EU AI Act Seen as Comparable to GDPR in Terms of US Regulatory Influence

The EU AI Act’s compliance requirements have come into force on a staggered timeline, with mandates for general-purpose AI models going into effect in August. Almost all remaining provisions come into effect in August 2026, but obligations related to using AI as a safety component will be active in August 2027.

Attorney Brian Alexander noted that when the GDPR came into effect, many U.S. companies weren’t highly concerned about complying, but then California and dozens of other states enacted privacy laws with European concepts. If you currently operate in the EU or have plans to operate there, “then your company should be considering the [EU AI Act] compliance requirements now,” he said, noting the Colorado AI Act, the first comprehensive AI regulation in the U.S., borrowed from the EU AI Act. “We’ll see these same concepts start to appear in state laws, similar to what happened with privacy laws.”

Attorney Susan Duarte noted that the bulk of the 180-page EU AI Act is aimed at high-risk AI systems. Accordingly, she recommended data governance systems that use high-quality, relevant and “error-free” data; comprehensive technical documentation; automated recordkeeping with six-month logs; and transparency for deployers to “interpret” outputs. “If you do have a high-risk system, you’re going to need a risk management system” with continuous risk identification, analysis and mitigation, which will require regular reviews, she added.

At a different event Tuesday, a Future of Privacy Forum official said she didn't expect the EU AI Act to influence the rest of the world in the same way as GDPR (see 2510210035).