Sarah McCoy
Published on 11 November 2025

The C-level guide to EMEA AI and data regulations

Understand key AI and data compliance rules in EMEA and how new regulations affect business. Learn what leaders can do to stay compliant and adapt to evolving legal and ethical standards.
The EMEA region is complex, with broad-stroke EU policies alongside individual countries opting out of them or going beyond them in their own localised rules. It can be difficult to stay up to date, and with the rise of AI products and services the digital rulebook is constantly evolving, so many of our customers are finding themselves asking:
  • Who is responsible if an AI system causes harm or violates a regulation?
  • How do I procure compliant AI in EMEA?
  • How do I build an audit-ready AI governance framework?
Historically, these concerns were primarily those of IT and legal teams, but increasingly, with the threat of substantial fines and reputational damage, they are concerns that trouble every business leader.
Here, we provide a high-level overview of the key policies impacting every business operating in EMEA with regard to AI.

What are the new regulations?

We all remember the introduction of GDPR in 2018; while it shook up your marketing and sales teams to no end, we all understood that protecting personal data was for the best. And now this new wave of compliance moves us into digital safety, resilience, and fairness.
The new regulations set safety standards for public services (AI Act), keep essential services such as the power grid running (NIS2, DORA), define data-sharing rules (Data Act), and mandate that connected products are secure (Cyber Resilience Act). Like GDPR, they change how we do business, but we all agree that compliant procurement and governance frameworks are beneficial, perhaps even a competitive advantage.

The key regulations every business leader should know

Regulation: GDPR
What it covers: The foundation of EU data privacy. Regulates the collection, storage, and processing of personal data.
Why it matters for leaders: Any AI system handling personal data must prove lawful use, explainability, and data minimisation. Non-compliance can result in fines of up to 4% of the company's global turnover.

Regulation: EU AI Act
What it covers: The first major legal framework for AI, classifying systems by risk.
Why it matters for leaders: High-risk AI systems require human oversight, thorough documentation, and ongoing compliance. Transparency obligations apply to all AI that interacts with people.

Regulation: Data Act
What it covers: Ensures fairness and interoperability in the sharing of data between users, platforms, and devices.
Why it matters for leaders: Creates opportunities for ethical data sharing and improved AI model performance without breaching user rights.

Regulation: DORA (Digital Operational Resilience Act)
What it covers: Focuses on the financial and ICT sectors. Strengthens resilience against operational and cyber threats.
Why it matters for leaders: If AI is used in financial or risk-related systems, it must meet DORA's resilience and reporting standards.

Regulation: Cyber Resilience Act
What it covers: Applies to all connected hardware and software in the EU.
Why it matters for leaders: AI systems embedded in products must adhere to "security by design" principles and be proactively patched to ensure optimal security.

Regulation: NIS2 Directive
What it covers: Expands cybersecurity obligations to critical and digital infrastructure.
Why it matters for leaders: Cloud AI providers and data platforms now fall within scope, requiring robust governance and incident reporting.

Regulation: DMA / DSA (Digital Markets & Services Acts)
What it covers: Regulates the behaviour of Big Tech and platform accountability.
Why it matters for leaders: Any AI-driven recommendations, rankings, or content moderation must be transparent and auditable.

What are the risks?

It is too easy to weigh the effort against the reward and opt out of compliance. Being ignorant of policy changes, their nuances, and their consequences is an expensive strategy. Just as with GDPR, the fines are intentionally large to serve as a deterrent; they are often calculated as a percentage of a business's global revenue and can be as high as 7%.

A top-line overview of the risks of non-compliance

Regulation: EU AI Act
Financial risk: Tiered. Up to €35M or 7% of global turnover for banned AI. Up to €15M or 3% for non-compliance on high-risk systems.
Reputational risk: Severe. Being publicly named for using a discriminatory, biased, or unsafe AI. Total erosion of customer and employee trust.
Operational risk: Medium. Risk of having to rip and replace a core AI-driven process (e.g., HR, credit scoring) at short notice.
Market access risk: High. A non-compliant, high-risk AI system may be banned from deployment in the EU, stalling a major product or service launch.
Innovation risk: High. Teams become "paralysed" by fear, refusing to use any AI, even low-risk tools, for fear of non-compliance.
Primary C-suite impact: CEO, CIO/CTO, Head of HR, CMO

Regulation: NIS2 Directive
Financial risk: Up to €10M or 2% of global turnover (for "Essential Entities"). Crucially, it includes personal liability (e.g., suspension) for management.
Reputational risk: High. Being named as a "weak link" in a nation's critical infrastructure. Loss of B2B contracts from partners who now see you as a supply chain risk.
Operational risk: Extreme. This regulation is operational risk. Failure means a crippling cyber-attack you can't respond to, leading to total service shutdown.
Market access risk: High. You may be deemed non-compliant and thus unable to bid for contracts in critical sectors, or be "fired" as a supplier.
Innovation risk: Low. This is less about new tech and more about protecting existing tech. The "risk" is a drain on resources that could go to innovation.
Primary C-suite impact: CEO/Board (personal liability), COO, CISO

Regulation: DORA
Financial risk: Penalties set by national authorities. For critical third-party (CTP) providers, fines can be 1% of average daily global turnover.
Reputational risk: Extreme. For a financial firm, a resilience failure (e.g., "payments are down") is a fundamental breach of trust that can cause a run on the bank.
Operational risk: Extreme. This is the definition of the regulation. Failure to withstand or recover from an ICT incident means a complete halt to financial operations.
Market access risk: Medium. Primarily a risk of being shut down by regulators, but also of losing major corporate clients who cannot risk your instability.
Innovation risk: Medium. A heavy focus on resilience and CTP management can slow down adoption of new FinTech tools that haven't been rigorously vetted.
Primary C-suite impact: CEO, COO, CFO, CRO

Regulation: Data Act
Financial risk: Penalties to be aligned with the GDPR framework (up to €20M or 4% of global turnover).
Reputational risk: Medium. Risk of being seen as "data hoarders" or uncooperative partners. Customer frustration if you don't provide their data from a connected product.
Operational risk: High. Creates new, mandatory data-sharing processes. Your systems must be able to securely provide data to third parties (like repair shops).
Market access risk: High. Your business model itself may be at risk if it relies on a "walled garden" for data. Opens the door to new competitors in your after-sales market.
Innovation risk: Dual risk/opportunity. Risk: competitors get your data. Opportunity: you get your suppliers' data.
Primary C-suite impact: CSO (Strategy), CDO (Data), COO

Regulation: Cyber Resilience Act (CRA)
Financial risk: Tiered. Up to €15M or 2.5% of global turnover for non-compliance.
Reputational risk: High. Your product (hardware or software) is publicly recalled for a vulnerability. Your brand becomes synonymous with "insecure."
Operational risk: High. A mandatory "stop-ship" order or a forced product recall is a massive, expensive operational event. Requires long-term patching support.
Market access risk: Extreme. This is a market entry regulation. If your "smart" product is not compliant, it will be illegal to sell it in the EU.
Innovation risk: Medium. Adds new "security-by-design" steps to R&D. Can slow down "move fast and break things" product development.
Primary C-suite impact: Head of R&D, COO (Product), CISO

What happens when businesses get it wrong

Meta Platforms Ireland Limited – Cross-border transfers under General Data Protection Regulation (GDPR)
What happened: In April 2023, the European Data Protection Board (EDPB) issued a binding decision ordering Meta Ireland (Meta IE) to cease certain data-transfer practices and imposed a €1.2 billion fine for the systematic and continuous transfer of EU personal data to the U.S. without adequate safeguards.
Key takeaway: Even large global organisations are exposed to substantial fines if they transfer EU data outside the region without meeting the standards outlined in Chapter V of the GDPR (e.g., approved mechanisms such as standard contractual clauses or data adequacy assessments).
TikTok – Data transfers to China and GDPR enforcement
What happened: In May 2025, the Irish Data Protection Commission (DPC) fined TikTok €530 million (€485m for data-transfer violations, €45m for transparency failures) because the app failed to ensure that personal data of EEA users transferred to China was protected to a level "essentially equivalent" to EU standards.
Key takeaway: Transfers to jurisdictions with significantly different regulatory regimes attract severe regulatory scrutiny and penalties — transparency in privacy policies and guarantees of data protection are non-negotiable.

What are the rewards for committing to an AI governance framework?

While the above outlines some of the risks associated with non-compliance when operating within EMEA, with great risk often comes great reward. The regulations demonstrate what customers expect from digital infrastructure, and when businesses comply, they can use them to gain a competitive advantage.
Digital trust: Companies spend years and millions building trust with customers; however, with the rise of AI, over-marketing, misinformation, and deepfakes, trust is more important than ever. Proving that your AI is ethical (AI Act) and your systems are resilient (NIS2/DORA) is now a powerful market differentiator.
Governed innovation: The AI Act shouldn't be seen as an AI deterrent, but rather as a tool that forces you to take stock of your AI models, assess their risks, and govern their usage. By being compliant, you enable innovation without the risk of AI liability. Guardrails for AI give your company a safe space in which to innovate.
Resilient enterprise: Certain regulations, such as NIS2 and DORA, serve as a stress test. They identify risks and potential points of failure in suppliers and develop recovery plans. Creating a governance framework, not just for AI, but for all digital tools, will ensure your business is resilient to threats.
Partner of choice: It is not a new question, but with the increase in high-visibility hacking it is an ever-growing concern: can a customer trust your digital supply chain? If you can demonstrate your security and compliance, you will quickly become the partner of choice for companies not just in EMEA, but globally.