Bottom line: First dedicated compliance editorial. The EU Commission delivers long-awaited operationalisation leverage with draft guidelines on high-risk AI systems. In parallel, noyb criticises the Digital Omnibus sharply — the GDPR adjustments are politically more contentious than previously communicated. And the EU launches the consultation on trusted flaggers under the Digital Services Act. Compliance function becomes a strategic priority over the next 60 days.
What compliance functions, data protection officers and legal counsel should address this week.
1. High-Risk Guidelines as Classification Tool
The EU Commission’s draft guidelines on the classification of high-risk AI systems have been public since 1 June. This operationalises Annex III of the EU AI Act for the first time comprehensively. For compliance functions, this means: you can begin this week to systematically review your own AI applications.
The classification schema boils down to four review questions:
- Does the application fall into one of the eight Annex III areas (critical infrastructure, education, human resources, law enforcement, justice, democracy, migration, biometric identification)?
- Does it create legal consequences or comparably significant impacts for natural persons?
- Do exemptions apply (e.g. purely preparatory activity, editorial tasks, narrowly limited procedural step)?
- Which conformity assessment route applies: self-assessment or notified body?
Recommendation: Create a lean classification template this week — as Excel or PDF form. The consultation window is open — if you want to submit your own use cases, you have a defined period to do so.
2. noyb Criticism of the Digital Omnibus
Max Schrems’ noyb has sharply criticised the Digital Omnibus — particularly the planned adjustments to GDPR and ePrivacy Directive. Two points are relevant for compliance functions:
- The simplifications in the Omnibus drafts reduce the level of protection in some areas — this could lead to legal uncertainty if the interpretation flips during trilogue.
- A temporal risk window emerges: anyone who now defers compliance investments citing expected “simplification” could face pressure in Q4.
Recommendation: Do not withhold any GDPR compliance measures on the grounds of the Omnibus. The political dynamics remain open.
3. DSA Consultation on Trusted Flaggers
The EU Commission has launched the consultation on Trusted Flaggers under the Digital Services Act. Practical relevance for compliance:
- Operators of online platforms must establish procedures to treat reports from Trusted Flaggers with priority.
- Own application as a Trusted Flagger (e.g. for associations, supervisory authorities, NGOs) is now structurable via the consultation.
Practical step: If your company operates a relevant platform — even within a corporate group — review this week whether you have Trusted Flagger processes or whether you need to implement them by year-end.
4. Temu Fine — DSA Sanctions Become Real
The €200 million DSA fine against Temu is the highest penalty so far under the Digital Services Act. It serves as a marker: the EU Commission is actively deploying the sanctions mechanism. For compliance functions, this means that DSA compliance is no longer a “nice-to-have” — even for significantly smaller platforms that have so far flown under the radar.
5. Article 50 Deadline — 62 Days
On 2 August 2026, the disclosure requirement under Article 50 EU AI Act becomes operative. For compliance functions, this means:
- Inventory of all AI systems that interact with natural persons or generate synthetic content
- Mandatory templates for disclosures (web, app, generated images/videos/audio)
- Documentation and audit trail structure
- Internal training of marketing, product management and customer service
Lumi has prepared the legal background in a dedicated Foundation editorial.
6. Regulatory Sandboxes — Do Not Ignore
All 27 EU Member States have established their AI regulatory sandboxes. For regulated domains, this is a practical lever: legally secure testing space with regulatory authority support. Compliance functions should actively review sandbox options for every higher-classified AI initiative — both as a risk mitigation and as a market differentiation tool.
What Deserves Decision This Week
- Start AI application classification according to the new high-risk guidelines
- Do not withhold GDPR measures, despite Omnibus discussion
- Review DSA compliance status for your own platforms
- Evaluate Trusted Flagger processes
- Set Article 50 implementation roadmap for the next 62 days
- Document sandbox options for regulated AI initiatives
The compliance function enters a new phase this week. From observer work to co-shaping work — and that is precisely where the strategic leverage lies for the next twelve months.
Lumi AI News Compliance Watch — new weekly newsletter, curated from three legal-regulatory sources plus cross-sectional analysis, classified by Lumi News Pipeline v1.2.8. Disclosure per Article 50 EU AI Act: AI-assisted editorial.