The DPDP Act and the EU AI Act: Doubling Down on Compliance for Indian Enterprises
Jun 2, 2026
The consent-based and risk-based frameworks that anchor both the DPDP Act and the EU AI Act rest on the premise that organisations can be held accountable for how they collect personal data and how they design, deploy, and monitor automated systems. For an Indian IT services firm, a health-tech SaaS company with European users, or a financial institution processing personal data at scale, these are not regulatory abstractions operating in different jurisdictions. They are concurrent compliance obligations with overlapping timelines, distinct enforcement bodies, and separate documentary requirements. An organisation that satisfies one does not, as a matter of law, satisfy the other.
The DPDP Framework: What Is Now Operational
The DPDP Act 2023 received Presidential assent on 11 August 2023. The DPDP Rules 2025, notified by MeitY on 13 November 2025, converted its provisions from legislative intent into enforceable operational mandates. The Act establishes two central roles: the Data Fiduciary (any person, company, or state entity that determines the purpose and means of processing personal data) and the Data Principal (the individual whose data is processed). The territorial scope is broad: any entity processing digital personal data within India, or offering goods and services to Indian residents, falls within scope regardless of its country of incorporation.
The Rules impose a phased compliance structure. The Data Protection Board of India (DPBI), to be constituted as a fully digital, paperless independent body under Section 18 of the Act, becomes operational immediately upon notification. Consent Manager registration, which requires a minimum net worth of INR 2 crore and India-incorporated status, opens in November 2026. All substantive obligations become mandatory on 13 May 2027, with no grace period thereafter. These include notice and consent mechanisms, breach reporting, data principal rights, security safeguards, and automated data erasure once the stated purpose is fulfilled.
The penalty structure is calibrated to compel change, not to function as a routine cost of doing business. Failure to implement adequate security safeguards leading to a personal data breach attracts a penalty of up to INR 250 crore. Failure to notify the DPBI or affected Data Principals of a breach attracts up to INR 200 crore. Non-compliance specific to Significant Data Fiduciaries (SDFs), entities designated by the Central Government based on the volume and sensitivity of data processed, attracts up to INR 150 crore. General violations attract up to INR 50 crore. The DPDP Act provides no cure period: the DPBI may impose penalties from the first instance of established non-compliance, subject to the right to be heard. Appeals lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days of the DPBI order, and further to the Supreme Court of India.
| Obligation | Requirement | Applies To |
|---|---|---|
| Consent & Notice | Standalone notice in plain language; available in all 22 Scheduled languages of India; consent must be free, specific, informed, and unambiguous (Rule 3, DPDP Rules 2025) | All Data Fiduciaries |
| Breach Notification | Notify the DPBI and affected Data Principals upon a personal data breach; penalty up to ₹200 crore for failure to notify (s.8, DPDP Act) | All Data Fiduciaries |
| Data Erasure | Erase personal data once the stated purpose is fulfilled or consent is withdrawn; automated lifecycle management required | All Data Fiduciaries |
| Children’s Data | Verifiable parental consent before processing; prohibition on tracking or behavioural monitoring of minors (s.9, DPDP Act) | All Data Fiduciaries |
| DPO & Audit | India-resident Data Protection Officer; periodic DPIA; independent audit; reporting of significant gaps to DPBI (s.10, DPDP Act) | Significant Data Fiduciaries (SDFs) only |
| Cross-Border Transfers | Transfers permitted to MeitY-whitelisted countries only; Transfer Impact Assessments required for non-whitelisted jurisdictions | SDFs (heightened obligation) |
The EU AI Act: A Risk-Stratified Framework Now Activating
The EU AI Act operates on a different conceptual plane from the DPDP Act. Where the DPDP Act governs the processing of personal data, the EU AI Act governs AI systems by the nature and magnitude of the risk they pose, irrespective of whether personal data is involved. An AI-driven credit-scoring algorithm processing no personal data may still qualify as a high-risk system under Annex III. Conversely, a database of employee records may trigger full DPDP obligations without engaging any EU AI Act requirement. The two instruments can and frequently do overlap, but their core obligations are legally distinct and require separate compliance exercises.
The Act’s phased implementation is now substantially underway. Since 2 February 2025, AI systems posing unacceptable risks are prohibited outright under Article 5. These include real-time remote biometric identification systems in public spaces, subject to narrow law enforcement exceptions; social scoring by public authorities; emotion recognition in workplaces and educational institutions; and AI that exploits psychological vulnerabilities to distort individual behaviour. Since 2 August 2025, General Purpose AI (GPAI) model providers are subject to transparency, technical documentation, copyright compliance, and systemic risk obligations under Chapter V. The EU AI Office has published a GPAI Code of Practice which, while technically voluntary, creates a presumption of regulatory conformity for signatories.
The most consequential pending deadline for Indian enterprises is 2 August 2026, when high-risk AI system obligations under Annex III apply to standalone use cases, including employment and recruitment tools, credit scoring, access to essential services, and biometric categorisation systems. The European Commission proposed deferring this deadline through the Digital Omnibus Package on AI, published November 2025. However, the second political trilogue between the European Parliament, the Council of the EU, and the Commission on 28 April 2026 ended without agreement. Until the Omnibus is formally adopted, the 2 August 2026 deadline stands as originally enacted. Organisations must plan and execute compliance against that date and cannot rely on a deferral that has not yet materialised.
| Date | Provisions in Force | Impact on Indian Entities |
|---|---|---|
| 2 Feb 2025 | Prohibited AI practices operative: real-time biometric identification in public spaces, social scoring by public authorities, emotion recognition in workplaces and educational institutions, manipulation of vulnerable groups (Art. 5, EU AI Act) | Immediate withdrawal of in-scope systems serving EU users; no transitional relief available |
| 2 Aug 2025 | GPAI model obligations apply: transparency, technical documentation, copyright compliance, systemic risk assessment for models above 10^25 FLOPs training compute (Ch. V, EU AI Act) | Indian GPAI providers and deployers serving the EU market must comply; GPAI Code of Practice creates presumption of conformity for signatories |
| 2 Aug 2026 | High-risk AI systems under Annex III: standalone uses including recruitment, credit scoring, biometric categorisation, and critical infrastructure management. Digital Omnibus deferral unresolved as of May 2026; original deadline stands | Conformity assessments, CE marking, EU AI database registration, and post-market monitoring mandatory for Indian IT, BPO, and SaaS companies supplying high-risk AI to EU clients |
| 2 Aug 2027 | High-risk AI systems embedded in regulated products (Annex II); GPAI models placed on the EU market before August 2025 | Extended transition period applies; continuous post-market monitoring and incident reporting mandatory from this date |
India’s Approach to AI Governance: Principles Over Prescription
Unlike the EU, India has not enacted a standalone AI statute. MeitY’s AI Governance Guidelines adopt a principles-based posture, emphasising responsible, safe, inclusive, and trustworthy AI, without embedding enforcement directly within the guidelines themselves. India relies instead on existing legal instruments: the DPDP Act for data-related AI harms; cybersecurity obligations under CERT-In directions; sector-specific oversight from the Reserve Bank of India for financial services AI, IRDAI for insurance, and TRAI for telecommunications; and consumer protection law for AI-driven deceptive commercial practices under the Consumer Protection Act, 2019.
This is a deliberate regulatory choice, not a legislative gap. Entities classified as SDFs under the DPDP Act are already subject to algorithmic risk verification and periodic reporting of significant observations to the DPBI, meaning the Act functions as partial AI governance without requiring a separate statute. The practical consequence for compliance teams is that the absence of a dedicated domestic AI Act does not equate to the absence of AI-related regulatory exposure. The DPDP Act’s SDF obligations already reach algorithmic processing, and sector regulators are progressively issuing AI-specific guidance within their domains.
Where the Two Regimes Converge for Indian Enterprises
For Indian enterprises, the most operationally demanding intersection of the two frameworks lies in AI systems that simultaneously process personal data of Indian residents and are deployed in, or offer outputs to, the EU market. Three categories of Indian enterprise are particularly exposed.
IT Services and BPO Companies supplying AI-powered recruitment, performance evaluation, or worker monitoring tools to European clients simultaneously fall within Annex III of the EU AI Act (employment and worker management, applicable from August 2026) and within the DPDP Act’s scope if those systems process personal data of Indian residents.
Fintech and Credit Platforms using machine learning for credit risk assessment of Indian users on behalf of European financial institutions may engage Annex III high-risk AI obligations alongside DPDP consent, security, and SDF requirements simultaneously.
Health-tech SaaS Companies processing sensitive health data of Indian users while offering AI-assisted diagnostics or triage tools to EU healthcare providers engage both the DPDP Act’s heightened obligations for sensitive data and potentially the EU AI Act’s Annex III classification for AI systems used in access to essential services.
The critical structural point is that a Data Protection Impact Assessment (DPIA) prepared for DPDP compliance does not substitute for a conformity assessment under the EU AI Act. The DPDP DPIA is concerned with the risks of data processing to Data Principals. The EU AI Act conformity assessment is concerned with AI system design, training data governance, error rates, human oversight mechanisms, and post-market monitoring protocols. These exercises have different documentary requirements, different institutional audiences, and different legal consequences.
Conclusion
The DPDP Act and the EU AI Act together represent the most significant dual compliance challenge for Indian enterprises since the Information Technology Act 2000. The DPDP Rules 2025 have activated the enforcement clock with a hard deadline of 13 May 2027 and no cure period thereafter. The EU AI Act’s high-risk AI provisions are due to activate in August 2026, with the Digital Omnibus deferral unresolved as at the date of this publication. The organisations that build genuinely distinct, legally sound compliance programmes for each regime, grounded in accurate statutory reading rather than analogical retrofitting, will not only manage the financial exposure both laws carry but will position themselves as trusted partners in a global market that is increasingly selecting vendors on the quality of their data governance and AI accountability frameworks. The window for proactive compliance is open, but it is narrowing.