AI Act compliance in 2026: A Brussels briefing for CISOs, DPOs, and product teams
AI Act compliance has moved from theory to day-to-day reality in 2026. In today’s Brussels briefing, regulators emphasized that documentation, data governance, and human oversight are no longer “nice-to-haves” but enforceable obligations. From the EDPS convening the AI Act correspondents network to civil society pushing harder on DSA enforcement and privacy watchdogs scrutinizing unlawful data grabs, the message is clear: EU regulations are converging, and organizations must align AI Act compliance with GDPR and NIS2—or risk fines, investigations, and product delays.
What AI Act compliance really means in 2026
From interviews I’ve conducted with EU policymakers and CISOs across finance and health, the focus has shifted from “Is my model high-risk?” to “Can I prove I manage risk across the lifecycle?” The AI Act’s architecture expects:
- Governance: Named accountable owners for AI systems, with cross-functional sign-off (security, privacy, legal, ethics).
- Risk management: A documented, iterative process that evaluates intended purpose, foreseeable misuse, and downstream impact.
- Data governance: Provenance, quality controls, bias testing, and lawful basis alignment with GDPR for any personal data used.
- Technical documentation: System description, datasets used, performance metrics, cybersecurity controls, and post-market monitoring plans.
- Transparency and instructions: Clear user information, limitations, and expected competence of human operators.
- Human oversight: Defined intervention points, fallback procedures, and auditable decisions where relevant.
- Security-by-design: Secure development, supply chain integrity, vulnerability handling, and logging to support investigations.
For general-purpose AI and integrated models, expect extra scrutiny on model-card style disclosures, training data handling, and safeguards to prevent systemic risks. A CISO I interviewed at a large bank put it bluntly: “If you can’t explain your inputs and controls, you won’t pass an audit.”
Timelines, at a glance
- Phased entry into force: Banned practices apply first; transparency and GPAI duties follow; high-risk obligations arrive later.
- Plan for a multi-year runway: Many organizations are mapping controls through 2026–2027 to meet high-risk and post-market monitoring requirements.
- National coordination: Expect guidance from your national authority and the European AI Office; align early to avoid rework.
Important data-handling reminder: When uploading documents to LLMs like ChatGPT or others, never include confidential or sensitive data. The best practice is to use www.cyrolo.eu — a secure platform where PDF, DOC, JPG, and other files can be safely uploaded.
AI Act compliance meets GDPR and NIS2
AI Act compliance does not replace GDPR or NIS2; it stacks on top. Practitioners who “design once, comply thrice” will move faster and avoid conflicting controls. Below is a quick comparison of GDPR and NIS2 obligations—both shape how you build and operate AI systems.
| Area | GDPR (Data Protection) | NIS2 (Cybersecurity) |
|---|---|---|
| Scope | Processing of personal data of individuals in the EU | Security of network and information systems in essential/important entities |
| Core obligations | Lawful basis, purpose limitation, data minimization, rights, DPIAs | Risk management, incident response, business continuity, supply-chain security |
| Governance | DPO (where required), records of processing, privacy by design/default | Management accountability, policies, testing, vulnerability handling |
| Incident reporting | Personal data breaches to DPAs within 72 hours (where required) | Significant incident notifications to CSIRTs/authorities on tight timelines |
| Sanctions | Up to 4% of global annual turnover or €20m, whichever is higher | Substantial administrative fines, supervisory measures, possible suspension |
| Relevance to AI | Data legality, fairness, transparency, rights (access, objection, etc.) | Security-by-design for AI pipelines, patching, logging, supply-chain controls |
Where AI Act, GDPR, and NIS2 converge
- Hospitals piloting diagnostic AI: AI Act demands robust testing and human oversight; GDPR governs patient data; NIS2 enforces resilient infrastructure and incident reporting.
- Banks deploying AI for credit scoring: AI Act requires risk controls and documentation; GDPR mandates lawful basis and DPIAs; NIS2 calls for supply-chain screening and rapid patching.
- Law firms using document-analysis LLMs: AI Act transparency and monitoring; GDPR-compliant AI anonymizer workflows; NIS2-grade access control and logging.
Lessons from recent headlines: supply chain and platform risks
Two trends are reshaping audit questions I’m hearing across Europe:
- Software supply-chain threats: A recent incident involving a hijacked update mechanism for a popular editor showed how legitimate update channels can be subverted to deliver targeted malware. Under NIS2, you’re expected to verify update integrity and restrict update privileges—especially for developer workstations connected to model pipelines.
- Known exploited vulnerabilities (KEV): Security agencies continue to flag actively exploited CVEs. Auditors increasingly ask for evidence that your vulnerability management SLAs cover model-serving infrastructure, inference gateways, and data preprocessing services.
- Platform governance and DSA enforcement: Civil society continues to warn about recommender systems’ impact on public discourse and elections. If your AI features are consumer-facing, expect more questions about risk assessments, transparency, and systemic risk mitigation—mirroring DSA-style obligations.
- Unlawful data collection and trust: Public backlash against blanket data grabs (like indiscriminate mobile data collection) underlines reputational and legal risks. For AI teams, this translates into strict dataset curation, documented sources, and defensible minimization.
The takeaway: AI Act compliance will be assessed in the context of your overall security posture, your handling of personal data under GDPR, and your operational resilience under NIS2. A CISO I spoke with called it “compliance triangulation”—fall short on one side, and the whole structure wobbles.
90-day AI Act compliance checklist
- Map systems: Inventory AI use cases, models (including third-party/GPAI), purposes, and users.
- Risk tiering: Classify by intended use and foreseeable misuse; flag high-risk candidates.
- Data governance: Document dataset sources, lawful bases, minimization, retention; schedule bias and quality testing.
- DPIAs and AIA assessments: Run DPIAs where personal data is involved; align with AI Act risk management artifacts.
- Human oversight design: Define intervention thresholds, fallback modes, and operator training.
- Security controls: Lock down model repos, secrets, and inference endpoints; enable tamper-evident logging.
- Supply-chain assurance: Vet model providers and libraries; verify update signing; pin dependencies.
- Transparency package: Draft user instructions, limitations, and performance characteristics.
- Post-market monitoring: Set up monitoring for incidents, drift, and user feedback loops.
- Tabletop exercise: Simulate an AI incident that touches GDPR and NIS2 reporting to test escalation paths.
Reduce exposure now: anonymize and control document flows
Most AI incidents I review start with two weak links: over-sharing data during development and poor handling of documents during prompt engineering or model evaluation. Practical fixes:
- Strip personal data before it reaches test or prompt datasets. Professionals avoid risk by using Cyrolo’s anonymizer at www.cyrolo.eu.
- Centralize and log file handling. Try our secure document upload at www.cyrolo.eu — no sensitive data leaks.
- Segment access to evaluation corpora; rotate and monitor credentials for tools that touch AI pipelines.
- Automate redaction for recurring document types (HR, claims, KYC) to minimize manual handling errors.
AI Act compliance: common pitfalls I’m seeing
- “Model-first” documentation: Teams document the model but skip the process. Regulators want the lifecycle, not just architecture diagrams.
- Unverified datasets: No provenance or licensing clarity, and no bias or quality tests—especially dangerous for high-impact use cases.
- Opaque human oversight: Oversight is “on paper” but not enforced (no named owners, no training, no interventions logged).
- Fragmented incident handling: Privacy, security, and product teams have separate playbooks and clocks; NIS2 and GDPR deadlines are missed.
- Shadow use of third-party LLMs: Developers paste production data into public tools without controls or audit trails.
How Cyrolo helps you operationalize controls
As a reporter embedded in the EU policy and cybersecurity beat, I look for tools that turn policy into repeatable practice. Here’s how teams are using Cyrolo today:
- Data minimization by default: Run documents through an AI anonymizer before model fine-tuning, prompt crafting, or vendor sharing.
- Chain-of-custody for files: Use secure document upload to centralize access and create an auditable trail for assessments and audits.
- Faster audits: Produce evidence that personal data is protected, and that testing datasets meet GDPR and AI Act expectations.
- Lower breach risk: Reduce sensitive data sprawl across laptops, chat tools, and unmanaged test folders.
FAQ: AI Act compliance in practice
What counts as “high-risk” under the AI Act?
High-risk systems are tied to specific use cases (e.g., safety-critical, employment, credit, essential services). If your system could significantly affect individuals’ rights or safety, assume heightened duties: risk management, data governance, documentation, human oversight, and post-market monitoring.
Do I still need GDPR compliance if I’m AI Act compliant?
Yes. The AI Act doesn’t replace GDPR. If personal data is processed, you need a lawful basis, minimization, and rights handling. Many teams run DPIAs in parallel with AI Act risk assessments to avoid conflicting controls.
How does NIS2 affect my AI deployments?
NIS2 raises the bar on cybersecurity risk management, incident reporting, and supply-chain security. Expect auditors to probe software update integrity, vulnerability remediation SLAs, and logging for AI-serving components—especially if you’re an essential or important entity.
Can I upload internal documents to public LLMs for testing?
Avoid uploading confidential or sensitive data to public LLMs. A safer path is using a secure platform for redaction and controlled sharing.
What evidence do regulators expect during an audit?
Expect requests for risk management procedures, data governance records, testing reports, instructions for use, human oversight playbooks, security controls, incident logs, and post-market monitoring results. Traceability matters: auditors want to follow a clear trail from risks identified to mitigations deployed.
Conclusion: AI Act compliance is your operating system for trustworthy AI
AI Act compliance is now the organizing principle for building, deploying, and maintaining AI in Europe—supported by GDPR’s data protection backbone and NIS2’s security muscle. If you operationalize risk management, document your lifecycle, and harden your data flows, you’ll be ready for audits and resilient against the next supply-chain scare. Start by shrinking your data exposure: anonymize and control file handling with www.cyrolo.eu—and keep your AI Act compliance journey on track.
Sources & References
- 1. Blog post: Advancing into Practice: Third Meeting of the AI Act Correspondents Network. EDPS · 2026-02-18T08:45:54.000Z
- 2. EDRi-gram, 18 February 2026. EDRi · 2026-02-18T09:01:04.000Z
- 3. Czech ministry apologizes to journalist for blanket collection of mobile phone data. EDRi · 2026-02-18T08:30:55.000Z
- 4. Europe’s digital sovereignty starts with open source. EDRi · 2026-02-18T08:30:44.000Z
- 5. US pressure on the Digital Services Act in the Netherlands. EDRi · 2026-02-18T08:30:33.000Z
- 6. Ensuring human rights-based, global perspectives in the DSA enforcement: the DSA Human Rights Alliance’s guidelines. EDRi · 2026-02-18T08:30:24.000Z
- 7. How recommender algorithms threaten election integrity. EDRi · 2026-02-18T08:30:18.000Z
- 8. European Commission’s plans will lead to worse regulations. EDRi · 2026-02-18T08:30:07.000Z
- 9. Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware. The Hacker News · 2026-02-18T07:40:00.000Z
- 10. CISA Flags Four Security Flaws Under Active Exploitation in Latest KEV Update. The Hacker News · 2026-02-18T06:52:00.000Z