Blog
News

European AI regulation: a regulatory goose game?

Complying with the GDPR is a challenge for all businesses. A dedicated RGPD software allows you to automate your legal obligations, centralize the management of personal data and significantly reduce the risks of sanctions.

By
Alessandro Fiorentino
1
Min
Share this article
Computer system with human shadow
Summary
Heading 2

The European Artificial Intelligence Regulation (RIA), which has been in force since August 2024, constitutes a major advance in the regulation of digital technologies. It aims to regulate the uses of AI according to their level of risk, while guaranteeing the protection of fundamental rights and the safety of citizens.

The European AI regulation provided for the appointment of a competent national authority in each member country of the European Union on 2 August 2025. The French draft for the designation of authorities published on 9 September 2025 is based on a complex administrative architecture, based on a plural designation of competent national authorities, each responsible for a specific part of the system. This choice, which favors sectoral specialization, raises issues of coordination, readability and effectiveness for a text that no lawyer can describe as simple.

French governance: multiple authorities and roles

While the CNIL has been working on the subject since May 2023, has published good practice sheets and has already opened a dedicated service to analyze the various use cases and the various threats that this new technology could generate, the cleaver has fallen.

It is finally the DGCCRF which is expected to play the role of market surveillance authority, by ensuring the control of the AI systems put into circulation and by coordinating the actions of other regulators. La EDGE would be responsible for strategic coordination, in particular in the context of exchanges with European authorities. THEANSSI would intervene on the cybersecurity aspects of AI systems, in particular those integrated into critical infrastructures. The PerEn would provide transversal technical expertise, in particular for the evaluation of algorithms and the compliance of high-risk systems. La CNIL And theARCOM would be mobilized depending on the use case, in particular for systems involving personal data or audiovisual content.

This model, while technically relevant, could very well have been generated by a “prompt” from a myriad of meetings where everyone came to preach for their parish.

This multiplicity of regulators creates significant administrative complexity: overlaps of competences, extended processing times and legal uncertainty for economic operators.

Grey areas and concrete examples

  • Biometrics : the CNIL would be competent to supervise prohibited uses (biometric identification in real time in public spaces). Authorized but high-risk uses, such as facial recognition in airports or schools, fall under a shared monitoring, without a clearly identified one-stop shop
  • Critical infrastructures : ANSSI for cybersecurity, HFDS for national defense
  • Industrial equipment integrating AI : DGPR for pressure or gas vessels

For businesses, understand the distribution of roles under the European AI regulation is crucial to anticipate obligations and avoid legal risks.

An approach by risk level

The European AI regulation Introduce a classification by risk level, imposing increasing obligations on suppliers and users of AI systems:

Niveau de risque Exemples Obligations
Pratiques interdites Manipulation cognitive, notation sociale, inférence émotionnelle Interdiction totale
Haut risque Santé, éducation, justice, sécurité, biométrie autorisée Transparence, traçabilité, robustesse, supervision humaine
Risque minimal Chatbots, IA générative simple Codes de conduite volontaires, pas d’obligation contraignante
Niveau de risque Exemples Obligations
Pratiques interdites Manipulation cognitive, notation sociale, inférence émotionnelle Interdiction totale
Niveau de risque Exemples Obligations
Haut risque Santé, éducation, justice, sécurité, biométrie autorisée Transparence, traçabilité, robustesse, supervision humaine
Niveau de risque Exemples Obligations
Risque minimal Chatbots, IA générative simple Codes de conduite volontaires, pas d’obligation contraignante

RIA challenges

Juridical

  • Increased vigilance in the classification of systems
  • Complete documentation of compliance with European AI regulation

Economical

  • Regulation perceived as a A brake on innovation, especially for startups and SMEs
  • Significant technical and administrative compliance burden, often adapted to large groups

Societal

  • Objective: to establish a Trusted AI, respectful of fundamental rights and democratic values
  • Depends on cooperation between national authorities, sharing of expertise and legibility of the system for economic actors

Practical implementation for businesses

In a practical and practical way, public and private organizations must get started quickly: artificial intelligence is already present in many services and departments.

Recommended steps

  1. Map all the use cases of AI in the organization
  2. Evaluate benefits and risks
  3. Streamline compliance
  4. Initiate the AI systems registry :
    • List the models used
    • Ensure compliance according to the role taken and the level of risk, in accordance with European AI regulation

Once organizations can answer the questions “How and why is AI being used in our country?” , they are ready to document and secure their systems in accordance with European AI regulation.

Conclusion

The implementation of RIA in France illustrates the tensions between:

  • Regulation and innovation
  • Specialization and coordination
  • European ambition and national realities

The success of the framework will depend on the ability of the authorities to overcome administrative silos, simplify procedures and support actors towards a ethical, secure and competitive artificial intelligence, in accordance with the European AI regulation.

Article appeared in the magazine Archimag no. 388.

The latest news

Interviews

AI and GDPR compliance in health: feedback from Artic with Adequacy

Compliance with the GDPR and the AI Act is a major challenge for health and clinical research actors. In this exchange, Eve Lepicard and Sophie Malabous from the Artic association explain how the use of Adequacy compliance software allows them to structure their processing register in an agile way. Thanks to an educational interface and the support of Calixte Descamps, they transform regulatory constraints into concrete operational deliverables.

Calixte Descamps
GDPR compliance and best practices

AI in health: risks, AI Act compliance and GDPR challenges

The integration of AI in health imposes new compliance challenges related to the GDPR and the AI Act. While the ergonomics of the tools facilitate care, it should not lead to medical disempowerment. For DPOs and CISOs, the challenge is to guarantee effective human surveillance and data sovereignty in the face of legal and technical risks. Learn how to secure your AI deployments while respecting medical confidentiality.

Calixte Descamps
Secteur de la santé

AI Act et RGPD en santé : comment concilier les deux réglementations avec Adequacy ?

L'entrée en vigueur de l'IA Act ne doit pas être vue comme une contrainte supplémentaire mais comme une extension naturelle du RGPD, particulièrement dans le secteur de la santé où les systèmes sont souvent classés à haut risque. La réussite de cette double mise en conformité repose sur l’AIPD, pivot central permettant d'intégrer la transparence et la supervision humaine. Grâce à Adequacy, cette interopérabilité réglementaire devient un levier d'innovation éthique et de gain de temps opérationnel.

Calixte Descamps

They have trusted us for years

Used by over 10,000 legal entities

Discover Adequacy

One of our experts introduces Adequacy to you in a real situation.
Request a quote