The Regulatory Stack — Why One Framework Is Never Enough
The EU AI Act and GDPR are horizontal frameworks — they apply across all sectors. But every regulated industry also has vertical, sector-specific regulation that interacts with and in some cases supersedes the horizontal frameworks. Understanding your full regulatory stack is essential.
Regulatory frameworks do not replace each other — they stack. A bank deploying AI for credit decisions must comply with the EU AI Act (horizontal), GDPR (horizontal), the Consumer Duty (UK financial services), PRA model risk guidelines, and EBA guidance on internal governance. Each layer adds obligations.
Why This Matters for AI Specifically
- Sector regulators often move faster on AI than horizontal frameworks — the FCA published an AI discussion paper in 2024; the PRA published model risk expectations
- Sector-specific obligations may impose stricter requirements than the AI Act — healthcare AI may require clinical evidence that exceeds AI Act documentation requirements
- Enforcement is dual — you can be investigated by both the AI Act enforcement authority AND your sector regulator for the same incident
- Some sector frameworks explicitly require AI governance programmes — DORA for financial services is a prominent example
The practical implication: when you classify an AI system, you need to assess it against ALL applicable frameworks simultaneously — not just the AI Act.
In the assignment at the end of this section, you'll map the full regulatory stack that applies to your highest-risk AI system. The next two lessons cover the most significant sector-specific frameworks you're likely to encounter.
