
Course 2 Key Takeaways

5 min · Course 02

A summary of the essential frameworks, principles, and action points from Course 2 — AI Governance, Compliance & Regulatory Strategy.

The EU AI Act
  • The law is in force — prohibited practices have been enforceable since February 2025
  • Classification is everything: prohibited → high-risk → limited risk → minimal risk
  • High-risk AI requires: risk management, technical documentation, transparency, human oversight, conformity assessment, and EU database registration
  • Fines up to €35M or 7% of global turnover — higher than GDPR
GDPR & AI
  • Every AI system processing personal data is a GDPR system
  • Training data needs its own lawful basis — you cannot assume consent from the original collection
  • Article 22 applies to solely automated decisions with significant effects — "rubber stamp" human review does not satisfy it
  • DPIAs are mandatory for most AI systems processing personal data at scale
  • The right to erasure creates a technical challenge for trained models — plan for this before training
Internal Governance
  • Start with inventory, not policy
  • Your AI Register is the foundation of everything — it must be current and complete
  • Every system needs a named Business DRI and Technical DRI
  • Governance must be a process embedded in how new AI is deployed, not a document that gets reviewed annually
Accountability & Explainability
  • As an AI deployer, you bear liability for what your AI systems do — even if someone else built them
  • Document your due diligence: it is your legal defence
  • Explainability must be case-specific, plain-language, and genuinely faithful to the model's logic
  • Post-hoc explanations (SHAP, LIME) may not satisfy regulatory requirements without additional design-time explainability measures
Sector-Specific Compliance
  • Horizontal frameworks (AI Act, GDPR) stack on top of sector-specific regulation — they do not replace it
  • Financial services: AI Act + DORA + Consumer Duty + PRA model risk + EBA guidance
  • Healthcare: AI Act + MDR/IVDR + MHRA/EMA guidance + GDPR (special category data)
  • Map your full regulatory stack before building your compliance programme