Fredrik Lindstrom

What GDPR Taught Us About How the EU AI Act Will Actually Bite

Eight years on from GDPR, the EU AI Act is doing for AI what GDPR did for data. Here's what the second-order effects looked like then — and what to plan for now, with 65 days to go.


On August 2nd, 2026, the EU AI Act becomes fully operational. In April 2018 — eight years and four months ago — I wrote a piece arguing that GDPR would change behavior in a way no previous data regulation had managed. Most of what I wrote then turned out to be right. Some of it turned out to be conservative. All of it is now relevant again, because the EU AI Act is doing for AI what GDPR did for data.

Here is what GDPR actually accomplished, and here is the part you need to plan for now.

The Promise

GDPR did three things that mattered, and only one of them was the headline.

The headline was the fines: up to 4% of global revenue. That number drove board meetings everywhere in 2017 and 2018. Equifax, in retrospect, would have faced a level-two fine of roughly 164 million euros for the breach I wrote about back then. Real money, even at their scale.

But the actual behavior change was driven by the other two things. First, GDPR forced organizations to answer three basic questions: what data are we collecting, where is it stored, and how is it protected? Most organizations could not answer any of those questions in 2017. By 2020, most large enterprises could answer all three. That was not a marketing improvement. That was operational change at the foundation of the data layer.

Second, GDPR shifted accountability to the controller. You could not outsource your way out of responsibility. If you collected the data, you owned the obligation, regardless of which vendor was processing it. That single change rebuilt vendor due diligence as a discipline across the entire EU economy.

The EU AI Act is following exactly the same architecture. Risk-tiered obligations. Real fines (up to 7% of global revenue for the most serious violations — higher than GDPR). Mandatory documentation of what AI systems you operate, what they do, what data they were trained on, and what risks they present. Article 4 specifically requires AI literacy across the organizations that develop or deploy AI systems.

If GDPR was a forcing function for data inventory, the EU AI Act is a forcing function for AI inventory. Most organizations cannot answer “what AI systems are we using” any better today than they could answer “what personal data are we collecting” in 2017.

The Risk

The risk is not the fines. The risk, again, is the second-order effect. Three things organizations should be planning for in the next 65 days.

First, agentic AI accountability. The Act’s general-purpose AI provisions create explicit obligations around how AI systems are deployed in real workflows. If your AI agent makes a decision, takes an action, or interacts with a customer, you need a documented chain of accountability. The “we just used the model the vendor provided” defense will not work, exactly as the “we just used the data processor the vendor provided” defense did not work under GDPR. You are the deployer. The obligations attach to you.

Second, the literacy gap will become a discoverable issue. Article 4’s AI literacy requirement is currently being treated by most organizations as a training-budget item. It will become a discovery item in litigation and a documentation item in regulatory inquiry. If your board approved an AI deployment without being able to demonstrate it understood the risks, you will see that in a deposition. The boards that built AI literacy programs in 2025 and early 2026 will be the ones whose minutes look defensible. The ones still scheduling the first session in August will not.

Third, the SME effect will be significant and underweighted. GDPR was designed with large organizations in mind. The actual operational burden landed disproportionately on SMEs that did not have the resources to build full data-mapping programs. The EU AI Act is following the same pattern. Large organizations will absorb the compliance cost. Smaller organizations using AI in customer-facing decisions will be the ones who learn — through a regulatory inquiry — that they did not realize they were a deployer of a high-risk system.

The Verdict

GDPR did not destroy the European data economy. It restructured it, raised the cost of careless behavior, and created a new vocabulary that boards now use fluently. The EU AI Act will do the same for AI. The companies that built data governance after 2018 are now using the same governance muscle to build AI governance in 2026. The companies that ignored the GDPR transition are now compounding the same debt at twice the velocity.

The pattern repeats: the deadline is what gets the budget approved, but the second-order effects — inventory, accountability, vendor due diligence, board-level literacy — are what actually change how the organization operates.

Eight years ago I wrote that GDPR represented a significant change because it required organizations to demonstrate they were in control of the data they were using. The EU AI Act requires the same demonstration for AI. The deadline is 65 days away. The work is the same work. The cost of starting late is the same cost.

After 25 years in cybersecurity, I have watched this pattern play out across every major technology transition. Cloud. Mobile. Data. Now AI. The organizations that build governance in parallel with deployment win. The ones that wait for the regulator pay twice — once for the fine, and once for the operational restructuring they should have done before they were forced to.

Start now.