EU AI Act

What is the EU AI Act?

The EU AI Act is the European Union's comprehensive regulatory framework governing the development, deployment, and use of artificial intelligence systems. It is the world's first broad AI regulation and applies to any organization placing AI systems on the EU market or using them in ways that affect EU individuals — regardless of where the organization is headquartered. It entered into force in August 2024, with provisions applying progressively through 2026 and beyond.

Risk-based framework

The Act classifies AI systems into four tiers based on their potential for harm. Unacceptable risk systems are prohibited entirely — this includes AI that manipulates people subliminally or enables mass surveillance. High-risk systems are subject to strict requirements before deployment — including AI used in employment decisions, credit scoring, biometric identification, education, and law enforcement. Limited risk systems face transparency obligations. Minimal risk systems are largely unregulated.

Data governance requirements for high-risk AI

The Act imposes specific data governance requirements on high-risk AI systems that are directly relevant to enterprise security and compliance teams. Training data must be relevant, representative, and free from errors that could cause discriminatory outputs. Providers must maintain documentation of training datasets, including their characteristics, sources, and preprocessing steps. Data lineage traceability throughout the AI lifecycle is required. Data minimization — using only data necessary for the system's purpose — must be demonstrated.

What this means for enterprise security teams

Organizations need to be able to answer: What data are our AI systems trained on? Does that training data contain sensitive or regulated personal data? Who has access to the data stores feeding our AI systems? Are we applying data minimization principles to our AI training sets? How is sensitive data protected in AI pipelines and inference environments?

These are foundational data security questions requiring DSPM and DSPM for AI capabilities to answer at enterprise scale. Manual data inventories and periodic audits cannot keep pace with dynamic AI environments where training datasets are updated, models are retrained, and new AI tools are deployed continuously.

Shadow AI and EU AI Act compliance

The Act's requirements apply to AI systems an organization deploys, not just those it knows about. Shadow AI deployments — AI tools adopted by business teams without IT or security review — create compliance exposure if those systems process personal data or are used in high-risk decision contexts. Discovering and inventorying all AI systems in the environment is a prerequisite for AI Act compliance, not an optional governance exercise.

Penalties

Non-compliance penalties are significant. Violations related to prohibited AI practices: fines up to €35 million or 7% of global annual turnover, whichever is higher. Non-compliance with obligations for high-risk AI systems: fines up to €15 million or 3% of global annual turnover. These penalties are comparable in scale to GDPR fines, reflecting the seriousness with which the EU regards AI governance failures.

Relationship to GDPR

The EU AI Act does not replace GDPR — both frameworks apply simultaneously and must be complied with together. GDPR governs personal data processing broadly; the AI Act governs AI systems specifically. An AI system that processes personal data in a high-risk context must comply with both. The data governance requirements of the AI Act are largely consistent with GDPR's data minimization, accuracy, and accountability principles, but extend them explicitly into the AI context for the first time.

Learn how Sentra supports EU AI Act compliance
