A 124% surge in cyberattacks across Germany, Austria and Switzerland in 2025 has sharpened the urgency of compliance with the European Union’s Artificial Intelligence Act, whose first binding governance obligations for high-risk systems take effect on August 2, 2026. Companies that fail to meet the new rules risk fines of up to €35 million or 7% of their global annual turnover.
Nearly 78% of organizations have not yet launched concrete compliance steps, and more than half lack even a complete inventory of their AI applications, according to recent surveys. The requirements include detailed documentation of all AI systems, systematic risk analyses, and a functioning governance framework. Manual spreadsheet-based processes quickly reach their limits, though specialized AI assistants can ease the workload—without replacing legal scrutiny.
A possible reprieve is on the horizon. The so-called Digital Omnibus, a provisional agreement reached by EU negotiators in May 2026, would push some obligations for systems listed under Annex III to December 2027. But formal adoption by the European Parliament and the Council has not yet occurred.
Alongside the governance rules, the EU is tightening transparency for AI-generated content. On June 10, 2026, the EU AI Office published a code of conduct that fleshes out requirements under Article 50 of the Act, also effective from August. The code mandates multi-layered watermarks, standardized metadata, and visible symbols so that AI outputs are machine-readable and recognizable to users—especially at first contact.
National regulators are stepping up pressure. Germany’s financial watchdog BaFin and the DIHK, the association of chambers of commerce, are calling for uniform rules for AI chatbots, particularly in insurance sales. Liability questions in the event of faulty advice remain unresolved; the European Insurance and Occupational Pensions Authority (EIOPA) plans to issue an opinion later in 2026.
Labor law and data protection are also under strain. Many workplace AI systems qualify as high-risk under the Act, meaning works councils must actively participate in risk analyses and governance frameworks. The IG Metall union has already demanded clear rules for AI on the job. A recent ruling by the Hessian State Labor Court upheld the dismissal of a works council chairman who had forwarded sensitive data to private email addresses, underscoring the stakes.
Germany added to the regulatory complexity by missing the June 7, 2026 deadline to transpose the EU Pay Transparency Directive into national law, heaping more pressure on HR departments already grappling with AI compliance.
The link between AI governance and cybersecurity is becoming impossible to ignore. A data breach at Amazon’s health subsidiary One Medical between June 8 and 11, 2026, saw attackers steal 8.8 terabytes of patient data. Big tech is responding: Accenture has invested roughly $4.18 billion, partly to protect critical infrastructure. Meta, for its part, has since June 15, 2026, been required to grant rival AI providers access to WhatsApp under an interim European Commission order, even as it rolls out its own AI business agents globally.