GDPR & AI Act Compliance

GDPR, AI Act, DSA, DMA and Data Act compliance: operational and concrete support.

Audit, documentation, data processing agreements, preparation for the AI Act timeline and anticipation of high-risk obligations.

Does your company process personal data of EU residents, develop or deploy AI systems, or operate on the European market? Regulatory obligations apply regardless of your country of establishment. PSL Avocat supports tech companies, SMEs and AI deployers in identifying their actual obligations and reaching concrete compliance, in French, English and Spanish.

Approach built on 15 years of in-house practice with ESA, OECD, ITER Organisation, CMA CGM and Automatic Data Processing.


PSL Avocat supports AI deployers, SaaS publishers and platforms in mapping their obligations, drafting contract documentation, negotiating LLM provider contracts and managing risks. Operational practice built on fifteen years of in-house advisory at international organisations (OECD, ESA, ITER Organization, ADP, CMA CGM). In French, English and Spanish.

Regulations covered
GDPR

General Data Protection Regulation (EU) 2016/679. Applicable to any company processing personal data of EU residents, regardless of location. Processing audit, documentation, processors, transfers outside the EU, management of data subjects' rights and incidents.

AI Act

European Regulation on artificial intelligence (EU) 2024/1689. In force progressively since 2024. Obligations apply based on the risk classification of your AI systems (unacceptable, high, limited, minimal). Mapping of systems concerned, technical documentation, conformity assessment, internal usage policies, client-facing FAQ on AI use and internal AI governance.

DSA & DMA

Digital Services Act (EU 2022/2065) and Digital Markets Act (EU 2022/1925). Obligations for digital platforms operating in the EU: content moderation, algorithmic transparency, interoperability. Applicability analysis and compliance implementation based on your business model.

Data Act & Data Governance Act

Data Act (EU 2023/2854). Rules on access to and sharing of data generated by connected products and related services. Contractual and organisational implications for IoT manufacturers, SaaS publishers tied to physical equipment and cloud providers.

TIMELINE

AI Act: phased application timeline

The AI Act has been entering into force progressively since February 2025. The political agreement of 7 May 2026 on the Digital Omnibus AI regulation reshapes the application calendar for high-risk system obligations, subject to formal adoption by the European Parliament and the Council and publication in the Official Journal of the European Union. Until that adoption is finalised, the reference calendar remains that of Regulation (EU) 2024/1689.

2 February 2025

Entry into application of Article 5 of Regulation (EU) 2024/1689 (prohibited AI practices) and of the AI literacy obligation (Article 4).

2 August 2025

Entry into application of obligations for general-purpose AI models (Chapter V) for models placed on the market from this date. Transition until 2 August 2027 for pre-existing models (Article 111(3)). European governance in place (AI Office, European Artificial Intelligence Board).

2 December 2027 (pending adoption)

Entry into application of obligations for high-risk AI systems listed in Annex III of Regulation (EU) 2024/1689, including biometrics, critical infrastructure, education and vocational training, employment and HR management, access to essential private services and essential public services and benefits, law enforcement, migration, asylum and border control, administration of justice and democratic processes, under the political agreement of 7 May 2026 on the regulation amending Regulation (EU) 2024/1689 (Digital Omnibus AI). Subject to formal adoption by the European Parliament and the Council of the EU and publication in the Official Journal of the European Union.

2 August 2028 (pending adoption)

Entry into application of obligations for AI systems integrated into products covered by Union harmonisation legislation (Article 6(1) of Regulation (EU) 2024/1689 and Annex I), including lifts, toys, machinery, radio equipment, medical devices, under the political agreement of 7 May 2026 on the Digital Omnibus AI. Subject to formal adoption.

DEPLOYERS

HR AI and ed-tech: the two sectors on the front line

HR AI tool providers and ed-tech publishers fall within two domains explicitly listed in Annex III of the AI Act (education and vocational training, employment and HR management). High-risk classification is likely for the majority of use cases. The deployer carries obligations distinct from those of the provider, in addition to the GDPR baseline.

Ed-tech

Adaptive learning platforms, automated scoring tools, AI tutors, exam monitoring systems, algorithmic guidance of learning pathways.

High-risk classification likely under Annex III for the majority of academic and university use cases.

Enhanced information to students and families, particularly where end users are minors (interaction between GDPR provisions on minors' data and AI Act transparency obligations).

Effective human oversight over any decision affecting assessment, guidance or selection.

LLM provider contracts reviewed to cascade deployer obligations downstream.

HR AI

Sourcing tools, application scoring, video interview analysis, algorithmic performance management, turnover prediction, schedule optimisation.

High-risk classification likely under Annex III (recruitment, HR management).

Fundamental rights impact assessment prior to deployment (Article 27 AI Act FRIA obligation).

Information to candidates and employees on the existence and logic of processing (GDPR Article 14 and AI Act Article 50 from 2 August 2026).

Bias audit and test register, in the wake of the Foundever ruling of the Audiencia Nacional (SAN 2867/2025, 4 July 2025), subject to appeal before the Tribunal Supremo.

Information and consultation of employee representatives (France-specific: information and consultation of the works council under Article L.2312-38 of the Labour Code; Spain: Article 64.4.d of the Estatuto de los Trabajadores as amended by Law 12/2021).

CASE LAW

Key decisions

Three decisions structuring current practice for AI deployers in France, Spain and at European level.

CJEU, Grand Chamber, 7 December 2023
C-634/21 · ECLI:EU:C:2023:957
SCHUFA Holding

Article 22 GDPR applies to algorithmic scores produced by a third party and used to underpin an automated individual decision, even where the user of the score is not the one who calculated it. Direct read-across for HR AI and ed-tech deployers relying on third-party scoring tools.

Audiencia Nacional, Sala de lo Social, 4 July 2025
SAN 2867/2025
Foundever

First Spanish ruling recognising the right of employee representatives to access the parameters of algorithms used in employment relations. Alignment between French and Spanish law on transparency of automated assessment and algorithmic career management tools.

Garante per la protezione dei dati personali (Italy), 20 December 2024
docweb 10085432 · fine of 15 million euros
OpenAI

First major GDPR sanction against a generative AI provider in Europe. The decision establishes that training a large language model constitutes processing of personal data in its own right, subject to identification of a legal basis, information of data subjects and incident management. Central reference for any third-party LLM deployer.

CYBERSECURITY

NIS2: cybersecurity for essential and important entities

Directive (EU) 2022/2555 (NIS2) extends cybersecurity obligations to a significant number of tech companies, particularly managed service providers, cloud services, marketplaces and SaaS publishers exceeding SME thresholds. Essential and important entity categories are defined in Annexes I and II of the Directive. The transposition deadline was 17 October 2024. As of 12 May 2026, France and Spain have not completed transposition. In France, the bill on critical infrastructure resilience and cybersecurity reinforcement is before Parliament, with enactment expected during 2026. In Spain, the preliminary bill on Cybersecurity Coordination and Governance is under parliamentary review. The European Commission issued a reasoned opinion against both Member States on 7 May 2025 for failure to notify. Affected companies are nonetheless exposed to the Directive's regime and its direct vertical effect for unconditional provisions, as well as to requirements from European counterparties already applying NIS2 standards in their procurement specifications.

SELF-CHECK

Are you in scope for NIS2?

Three binary questions. Three positive answers indicate likely applicability and justify a full analysis.

01

Does your activity fall within a sector listed in Annexes I or II of Directive 2022/2555 (energy, transport, banking, health, digital infrastructure, ICT managed services, cloud providers, marketplaces, search engines, social networks, manufacturing, research, etc.)?

02

Does your company reach the threshold of a medium or large enterprise (at least 50 employees or EUR 10 million annual turnover)? Certain entities are in scope regardless of size.

03

Are your services provided to at least one recipient established in the European Union?

Three positive answers: full analysis recommended (technical and organisational measures under Article 21, significant incident notification within 24 hours and final report within one month, management accountability).

IN PARALLEL

Related regulations

DORA, Regulation (EU) 2022/2554: digital operational resilience for financial entities and their critical ICT third-party service providers. Applicable since 17 January 2025.

Cyber Resilience Act, Regulation (EU) 2024/2847: cybersecurity requirements for products with digital elements placed on the EU market. Main obligations applicable from 11 December 2027.

eIDAS 2.0, Regulation (EU) 2024/1183: European digital identity framework and European Digital Identity Wallet. Progressive rollout through 2026.

Data Governance Act, Regulation (EU) 2022/868: governance of European data spaces, data intermediaries and data altruism organisations. Applicable since 24 September 2023.

PSL Avocat missions

Audit and gap analysis

Mapping of personal data processing activities and identification of GDPR gaps.

AI Act applicability analysis: classification of AI systems and corresponding obligations.

Review of existing processor agreements (DPAs, SCCs).

Documentation and compliance implementation

ROPA, privacy policy, legal notice, cookie policy.

Data processing agreements (DPAs) compliant with GDPR.

AI Act technical documentation: transparency notice, risk assessment.

Internal AI policy and AI governance.

Compliance by design

Embedding compliance into product and business processes from design stage.

Training of teams (sales, product, tech) on practical obligations.

Deployment of internal forms and compliance management tools.

Incident and request management

Procedure for data breach response (72-hour notification deadline under the GDPR).

Management of data subject rights requests (access, deletion, portability).

Frequently asked questions

My company is established outside the EU but sells to European clients. Does the GDPR apply?

Yes. The GDPR applies as soon as you target individuals residing in the EU, whether you are established in Europe or not.

How do I know if my AI system is subject to the AI Act?

The AI Act classifies AI systems based on their level of risk (unacceptable, high, limited, minimal). The classification determines the applicable obligations. A preliminary analysis quickly identifies what applies to your concrete situation.

What is the maximum penalty under the AI Act?

The AI Act provides three levels of administrative fines depending on the nature of the infringement. Placing on the market or use of an unacceptable-risk AI system (such as general-purpose social scoring or real-time facial recognition in public spaces for law enforcement) exposes the operator to fines of up to 35 million euros or 7% of annual worldwide turnover, whichever is higher. Non-compliance with obligations applicable to high-risk systems is sanctioned by fines of up to 15 million euros or 3% of turnover. Breaches of transparency obligations (notably for AI systems interacting with humans) may lead to fines of up to 7.5 million euros or 1.5% of turnover. For SMEs and start-ups, ceilings are calculated on effective turnover where this results in an amount lower than the fixed thresholds.

Our company is a deployer of a third-party LLM (OpenAI, Anthropic, Mistral). What are our obligations?

The deployer of an AI system carries obligations distinct from those of the provider. Main ones: use in accordance with the provider's instructions, adequate human oversight, information to users when AI interacts with them, traceability of outputs, residual risk management. For high-risk systems (such as recruitment, education, scoring), obligations are reinforced: impact assessment, registration, operator training. Mapping your use cases quickly calibrates your compliance programme.

We already have a data protection policy. Are we compliant?

Not necessarily. GDPR compliance does not boil down to a document published on a website. It involves internal organisation, contracts with your processors, management of data subjects' rights and incident response capability. A quick audit identifies actual gaps.

How long does GDPR compliance take?

For an SME or start-up, an initial operational compliance level can be reached in 4 to 8 weeks depending on the complexity of processing activities.

DSA and DMA: is my company a platform covered by these rules?

The DSA applies to all online platforms operating in the EU. The DMA applies only to gatekeepers (very large platforms designated by the Commission). A targeted analysis of your business model and audience identifies your obligations precisely.

Last updated 12 May 2026

Official texts

Regulation (EU) 2024/1689 (AI Act) on EUR-Lex
CNIL: AI and GDPR recommendations
EDPB: GDPR guidelines

Request a first call

Describe your need in a few lines. Response within 24 business hours.
