The final report of the series analysing different aspects of the new AI rulebook examines the interaction of the AI Act with existing or draft legislation on data protection and cybersecurity.
The report addresses the references in the AI Act to the General Data Protection Regulation (GDPR), the Law Enforcement Directive (LED), the draft Cyber Resilience Act (CRA) and the Digital Services Act (DSA).
The new AI rulebook provides a new legal basis for further processing lawfully collected personal data in the context of regulatory sandboxes. Such processing will nevertheless need to be compatible with the GDPR requirements.
Moreover, providers of high-risk AI (HRAI) systems are allowed to process special categories of personal data as defined under the GDPR only exceptionally. Providers can resort to such processing only to correct biases in the datasets, and subject to safeguards additional to those foreseen in the GDPR.
For HRAI systems which fall within the scope of the draft CRA and fulfil its cybersecurity requirements, a presumption of conformity will apply vis-a-vis the mandatory cybersecurity requirement for HRAI systems under the AI Act (e.g. resilience against unauthorised use by third parties).
Further, if AI systems are embedded into very large online platforms or very large search engines under the DSA, the AI Act clarifies that such systems are subject to the risk assessment obligations in the DSA.
See also:
Part 1: Scope
Part 2: Obligations
Part 3: Enforcement
For more information and to access our AI Act report series, please click on “Access the full content” - or on “Request Access”, in case you are not subscribed to our European Digital Economy service.
more news
29 July 25
New benchmark on provisioning timers and SLAs for wholesale local access over fibre in Europe
Our new benchmark covers service level agreements (SLAs) for the provisioning of wholesale local access (WLA) over fibre unbundling and virtual unbundling (VULA) across 18 European countries.
28 July 25
Privacy in the digital age
This Global Trends benchmark compares key aspects of data protection laws across 14 jurisdictions: Australia, Brazil, Canada, China, the EU, India, Indonesia, Japan, Kenya, Korea, Singapore, South Africa, the UK and the US.
25 July 25
Few EU countries have yet designated authorities to enforce new EU rules on data and AI
Our new benchmark maps the authorities designated to enforce the Data Governance Act, the Data Act and the Artificial Intelligence Act across all the 27 EU member states.