AI Governance Framework
Compliance with AI Act requirements involves operating within a comprehensive governance framework covering organizational structures, policies, and procedures; this framework is distinct from an individual organization's compliance obligations.
Overview
Legal Framework
The AI Act establishes its governance framework primarily through Recitals 148 and 173. Recital 148 outlines the foundational principle that the regulation requires a multi-level governance structure to coordinate application at the national level, build central Union-level expertise, and integrate stakeholders. This is operationalized through the establishment of the AI Office, whose mission is to develop and support this framework. Concurrently, Recital 173 establishes the adaptive nature of the governance framework by granting the European Commission delegated powers to amend key aspects of the Act, such as the list of high-risk AI systems and technical documentation requirements, ensuring the rules can evolve with the technology.
Practical Application
While the Recitals set the structural vision, the practical governance framework is implemented through the Act's operational articles and the authority of the AI Office. The framework is distinct from an individual provider's compliance obligations; it refers to the overarching regulatory and institutional ecosystem. This includes national competent authorities, the European Artificial Intelligence Board, and the Commission's enforcement mechanisms. The AI Office, as the central Union body, is tasked with building expertise, issuing guidance, and ensuring consistent application across Member States, thereby giving practical effect to the coordination mandate stated in Recital 148.
Key Considerations
- Distinguish Governance from Compliance: An organization's internal AI governance policies are a compliance obligation, but they operate within the broader external AI Act governance framework of authorities, boards, and EU-level coordination.
- Monitor for Regulatory Evolution: Given the delegated powers in Recital 173, organizations must monitor amendments to delegated acts by the Commission, as changes to the high-risk list or technical standards can directly alter compliance requirements.
- Engage with the Multi-Level Structure: Compliance may involve interaction with both national supervisory authorities and the EU-level structures (e.g., the AI Board for standards or the AI Office for guidance), so organizations should understand the respective roles of these bodies within the coordinated framework.
Laws (9)
Case Law (3)
Privacy International v Secretary of State
C-623/17 (Privacy International)
General and indiscriminate transmission of traffic data to security agencies incompatible with EU law.
Bundesverband der Verbraucherzentralen v Planet49 GmbH
C-673/17 (Planet49)
Pre-ticked checkboxes do not constitute valid consent. Consent must be active.
Digital Rights Ireland Ltd v Minister for Communications
C-293/12 (Digital Rights Ireland)
Invalidated Data Retention Directive as incompatible with fundamental rights.
Guidance (10)
Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
guidelines on transfers of personal data between public authorities and bodies within and outside the EEA
Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation
Guidelines on certification and identifying certification criteria
Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive
Guidelines on technical scope of art. 5(3) of ePrivacy Directive
Guidelines on the accreditation of certification bodies
Guidelines 04/2022 on the calculation of administrative fines under the GDPR
Guidelines on the calculation of administrative fines under the GDPR
The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating the amount of a fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine. The calculation of the amount of the fine is at the discretion of the supervisory authority, ...
binding corporate rules for controllers
guidelines on accreditation
Guidelines 04/2022 on the calculation of administrative fines under the GDPR
guidelines on calculating administrative fines
The European Data Protection Board (EDPB) has adopted these guidelines with a view to harmonising the method supervisory authorities use to calculate the amount of a fine. These guidelines complement the previously adopted Guidelines on the application and setting of administrative fines within the meaning of Regulation (EU) 2016/679 (WP 253), which concern the circumstances in which a fine must be ...
Guidelines 2/2023 on the technical scope of Article 5(3) of the ePrivacy Directive
guidelines on the technical scope of Article 5(3) of the ePrivacy Directive
News (4)
Digital Omnibus: EDPB and EDPS support simplification and competitiveness while raising key concerns
Brussels, 11 February - The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have adopted a Joint Opinion on the Digital Omnibus Regulation proposal.* This proposal aims to simplify the EU's digital regulatory framework, reduce administrative burden and enhance the competitiveness of European organisations. The EDPB and the EDPS focus on the aspects concerning the GDPR, the EUDPR, the ePrivacy Directive, and the Data Acquis.** More specifically, they asses
Register now for our conference on cross-regulatory cooperation in the EU (17 March)
The European Data Protection Board (EDPB) invites you to register for its conference, “Cross-regulatory interplay and cooperation in the EU: a data protection perspective”, taking place on 17 March 2026 in Brussels. This event will offer a high-level overview of the EDPB’s work in the EU’s cross-regulatory landscape, focusing in particular on how regulatory frameworks interact and how cooperation between authorities is ensured. Registration is open until 26 February 2026 and can be completed by
DeFine is a calculator for GDPR fines based on method of the EDPB
> DeFine is a translation into a calculator of part of the methodology proposed by the European Data Protection Board to calculate GDPR fines (see EDPB, Guidelines 04/2022 on the calculation of administrative fines under the GDPR, 12 May 2022, available online; it was subject to a public consultation until 27 June 2022).
Data Protection Officer or Chief Privacy Officer? The rise of the Data Protection Officer
> Do we need a Chief Privacy Officer, a Data Protection Officer, or do we need both? In the following article, I will examine the benefits of both roles, but I will also look at some of the challenges related to each of the roles and why these have impelled both Data Protection Officers and organisations to question what the ideal setup is for them.