GDPR required organisations to redesign how they handled personal data. The legal requirements were clear. The timelines were generous. The penalties were significant.
The organisations that held compliance were the ones that treated GDPR as a structural problem, not a legal one. They redesigned data handling at the operational layer. They did not just write policies. They changed how work moved through the building.
The AI Act is the same pattern running again
Faster timeline. Higher penalties (7% of global annual revenue, not 4%). Less clarity (harmonised standards not expected until December 2026, four months after enforcement begins).
And a far more complex operational surface, because AI is not a single data process. It is embedded in workflows across the entire organisation.
Companies that start with structure will hold compliance when enforcement arrives. Companies that start with checklists will discover, months later, that their governance exists on paper but nowhere else.
Waiting for legal certainty before addressing structural readiness is the mistake GDPR already punished. The Act will punish it faster.
The enforcement date is fixed. The structural work can begin now.
Book a scoping conversation