General Data Protection Regulation (GDPR)
Adopted: April 27, 2016
Entered into Force: May 25, 2018 (all 27 EU member states simultaneously)
UK Equivalent: UK GDPR retained under Data Protection Act 2018. Near-identical obligations, enforced by ICO. UK fines: GBP 17.5M or 4% global turnover.
Jurisdiction: All 27 EU member states directly. Extraterritorial: applies globally to any organisation processing personal data of individuals located in the EU.
Cumulative Fines (June 2026): EUR 7.1 billion across 2,800+ documented decisions. Q1 2026: EUR 68.18M in 3 months. France now second-largest enforcer after Ireland.
Key AI-Specific Rule: Article 22: Right not to be subject to solely automated decisions with legal or similarly significant effects. DPIAs mandatory for high-risk AI processing.
EDPB 2026 AI Ruling: AI models trained on personal data cannot in all cases be considered anonymous. The burden of proof is on the controller to demonstrate anonymisation.
Maximum Penalties: EUR 20M or 4% global annual turnover (serious violations); EUR 10M or 2% (technical violations). Whichever is higher.
Enforcement Body: 27 national DPAs. EDPB coordinates cross-border enforcement.

Introduction

GDPR cumulative fines crossed EUR 7.1 billion in early 2026, with more than 60% of that total imposed since January 2023 alone. The first quarter of 2026 alone produced EUR 68.18 million in fines, a pace of roughly EUR 757,600 per day. France’s CNIL imposed a EUR 42 million combined fine on Free Mobile and Free SAS in January 2026 for a data breach affecting 24 million subscriber records. The regulatory machine is not slowing down. It is accelerating.

The GDPR was not written with AI in mind, but it governs every AI system that processes personal data of EU residents. Your AI hiring tool, your AI credit scorer, your AI customer service bot: every single one is subject to GDPR with fines reaching EUR 20 million or 4% of global turnover.

And in a landmark statement, the European Data Protection Board (EDPB) has ruled that AI models trained on personal data cannot, in all cases, be considered anonymous. That single line resets the compliance burden for every organisation whose AI has ever touched EU personal data.

Keep reading to learn the six GDPR obligations every AI deployer must meet, and the steps to address the EDPB anonymisation ruling before it becomes the basis of an enforcement action against your business.

What Is GDPR and Why Does It Cover AI?

GDPR is a directly applicable EU regulation that became enforceable on May 25, 2018, replacing the 1995 Data Protection Directive. Its jurisdiction is anchored to where the data subject is located, not where the company is based: if your AI processes personal data of a person located in the EU, GDPR applies to you regardless of where your company is headquartered.

The GDPR creates a compliance thread through the entire AI lifecycle. Training data, validation data, model weights derived from personal data, and inference-time decisions about identifiable individuals are all in scope. The EDPB has made this explicit: if personal data contributed to training an AI model, that model is subject to GDPR obligations, even when you believe the personal data has been removed from the final model.

France’s CNIL, Germany’s BfDI, and Ireland’s DPC are the most active AI enforcement authorities in 2026. CNIL became the second-largest enforcer globally in 2025, behind only Ireland’s DPC.

The EDPB Anonymisation Ruling: A Game-Changer for AI Training

The most significant GDPR development of 2026 for AI businesses is the EDPB’s ruling on AI model anonymisation. The EDPB has stated that AI models trained on personal data cannot, in all cases, be considered anonymous.

Many organisations trained AI models on personal data, removed the raw data from production systems, and treated the trained model as outside GDPR scope. The EDPB’s position challenges this. The model itself, through inference attacks or memorisation, may retain information that allows re-identification. The burden is now on the data controller to demonstrate that anonymisation is effective.

The practical implication: if you cannot demonstrate with confidence that your AI model does not retain personally identifiable information, GDPR applies to the model itself, not just the training data. Build anonymisation assessments into your DPIA process and document them before deployment.

Article 22: The Rule That Changes Everything About Automated Decisions

Article 22 of GDPR gives individuals the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Three key obligations follow from Article 22. First, if you make a solely automated decision with significant effects on an individual, you must have a valid legal basis: explicit consent, contractual necessity, or specific legal authorisation. Second, individuals must be able to request human review. Third, individuals must be able to contest the decision.

Courts and regulators have confirmed that credit scoring, insurance pricing, employment screening, and loan decisions all trigger Article 22. A Berlin bank was fined EUR 300,000 in 2023 for rejecting a credit card application via an automated process without providing an explanation. The individual could not challenge or understand the decision: a textbook Article 22 violation that can happen to businesses of any size.

Data Protection Impact Assessments for AI: When They Are Mandatory

A DPIA is mandatory when your AI system poses a high risk to individuals’ rights and freedoms. Several categories of AI processing trigger this automatically. Under the EDPB’s anonymisation ruling, add a new category: any AI system trained on personal data where you cannot affirmatively demonstrate that the model retains no re-identifiable information.

Concerned your AI systems may already have GDPR exposure, including under the EDPB anonymisation ruling? Book a free GDPR AI compliance audit. Our specialists review your AI stack and identify gaps before they become enforcement actions.

The 6 GDPR Obligations Every AI Deployer Must Meet

GDPR and the EU AI Act: Double Compliance in 2026

For businesses subject to both GDPR and the EU AI Act, the two frameworks overlap significantly. Note that the EU AI Act Omnibus (May 7,


EU AI Act Compliance for SMEs: The Complete 2026 Guide

About This Law

Official Name: Regulation (EU) 2024/1689, EU AI Act, amended by Digital Omnibus on AI (political agreement May 7, 2026; formal adoption expected July 2026)
Entered into Force: August 1, 2024. Omnibus amendments expected in Official Journal before August 2, 2026.
Jurisdiction: All 27 EU member states directly. Extraterritorial: any organisation worldwide placing AI on the EU market or whose AI outputs are used within the EU.
Prohibited AI (Active Now): In force since February 2, 2025. Social scoring, subliminal manipulation, real-time biometric surveillance (narrow exceptions), exploitation of vulnerabilities. NEW: AI-generated non-consensual intimate imagery (nudifiers) and CSAM added by Omnibus.
GPAI Model Obligations: In force since August 2, 2025. General-purpose AI model providers must maintain technical documentation, comply with copyright law, and publish summaries of training data.
Article 50 Transparency (Active August 2, 2026): Chatbot disclosure, emotion recognition labelling, deepfake marking. UNCHANGED by Omnibus.
Watermarking (Article 50(2)): NEW deadline December 2, 2026.
High-Risk AI Annex III Standalone (Updated): Employment, credit, education, biometrics, law enforcement, critical infrastructure: NEW deadline December 2, 2027 (was August 2, 2026). Grandfathering: systems placed on the market before this date are not subject to HRAIS requirements unless substantially modified.
High-Risk AI Annex I Products (Updated): Medical devices, machinery, toys, vehicles: NEW deadline August 2, 2028 (was August 2, 2027).
Maximum Penalties: EUR 35M or 7% of global turnover (prohibited practices); EUR 15M or 3% (high-risk non-compliance); EUR 7.5M or 1.5% (transparency/watermarking). Lower caps for SMEs.
SME Extensions: Omnibus extends SME compliance simplifications to Small Mid-Cap companies (SMCs) with up to 750 employees and EUR 150M annual revenue.
Introduction

Everything you read about August 2, 2026 being the EU AI Act deadline for high-risk AI just became outdated. On May 7, 2026, the European Parliament and the Council reached a political agreement on the Digital Omnibus on AI, the most significant amendment to the EU AI Act since it entered into force. The headline change: the compliance deadline for most high-risk AI systems has been extended from August 2, 2026 to December 2, 2027. For standalone Annex III systems, that is 16 additional months. For high-risk AI embedded in regulated products, the new deadline is August 2, 2028.

The Omnibus was prompted by a stark reality: the technical standards and guidance documents that businesses need to implement high-risk AI requirements are not ready. Implementation was visibly off track. The co-legislators extended the deadline rather than rush compliance against standards that do not yet exist. Formal adoption is expected by July 2026, before the original August deadline.

Here is what this means for your SME: the extra time is a gift, not a licence to pause. Article 50 transparency obligations (chatbot disclosure, deepfake labelling, emotion recognition marking) still apply from August 2, 2026, unchanged. Prohibited AI practices have been banned since February 2, 2025. And a new watermarking obligation kicks in December 2, 2026. The Act is already in force. The clock is running. Read on for the updated compliance roadmap, including what the Omnibus changes, what it does not change, and the exact steps your SME must take before each remaining deadline.

What the EU AI Act Omnibus Actually Changes

The Digital Omnibus on AI, agreed May 7, 2026, amends the EU AI Act in five significant ways. Understanding each change precisely is essential because some deadlines moved and others did not.

What the Omnibus does NOT change: Article 50 transparency obligations (chatbot disclosure, emotion recognition labelling, deepfake disclosure) still apply from August 2, 2026. GPAI model obligations remain unchanged from August 2025. Prohibited practice enforcement from February 2025 is unchanged.

What Is the EU AI Act?

The EU AI Act is the world’s first comprehensive, risk-based legal framework for artificial intelligence. Its full official title is Regulation (EU) 2024/1689 Laying Down Harmonised Rules on Artificial Intelligence. It was proposed by the European Commission in April 2021, negotiated over three years, and entered into force on August 1, 2024, following the longest AI legislative process in EU history.

Unlike a directive, a regulation is directly applicable law across all 27 EU member states simultaneously. No national AI Act is needed in France, Germany, or Spain: the EU AI Act is already their law. The Act also applies extraterritorially: a US company selling AI hiring tools to French firms, or a Singapore SaaS provider serving German clients, must comply. This is the Brussels Effect in action.

The Act is risk-based, not sector-based. Your compliance obligations depend entirely on what your AI system does and how significant its impacts on people are, not on your company’s industry or size.

The 4 Risk Tiers: Where Does Your AI System Land?

The Act divides AI systems into four categories. Getting this classification right is not optional: it determines everything that follows. Most SMEs operate in the Limited Risk or Minimal Risk tiers. However, if your business uses AI for recruitment, loan decisions, or health-related assessments, you are almost certainly in the High-Risk category regardless of your company size.

What Still Applies From August 2, 2026

The Omnibus deadline extension is not a reason to stop compliance work. Three obligations apply from August 2, 2026 regardless of the Omnibus.

First, Article 50 transparency obligations cover all AI systems that interact with the public. Any product or service that uses a chatbot must clearly disclose that it is AI-powered. AI systems that generate synthetic audio, images, or video must be labelled as AI-generated. Systems using emotion recognition on natural persons must inform them.

Second, GPAI model obligations from August 2025 remain fully in force. If your business provides a general-purpose AI model, you must maintain technical documentation, register with the EU AI Office, comply with copyright law, and publish training data summaries.

Third, prohibited practices remain banned since February 2025. No new grace period applies to these. The Omnibus adds a new prohibition (nudifiers) to this list.

Not sure which 2026 obligations apply to your AI systems right now, and which of your high-risk systems benefit from the December 2027 extension? Book your free 30-minute EU AI Act
