The EU AI Act becomes fully applicable on 2 August 2026. Here is how DPOs can build an audit-ready AI programme before the deadline.
Topics: AI Act, DPO, AI Governance, EU, Compliance
The clock is ticking. On 2 August 2026, the bulk of the EU AI Act becomes fully applicable, and Data Protection Officers are now in the firing line. Furthermore, fines reach up to 7% of global turnover, so the cost of drift is enormous.
Meanwhile, most organisations still treat AI governance as a side project. However, regulators expect a live register, documented risk classification, and human oversight. Consequently, DPOs need a practical operating model, not another policy PDF.
Why this deadline is different
First, the AI Act is extraterritorial, much like GDPR. Therefore, any system whose output reaches EU users falls within scope. In addition, the Digital Omnibus package has clarified obligations rather than removed them.
Second, GPAI model rules already applied from 2 August 2025. As a result, downstream deployers must now evidence vendor due diligence. Moreover, transparency duties for AI-generated content land by 2 December 2026.
Finally, AI literacy obligations under Article 4 are already live. So every team touching AI needs documented training, not just the data team.
The four gaps DPOs keep hitting
Despite good intentions, the same four gaps appear in nearly every audit:
- No live AI inventory. Spreadsheets go stale within weeks.
- No risk classification logic. Teams guess between "limited" and "high" risk.
- No vendor evidence trail. Procurement signs deals before privacy reviews.
- No human-oversight proof. Policies exist, but logs do not.
Above all, regulators want evidence, not assertions. Therefore, DPOs must shift from documents to defensible workflows.
A practical 90-day playbook
To begin with, build a single AI register. Specifically, capture purpose, data categories, model provider, risk tier, and oversight owner. The Privacy360 AI Governance & Risk module, aligned to the NIST AI RMF, gives you that register out of the box.
Next, run a triage assessment on every system. In practice, that means a short threshold test before a full impact assessment. Subsequently, escalate any "high-risk" system into a full FRIA and DPIA workflow inside the Privacy360 DPIA module.
Then, tighten vendor controls. Importantly, the Privacy360 Vendor Assessment Module flags weak responses in real time and stores audit-ready evidence. Equally, it links each vendor to the AI systems that vendor supports, which closes a common audit gap.
After that, lock in AI literacy. The Privacy360 LMS triggers role-based training automatically when a new high-risk system is registered. Therefore, completion records sit next to your risk register, not in a separate HR tool.
Finally, schedule quarterly board reporting. Generate executive dashboards directly from the platform so the board sees risk drift early.
Where outsourced DPOs add the most value
For lean teams, an outsourced DPO accelerates every step above. In particular, Formiti's Outsourced DPO service brings legal, privacy, and operations specialists together. Likewise, Formiti's Enterprise AI Governance & Compliance practice delivers EU AI Act risk audits with executive-level findings.
Additionally, non-EU companies often need an EU GDPR Article 27 Representative and a UK Representative. Without that footprint, regulators have no local contact, which raises enforcement risk.
What "audit-ready" really looks like
To clarify, audit-ready does not mean "we have a policy." Rather, it means a regulator can ask three questions and get instant evidence:
- Which AI systems do you operate, and which are high-risk?
- Who reviewed them, when, and on what basis?
- How do you monitor drift, bias, and human override?
If you cannot answer these in minutes, the deadline is already a problem.
Key takeaway
The 2 August 2026 deadline rewards operators, not authors. Consequently, DPOs who replace static documents with live registers, automated assessments, and connected training will pass audits with confidence. To explore the operating model in action, book a Privacy360 walkthrough or read our companion piece on building a unified global privacy programme.