EU AI Act Faces Scrutiny Over Implementation Concerns

The European Union’s landmark Artificial Intelligence (AI) Act, set to be fully applicable in August 2026, is facing increasing scrutiny from data protection authorities regarding its implementation. The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have voiced concerns that the planned simplification of the regulation could compromise fundamental rights and create enforcement gaps.

Centralization of Power at the EU AI Office

A key point of contention centers on the proposed concentration of supervisory power within the new EU AI Office. This office is slated to have sole oversight of AI systems used by very large online platforms and search engines. Although data protection officers generally support the overall approach, they warn that insufficient cooperation with national authorities could hinder effective enforcement. The EDPB and EDPS emphasize that if the central office in Brussels acts slowly or remains inactive, crucial enforcement mechanisms will be lacking. EDPB and EDPS Joint Opinion highlights the necessity of close collaboration with national data protection authorities, particularly for AI applications that heavily involve personal data.

Delays in High-Risk AI System Guidelines

The EU Commission has already missed a critical deadline – the publication of a guide clarifying when an AI application is classified as “high risk,” which was due on February 2nd, 2026. This classification triggers stricter obligations for documentation, risk management, and human oversight. The Commission is currently integrating feedback on the guidelines. The EDPB and EDPS warn that any delay in establishing clear rules for high-risk systems is dangerous, potentially allowing such systems to enter the market in a legal gray area before protective regulations are in place. Digital Omnibus Regulation proposal

EU’s Global Promotion of the “EU Model”

Despite internal debates, the EU is actively promoting its AI regulation as a global standard. Executive Vice President Henna Virkkunen recently represented the Union at the AI summit in New Delhi, aiming to strengthen partnerships with countries like India and shape global AI governance. This strategy mirrors the successful promotion of the General Data Protection Regulation (GDPR), positioning the EU as a leader in secure and ethical AI development. The AI Office is expected to play a central role in this international outreach once it is fully operational.

Implications for Companies

The AI Act operates on a risk-based approach, categorizing systems into four levels: unacceptable risk (prohibited), high risk, limited risk (requiring transparency), and minimal risk. Bans on AI systems posing unacceptable risk have been in effect since February 2025. The focus is now shifting to the more complex categories, with August 2026 remaining the critical deadline for full compliance with obligations for high-risk systems. Certain AI applications in regulated products will not be subject to the rules until August 2027. Industry stakeholders are requesting improvements and additional time for developing technical standards.

Key Takeaways

• The EU AI Act is facing scrutiny over potential weaknesses in its implementation.
• Concerns center on the concentration of power in the EU AI Office and potential delays in establishing guidelines for high-risk AI systems.
• The EU is actively promoting its AI regulation as a global standard, similar to the GDPR.
• Companies must prepare for the August 2026 deadline for compliance with obligations for high-risk AI systems.

The joint statement from the EDPB and EDPS serves as a formal recommendation to EU legislators, highlighting the delicate balance between practicality and effective protection. The coming months will be crucial for finalizing the Commission’s guidelines and establishing robust national authorities. Companies should recognize that the regulatory timeline is firm and that proactive preparation is essential to avoid compliance risks.