AI in 2026: What Businesses Need to Understand About Regulation Now

AI is no longer a pilot or a standalone tool. It is becoming part of the core business infrastructure and, at the same time, part of one of the most heavily regulated environments in the EU.

For business leaders, the key question is no longer what AI can do, but how it can be deployed in a legally sound and controlled way.

In practice, AI is not governed by a single regulation. The EU framework is layered: the AI Act, GDPR, NIS2 and DORA can all apply simultaneously to the same deployment.

This means AI adoption cannot be treated as a separate compliance exercise. It is a structural issue: how data, technology, responsibilities and contracts are designed and aligned across the organisation.

Your Role Determines Your Obligations

Under the AI Act, obligations are not assigned generically to organisations, but based on their role.

A company may act as a provider, a deployer, or a distributor, and each role comes with a different level of responsibility. These range from documentation and risk assessments to ongoing monitoring and accountability.

In practice, the distinction is not always clear. Organisations can unintentionally move into a provider role, for example by modifying the intended use of a system or embedding it into their own offering.

Identifying the correct role is therefore not a legal formality; it is the starting point for any compliant AI strategy.

Data Protection Remains Central

AI does not replace data protection obligations. It makes them more complex.

Key GDPR questions become more critical in an AI context: what is the lawful basis for data use, who acts as the controller, and how are automated decisions handled in line with regulatory requirements.

A recurring risk arises in vendor relationships. AI providers are often assumed to act as processors, while in reality they may operate as independent or joint controllers. This has direct implications for liability, governance and risk allocation.

Contracts Make Compliance Operational

Regulation becomes real through contracts. Without clear contractual structures, legal obligations do not translate into practice. In AI deployments, core issues include data usage rights, ownership of outputs, allocation of liability, and audit and transparency mechanisms. These are not technical details; they determine whether AI can be used safely and at scale.

AI adoption is not just a technology decision. It is a legal and operational transformation. Organisations that understand their role, control their data, and structure their contracts correctly are able to capture the value of AI while managing regulatory risk.

We also covered these topics in a TRUST webinar, focusing on the practical implications of AI regulation, contracts and deployment from a business perspective.

AI, Data & Privacy Law - webinar materials
