Europe moves to AI enforcement

Europe’s AI law is moving from rule-writing to enforcement, and companies are now preparing for regulators instead of policy drafts. (pinsentmasons.com) In the Netherlands, the government opened a consultation this week on draft legislation that would split oversight of the European Union’s Artificial Intelligence Act across 10 regulators. The consultation closes on June 1, 2026, before the bill goes to the Dutch House of Representatives. (pinsentmasons.com) Under the draft, the Dutch Data Protection Authority and the State Inspectorate of Digital Infrastructure would act as coordinating supervisors, working with sector regulators including the Health and Youth Care Inspectorate, the consumer product safety authority and the Dutch Labour Inspectorate. (pinsentmasons.com) The AI Act took effect on August 1, 2024, but its obligations arrive in phases. The first requirements started applying from February 2025, including bans on certain AI uses and a duty for organizations using AI to ensure staff have enough AI literacy. (commission.europa.eu) (autoriteitpersoonsgegevens.nl) The biggest compliance deadline still on the calendar is August 2, 2026, when the main rules for high-risk AI systems are due to apply under the current law. The European Commission has also proposed targeted changes through its Digital Omnibus on AI package, published January 19, 2026, to smooth implementation. (pinsentmasons.com) (digital-strategy.ec.europa.eu) High-risk AI covers systems used in areas like hiring, critical infrastructure, education admissions, biometric identification and eligibility decisions for public benefits, as well as AI that serves as a safety component in products like medical devices. Those systems face requirements on risk management, data quality, technical documentation, transparency and human oversight. (nldigitalgovernment.nl) (commission.europa.eu) For companies, the AI Act does not replace the General Data Protection Regulation. The International Association of Privacy Professionals said on April 21, 2026, that the two laws follow different logics — the AI Act as a product-safety regime and the General Data Protection Regulation as a rights-based data protection law. (iapp.org) That overlap shows up in day-to-day compliance. The International Association of Privacy Professionals said deployers of some high-risk systems must carry out a fundamental rights impact assessment under Article 27 of the AI Act, while the General Data Protection Regulation can separately require a data protection impact assessment under Article 35. (iapp.org) The same mapping notes another pressure point: the AI Act allows processing of sensitive personal data when it is strictly necessary to monitor, detect and correct bias in high-risk systems, while the General Data Protection Regulation still starts from a general ban on processing that kind of data unless an exception applies. (iapp.org) A European Parliament study published October 30, 2025, said the AI Act’s interaction with laws including the General Data Protection Regulation, the Data Act and the Cyber Resilience Act creates “significant regulatory complexity.” That is the backdrop as member states start assigning real supervisors and businesses shift from legal interpretation to audit trails, filings and inspections. (europarl.europa.eu)