Navigating the EU AI Data Act: Compliance, Impact, and Opportunities

Introduction

In 2024, the European Union finalized two landmark regulations set to reshape the AI and data landscape: the EU Artificial Intelligence Act and the EU Data Act. The EU AI Act is the world’s first comprehensive law governing artificial intelligence, introducing a rigorous risk-based framework to ensure AI is developed and used safely and ethically. The EU Data Act, which came into force in January 2024, is a cornerstone of Europe’s broader data strategy. It establishes new rules to make data more accessible and fair, supporting innovation in the EU’s digital economy. Together, these laws reflect Europe’s determination to foster trustworthy AI innovation while protecting fundamental rights and promoting a competitive, data-driven economy.

This article provides a detailed overview of the EU AI Act and the EU Data Act – collectively referred to here as the “EU AI Data Act” framework – incorporating the most up-to-date understanding and technical nuances of each. We will break down their key goals, scope, and requirements, explain how they differ yet complement each other, and discuss their impact on data handling and AI governance. In addition, we consider practical steps for compliance and new business opportunities arising from these regulations. Throughout, we’ll note how modern AI infrastructure tools (such as TrueFoundry’s governance and observability platform) can assist with compliance, auditability, and the deployment of trustworthy AI. The aim is a clear, technically credible guide for professionals seeking to navigate this evolving regulatory landscape.

What Is the EU AI Data Act?

“EU AI Data Act” is not a formal legal title, but a term that encapsulates two complementary EU regulations addressing AI and data. The EU Artificial Intelligence Act (AI Act) is a new law governing the development and use of AI in the EU. It takes a horizontal, risk-based approach: different rules apply to an AI system depending on its risk level and use case. The AI Act prohibits certain harmful AI practices outright and imposes strict governance, risk management, and transparency requirements on other (particularly high-risk) AI systems. By creating common rules for AI, the Act aims to ensure AI systems are safe, transparent, and respect fundamental rights, without stifling innovation.

The EU Data Act, by contrast, is a broad regulation focused on data access and sharing across connected devices and services. It establishes a comprehensive framework for how data can be accessed, used, and shared in the EU’s economy. In force since early 2024 (with major provisions applying from September 12, 2025), the Data Act grants businesses and consumers new rights to access data they generate (for example, data from smart devices or sensors) and seeks to prevent companies from hoarding such data. The law applies to a wide range of actors – device manufacturers, providers of digital services and cloud platforms, third-party data recipients, and even public sector bodies under certain conditions. By removing barriers to data portability and interoperability, the Data Act is intended to foster a more competitive and innovative data ecosystem.

In essence, the EU AI Act regulates AI systems (the algorithms and models and their use), while the EU Data Act regulates data (the input and output information that fuels modern digital services, including AI). They work in tandem: the Data Act’s push for open and fair data sharing complements the AI Act’s push for responsible and trustworthy AI. Together, these initiatives aim to create the conditions for “trustworthy AI” – robust AI systems built on high-quality, accessible data governed by clear rules.

Key Goals of the EU AI Data Act

Both the AI Act and the Data Act reflect strategic goals for the EU’s digital future. Key objectives include:

• Ensuring Trustworthy and Safe AI: The foremost goal of the AI Act is to make sure AI systems used in the EU are safe, transparent, and uphold fundamental rights like privacy and non-discrimination. By banning particularly harmful AI practices and tightly regulating high-risk uses, the law seeks to prevent AI from undermining human rights or safety. This focus on “trustworthy AI” is meant to boost public trust and acceptance of AI technology.
  
  
• Accountability and Transparency: Both laws stress greater accountability for organizations. The AI Act mandates documentation, traceability, and transparency obligations (e.g. informing users when they are interacting with an AI system). The Data Act similarly requires transparent terms for data sharing and gives users insight into how their data is used. Together, these measures push businesses to be clearer about AI decision-making and data handling, enabling audits and oversight.
  
  
• Promoting Innovation and Competition: A key aim is to balance regulation with innovation. The AI Act, by providing clear rules, aims to create legal certainty that can encourage investment in AI – especially by defining what is acceptable versus off-limits. The Data Act is explicitly intended to unlock more value from data and spur innovation, in part by breaking down data monopolies. It prevents manufacturers or service providers from retaining exclusive control over user-generated data, encouraging competition and new services built on that data. SMEs and startups, for example, could gain access to data that was previously siloed, allowing them to develop new AI-driven products and services.
  
  
• Data Fairness and User Rights: The Data Act’s goals include empowering users (individuals and businesses) with control over the data they create. It establishes that users have a right to access data from their IoT devices and instruct that it be shared with third parties of their choice. This prevents vendor lock-in and unfair contractual terms. Fairness is reinforced by provisions voiding unfair contract terms in data-sharing agreements imposed by dominant firms. Overall, the Act aims to create a fair data economy where value is shared and not concentrated unfairly.

• Harmonization and EU Digital Leadership: Both Acts seek to harmonize rules across EU member states, avoiding a regulatory patchwork. By setting a single high standard, the EU also positions itself as a global leader in digital regulation. Much as the GDPR influenced global privacy practices, the EU hopes these Acts will become a reference point internationally. The long-term objective is to assert an EU vision of digital development that marries innovation with ethics and rights – effectively shaping global norms for AI governance and data sharing.

Scope and Coverage of the Regulation

EU AI Act – Scope: The AI Act has a broad scope, applying to virtually all sectors and types of organizations that develop or use AI systems in the EU. It covers providers (developers or suppliers) of AI systems, users (deployers) of AI, as well as importers and distributors bringing AI systems into the EU market. Importantly, the Act has extraterritorial reach: even AI providers based outside Europe are subject to the rules if their AI system is used or has an effect in the EU. For example, if a company outside the EU offers an AI service that processes data and returns outputs to an EU customer, that company must comply with the AI Act. This broad applicability means global AI vendors cannot ignore EU requirements. There are limited exceptions – AI systems purely for personal, private use or those used exclusively for R&D are generally exempt from the Act’s requirements. Notably, AI systems developed for military and national security purposes are also exempt by design. Aside from these carve-outs, the Act covers AI software ranging from simple machine-learning models to complex general-purpose AI models.

Within its scope, the AI Act defines an “AI system” very broadly (any software that uses machine learning, logic- or knowledge-based approaches to generate outputs like content, predictions or decisions). It also introduces the concept of General-Purpose AI (GPAI) – large models like foundation models that can be adapted to many tasks (e.g. GPT-type language models) – and clarifies that providers of GPAI models have specific obligations under the Act.

EU Data Act – Scope: The Data Act applies to a wide range of situations where data is generated and shared in the economy. A primary focus is on data from connected products (IoT devices) and related services. The Act covers manufacturers of smart devices and owners of industrial machinery, providers of digital services that interact with these devices (for instance, a cloud platform or companion app for a device), and any company that collects or holds data generated by IoT products. This could include sectors from automotive (connected cars) and smart appliances, to industrial sensors and smart city infrastructure. If an entity controls data coming from such products, the Act likely applies. Additionally, cloud and edge service providers fall under the Data Act’s purview, particularly with regards to facilitating easy switching between providers. The law also sets expectations for third-party data recipients (companies that a user wants to share their device data with) – these recipients must abide by usage restrictions and protect any trade secrets in the data they receive (more on that later). Public sector bodies are within scope in specific circumstances: they can request data from companies during public emergencies or for certain public interest uses, under tightly defined conditions.

Like the AI Act, the Data Act has an international reach. Non-EU companies that offer products or services covered by the Act to EU customers must appoint an EU legal representative for compliance purposes. In practice, this means a non-EU manufacturer of a smart device selling in Europe needs to follow the Data Act’s rules on data access and sharing. It also means cloud providers outside the EU have to accommodate EU customers’ switching and portability rights. The Act covers both personal and non-personal data emanating from devices. However, it does not override GDPR: whenever personal data is involved, GDPR’s protections still apply and companies must have a lawful basis to share (the Data Act explicitly requires compliance with existing data protection laws for any personal data sharing).

In summary, the AI Act is concerned with anyone making or using AI systems in the EU market, and the Data Act concerns anyone handling user-generated data from connected devices or providing data processing services. The two laws overlap in the sense that an organization deploying an AI-driven product may have to comply with both – for instance, a company selling a smart home appliance with AI features must respect Data Act rules on sharing device data, and if the appliance’s AI is deemed high-risk, meet AI Act requirements for that system.

Risk-Based Classification Under the EU AI Act

At the heart of the EU AI Act is a risk-based regulatory framework that categorizes AI systems into four distinct tiers—each with a corresponding level of legal obligation. This tiered approach ensures that the most potentially harmful AI applications receive the highest degree of scrutiny, while low-risk innovations are left unencumbered.

1. Unacceptable Risk (Prohibited AI Practices)

AI systems deemed to pose an “unacceptable risk” to fundamental rights, safety, or democracy are categorically banned. Examples include:

• Social scoring of individuals by governments based on behavior or personal characteristics.
• Real-time remote biometric identification in public spaces for law enforcement (with narrowly defined exceptions).
• Systems that exploit vulnerable populations (e.g., children or people with disabilities) through manipulative or deceptive techniques.

These AI systems are considered inherently harmful and cannot be placed on the EU market under any circumstance.

2. High-Risk AI Systems

High-risk systems are those that, while potentially beneficial, can significantly impact safety, human rights, or critical decisions in people’s lives. This includes AI used in:

• Healthcare (e.g., diagnostic algorithms).
• Education (e.g., exam scoring).
• Employment (e.g., résumé screening).
• Finance and services (e.g., credit scoring, benefits eligibility).
• Law enforcement and border control (e.g., predictive policing, crime risk tools).
• Transport (e.g., autonomous vehicles).

High-risk AI systems are not banned but are subject to stringent compliance requirements:

• A conformity assessment must be conducted (via self-assessment or a third-party body).
• Providers must implement risk management and testing protocols, ensure high-quality, bias-mitigated training data, and enable human oversight.
• Detailed technical documentation, audit trails, and logging mechanisms are mandatory.
• All high-risk systems must be registered in a central EU database prior to deployment.

This category is the regulatory core of the AI Act and serves as the primary compliance trigger for most enterprise AI applications.

3. Limited Risk (Transparency Obligations)

AI systems that interact directly with users or generate synthetic content fall under the limited-risk category. These systems are not inherently harmful but carry the potential to mislead or deceive without proper transparency:

• Chatbots and virtual assistants must clearly disclose that users are interacting with an AI.
• Generative AI that produces synthetic audio, images, or video (e.g., deepfakes) must include visible disclosures (like watermarks or notices).
• AI performing emotion recognition or biometric categorization must inform users about such functions.

Limited-risk systems are not subject to conformity assessments but must meet basic disclosure and transparency requirements. For example, labeling a chatbot as “AI-powered” or watermarking a synthetic image is sufficient to meet compliance under this tier.

4. Minimal or Low-Risk AI Systems

The majority of AI systems fall into this category. These include:

• Spam filters.
• AI NPCs in video games.
• Route suggestions in navigation apps.
• Grammar or spell-check tools.

Minimal-risk systems are not subject to specific obligations under the AI Act. While providers may adopt voluntary codes of conduct or best practices, the Act imposes no mandatory compliance requirements on these applications unless they intersect with other EU laws (e.g., GDPR, consumer protection).

Dynamic Risk Governance

Importantly, the EU AI Act’s classification system is intended to evolve. Regulators have the authority to revise or expand the risk categories based on emerging technologies, use cases, or real-world incidents:

• If a new application of AI is shown to endanger rights or safety, it may be added to the prohibited list.
• Conversely, proven safeguards and best practices may lower a system’s risk tier over time.

Thus, companies developing or deploying AI systems in the EU must continuously reassess their systems' classification and compliance posture.

‍Compliance Requirements 

Compliance under the EU AI Act is determined by the system's risk category, with the heaviest burden placed on High Risk and General Purpose AI (GPAI) providers.

High Risk Systems

Before entering the EU market, providers must undergo a Conformity Assessment. This involves establishing a continuous risk management system and ensuring robust data governance to mitigate bias in training datasets. Providers are legally required to maintain detailed technical documentation and automatic logging for traceability. Crucially, systems must be designed with human oversight interfaces, allowing operators to intervene or stop the AI if necessary.

General Purpose AI (GPAI)

Requirements for foundation models apply from August 2025. All GPAI providers must update technical documentation and adhere to EU copyright laws. Models classified as posing systemic risk, specifically those trained with cumulative compute power greater than 10**25 FLOPs, face stricter mandates. These include conducting adversarial testing (red teaming) to identify vulnerabilities, reporting serious incidents to the newly formed AI Office, and ensuring adequate cybersecurity protections.

Timeline and Penalties

While prohibitions on banned practices apply from February 2025, most High Risk obligations come into force in August 2026. Non-compliance can lead to fines of up to 35 million euros or 7% of global turnover.

Impact on Data Handling and Governance

The EU AI Act fundamentally reshapes how organizations manage data for High-Risk AI systems. Under Article 10, providers must establish a rigorous data governance framework before a model is even trained. 

This goes beyond standard GDPR compliance; it requires that training, validation, and testing datasets be relevant, representative, and, to the best extent possible, free of errors and complete.

To comply, companies must document their entire data pipeline. This includes the original design choices, data collection methods, and processing steps such as labeling, cleaning, and aggregation. 

A critical new obligation is bias mitigation. The Act explicitly mandates that providers examine datasets for biases that could affect health, safety, or fundamental rights. Uniquely, it permits the processing of sensitive personal data (like ethnicity or religion) strictly for bias monitoring and correction, provided appropriate safeguards are in place. 

This creates a legal pathway to use sensitive data to make AI fairer, a significant shift from previous privacy-first restrictions.

EU AI Act vs EU Data Act

Although often conflated under the misleading label “EU AI Data Act,” the EU AI Act and the EU Data Act are two distinct pillars of the EU’s digital strategy—each targeting a different axis of technological governance. Understanding how they differ—and how they complement each other—is essential for AI and data-driven organizations operating in Europe.

Regulatory Focus

• AI Act: Regulates the technology—specifically, AI systems and their associated risks. It’s a product safety law for algorithms, designed to ensure that AI is transparent, explainable, and safe.
• Data Act: Regulates data infrastructure—who owns, accesses, and controls data, particularly from connected devices and digital services. It addresses economic fairness and interoperability in the data economy.

Think of it this way: the AI Act governs the behavior of the algorithm, while the Data Act governs the flow of data into and out of those systems.

Preparing for Compliance

Complying with the EU AI Act and Data Act requires early, coordinated action across technical, legal, and operational teams. Here's a streamlined roadmap:

1. Audit Your AI Systems and Data: Inventory all AI systems and classify them by risk under the AI Act (e.g., high-risk, limited-risk). Simultaneously, identify device-generated data or services subject to the Data Act. Assess current documentation, risk controls, and data sharing policies.

2. Strengthen Data Governance: Implement policies for data quality, provenance, and bias testing. Ensure data can be accessed and exported securely. For the Data Act, enable user access to IoT data and appoint responsible data stewards. For the AI Act, align dataset usage with bias mitigation and traceability requirements.

3. Implement Monitoring and Audit Trails: Use tools to log model activity, monitor AI behavior post-deployment, and track data-sharing events. TrueFoundry’s AI Gateway can automate observability, enforce policies, and simplify audit readiness

4. Train Your Teams: Educate developers, product managers, legal, and customer support on compliance responsibilities. Build a culture of AI governance with checklists, internal guidelines, and designated compliance leads.

5. Review Contracts and Policies: Update user agreements, partner contracts, and data sharing terms to reflect fair use and transparency. Seek compliance assurances from vendors and provide clear AI and data use policies to users.

6. Leverage Tools and Experts: Adopt compliance-focused platforms (e.g., model monitoring, policy enforcement) and consult legal experts or audit firms. Stay ahead by participating in standardization consortia or regulatory sandboxes.

7. Monitor Regulatory Updates: Stay informed about evolving guidance, certification schemes, and timelines. Prepare for audits and adapt internal practices as standards mature.

By integrating compliance into your infrastructure and workflows early, organizations can reduce risk, streamline operations, and unlock strategic benefits—positioning themselves as trustworthy AI providers in a rapidly evolving regulatory landscape.

Conclusion

The EU AI Act and Data Act mark a paradigm shift in how technology is governed in Europe—and likely worldwide. These regulations aren’t just legal checklists; they’re a blueprint for responsible innovation in AI and data-driven ecosystems.

For organizations, the message is clear: compliance is mandatory, but the smart play is to treat it as strategic. Embedding governance, transparency, and user rights into AI and data operations can strengthen internal systems, reduce legal risk, and build long-term trust with customers and regulators alike.

Tools like TrueFoundry’s AI Gateway make this shift more manageable by offering observability, access controls, and auditable logs key elements for meeting regulatory expectations. Startups and enterprises that adopt a “compliance-first” mindset will not only meet the EU bar—they’ll position themselves as leaders in the emerging global market for safe, ethical, and explainable AI.

Ultimately, the Acts are not a brake on innovation, they are a filter. They reward organizations that build robust, high-quality, and human-centered technologies. Those that embrace this shift will be best placed to succeed in the era of trustworthy AI and open data.

‍