From GDPR to the EU AI Act.
Why the firms that built GDPR muscle between 2015 and 2018 are positioned to own the next compliance era — and why the window to move is open now.
"Regulations don't create good governance. They reveal whether you already had it." — Aissatou Ciré Diallo, MDM & Data Governance Program Manager
Between 2015 and 2018, the IT services firms of Northern Europe split into two groups without quite noticing it. One group was quietly putting its own data house in order — and, increasingly, helping clients do the same. The other was waiting to see whether GDPR would really bite. When 25 May 2018 arrived, the first group had a product to sell. The second had a problem to solve. Eight years on, the firms that turned GDPR readiness into a named practice in those years are still billing for it — at premium rates, with clients who find them very hard to leave.
We are watching the same split begin again, this time around the EU AI Act. The shape is familiar. The pace is faster. And the window to be in the first group is open now.
This piece is for the IT services firms positioned to be the calm in the storm — the ones with a mature GDPR practice, a client base in the regulated sectors the AI Act names, and competitors who have not yet connected what they already do to what the Act is about to require.
The firms that were ready, and the firms that weren't
GDPR did not invent data governance. It set a deadline for it. The disciplines the regulation demanded — knowing what data you hold, who is accountable for it, where it came from, how long you keep it — had been available to any organisation that wanted them for two decades. Most did not want them. They were unglamorous, carried no revenue, and were championed by people who sat in IT rather than in the boardroom.
On 25 May 2018, that two-decade choice came due all at once. Organisations that had treated governance as optional discovered the regulator's questions were not. The ones that had quietly done the work answered them in an afternoon. The ones that had not done the work spent the following eighteen months, and a great deal of money, building under deadline pressure what is far cheaper to build calmly.
For IT services firms, that split was a market. A firm with its own governance practice already in order — better still, one that had been quietly helping clients order theirs — was not selling a panic response. It was selling competence that already existed, at the precise moment the market would pay a premium for it. The firms that saw this between roughly 2016 and 2018 did not merely survive GDPR. They built a line of business on it that is still running, still profitable, and still difficult for a latecomer to dislodge. (The structural reason a practice like that is so hard to displace is the argument we set out in capacity versus continuity.)
The lesson is not that regulation is coming. Everyone knows regulation is coming. The lesson is that the value is captured in the gap between when a capability becomes buildable and when a regulation makes it mandatory — and that gap closes quietly, well before the deadline reaches the news.
The pattern is repeating
The EU AI Act is the next GDPR — close enough in shape that the lesson transfers cleanly. The differences are worth being precise about.
The Act entered into force on 1 August 2024 and applies in stages. The prohibitions on unacceptable-risk AI, and the Article 4 obligation that deployers ensure their staff have a sufficient level of AI literacy, have applied since 2 February 2025 — that training duty is a statutory requirement today, not a future one. Rules for general-purpose AI models followed in August 2025. The bulk of the Act applies from 2 August 2026.
The obligations for high-risk AI systems are the part still in motion. Under the original text they applied from August 2026; in May 2026 EU lawmakers reached a provisional agreement to postpone them — Annex III high-risk systems (biometrics, employment, credit scoring, public-sector functions) to December 2027, and high-risk AI inside regulated products to August 2028. That agreement is not yet formally adopted. The honest reading: the high-risk deadline is moving, but it is not disappearing — and a postponed deadline is a longer runway for the firms building the practice, not a reason to wait.
Article 10 of the Act is, in effect, a data-governance clause. It requires the datasets used to train, validate and test a high-risk system to be relevant, sufficiently representative and examined for bias, and it requires documentation of where that data came from and how it was prepared. An IT services firm reading that requirement is reading a description of GDPR-era work — pointed at model training data instead of customer records.
The penalties are tiered. Prohibited AI uses carry the headline ceiling of €35 million or 7% of global annual turnover. The high-risk obligations that govern data quality, documentation and oversight — Article 10 among them — sit one tier down, at €15 million or 3%. For comparison, GDPR's top tier is €20 million or 4%. So the AI Act is not simply "bigger fines." It is broader scope: more systems caught, a statutory training mandate, and — critically — accountability that does not transfer. Unlike a GDPR processor relationship, AI Act compliance does not let vendor conformity flow through to the deployer. A client using OpenAI's or Anthropic's APIs for a customer-facing decision system is independently accountable for Article 10, whatever conformity declaration the model vendor issues. Most clients today assume vendor compliance is enough. The first regulator visit will end that assumption.
The AI Act also does not arrive in isolation. The EU Data Act, in force since September 2025, pushes organisations to treat their data as portable — movable between cloud providers without losing control of it. The US CLOUD Act, meanwhile, lets US-headquartered providers be compelled to produce data they hold regardless of which country the servers sit in. A client running EU customer data on a US provider's infrastructure now has a question to answer that is as much about jurisdiction as about architecture. The regulatory surface around AI is widening, not narrowing.
What the window looks like
A few numbers worth holding in mind:
- €7.1 billion in cumulative GDPR fines since 2018, with roughly €1.2 billion issued in 2025 alone.
- €35 million or 7% of global turnover — the AI Act's headline ceiling, reserved for prohibited uses.
- €15 million or 3% — the ceiling for the high-risk obligations most IT services clients will actually face.
- 2 February 2025 — the date the AI-literacy obligation became enforceable. Already in force.
- 2 August 2026 — the date the bulk of the Act applies.
The fines make the headlines, but for most organisations they are not the largest cost. The larger cost is everything a fine implies: help procured in a hurry and at a premium, internal work paused to staff the response, client relationships that now open with an apology. The firms that governed their data before GDPR landed paid none of that — they answered the question and moved on. AI governance will reward the same foresight the same way.
The bridge
The most valuable thing we can offer any IT services firm reading this is the observation that the bridge from a data-governance practice to an AI-governance practice is shorter than it looks. Almost every competency required to deliver AI governance to a client is already in the firm — it is simply unnamed, unpackaged, and unpriced.
We have walked through the following ten-row evolution with the firms we have advised over the past eighteen months. The pattern is consistent: firms score four or five out of five on the left, one or two on the right. That gap is not a weakness. It is the work.
| Data governance — already deliver | AI governance — need to deliver |
|---|---|
| Data Quality Management | Model Reliability Prediction |
| Data Lineage Tracking | Bias Detection & Audit Trails |
| Access Controls | Ethical Use Boundaries |
| Data Cataloging | Model Registry & Discovery |
| Compliance Frameworks (GDPR) | Regulatory Readiness (EU AI Act) |
| Data Stewardship Roles | Model Ownership & Accountability |
| Schema Standards | Training Data Specifications |
| Versioning & Change Control | Model Drift Monitoring |
| Security & Encryption | Adversarial Defense |
| Data Quality Metrics | Explainability Requirements |
The transfer is not metaphorical. A firm that already maintains a data catalog for clients is most of the way to a model registry. A firm that documents data lineage is the same distance from defensible bias detection. Three rows are worth dwelling on, because they are the ones we see most consistently underdeveloped.
Data Lineage → Bias Detection & Audit Trails. Tracking where data came from extends naturally into tracking what decisions were made from it, and why. A regulator asking "show us how this AI decision was made" is asking the same kind of question as a regulator asking "show us where this personal data came from" in 2019.
Data Stewardship Roles → Model Ownership & Accountability. The named data steward — the person accountable for a data domain — has a direct AI counterpart in the named model owner. Most firms we see have not yet named the second role. When the AI deployment goes wrong, no one's phone rings.
Versioning & Change Control → Model Drift Monitoring. Software firms have versioning. AI deployments rarely have its equivalent — a system that detects when a model's behaviour has drifted from its calibrated baseline. The discipline is a test suite, not a one-off audit; we have written separately on why eval harnesses are the new test suite. The same infrastructure that catches a regression in a client's AI feature is the infrastructure that produces the evidence an Article 10 auditor will ask for.
The reason most firms have not crossed from the left column to the right is not capability. It is naming, packaging and pricing. The firms that name the bridge first will own it.
Why IT services firms are positioned for this
Three structural facts converge to make this moment significant for firms with a mature GDPR practice.
The language of governance is already in the firm. Lineage, stewardship, audit, classification, accountability: this is the daily vocabulary of any senior consultant who has delivered GDPR work. The AI Act uses the same vocabulary, applied to model artifacts rather than data artifacts. The conceptual translation takes hours, not months.
The client base is already exposed. Most boutique and mid-market IT services firms serve finance, healthcare, legal and other regulated sectors — exactly the sectors the AI Act names as likely high-risk. These clients will need AI-governance work whether or not their current partner offers it. If the existing partner doesn't, a specialist moves in. The retention math is straightforward.
The specialists have not yet emerged at scale. The boutiques competing for this work today are mostly generalist AI consultancies — firms that talk about prompt engineering, model selection, tool integration. Few speak the language of governance. Firms with GDPR heritage have a structural advantage in this segment, and that advantage is most valuable now, before the deadlines force every firm to compete for the same clients.
What the work looks like
The move from a mature data-governance practice to a named AI-governance service line is concrete work, not a positioning exercise. It is the construction of a handful of specific capabilities:

- An AI system inventory — a live register of every model, tool and agent in the organisation, including the shadow deployments leadership doesn't know about.
- A reusable eval-harness template for automated regression detection.
- An AI-literacy curriculum to satisfy Article 4, which a client will need every year.
- Governance documentation standards for Article 10.
- A vendor-risk assessment that tells a client which AI deployments are independently accountable and which vendor declarations they are over-relying on.
Each is a billable component. Together they constitute the service line. None of it is exotic. All of it is work that can begin this quarter.
What we propose
We are a boutique AI consultancy based in Bangkok. We work with firms across Southeast Asia and Europe on the parts of AI that don't show up in launch announcements — governance, evaluation, and the named failure modes that quietly break deployments. We are practitioners: we audit, we name, and we build.
We have been having the version of this conversation with mid-market IT services firms for months, and we have built it into a new offering: an AI Governance diagnostic. It is a focused audit — not a multi-month implementation. We map every AI touchpoint, across your own systems and a sample of your client engagements, against the five failure modes in our Pattern Library and the ten governance concepts above. You get back a written assessment, a remediation plan, and the seed of an AI Governance service line you can take to your own client base.
It is deliberately short. The point of a diagnostic is to tell you where you actually stand before you spend a krone building anything — the same principle behind everything else we do, which we set out in built with care, billed with clarity.
If your firm recognises the pattern, the lightest first step is a short AI advisory conversation — a single call to calibrate where the bridge is shortest for you. From there, the AI Governance diagnostic is the deeper pass. Either way: we hope this piece has named something useful — and we hope to read your version of it on the other side of the next compliance era.
— GrowBeyond Solutions, Bangkok
