The EU AI Act and Cookie Consent in 2026: How Profiling, Recommender Systems, and Targeted Advertising Sit in the New Regulatory Stack

The EU AI Act (Regulation 2024/1689) entered into force in August 2024, with its provisions phased in over a multi-year rollout. The prohibited-practices rules took effect in February 2025, the general-purpose AI obligations in August 2025, and the bulk of the high-risk system obligations come into force during 2026 and into 2027. By the opening of 2026, the AI Act is no longer a future-state concern — it is an operating regulation that layers on top of the GDPR for any system that uses AI to profile, score, or rank EU users. For publishers running recommender systems, advertisers running personalization engines, and ad-tech vendors running automated audience scoring, the AI Act adds a new compliance dimension that the GDPR alone never covered: not just whether the user consented to the data processing, but whether the AI system itself meets the design, transparency, oversight, and accountability requirements of the Act. This guide walks through the AI Act's structure, how it intersects with cookie consent and GDPR profiling rules, what the 2026 obligations actually require, and how publishers and advertisers should be thinking about the combined GDPR-plus-AI-Act compliance surface.

The Structure of the AI Act in 2026

The AI Act is the world's first comprehensive horizontal regulation of artificial intelligence. Its risk-tiered architecture is the key to understanding which obligations apply to which systems.

The Risk Tiers

The Act sorts AI systems into four tiers based on the risk they pose: unacceptable risk (the prohibited practices), high risk, limited risk (subject mainly to transparency obligations), and minimal risk, which carries no specific obligations under the Act.

Where Advertising and Recommender Systems Sit

Most advertising-facing AI — audience scoring, programmatic bidding optimization, content recommenders, personalization engines — sits in the limited-risk tier rather than the high-risk tier. This sounds like a relief, but the limited-risk tier still carries meaningful transparency obligations, and several edge cases push specific systems into higher tiers. Critically, the prohibited-practices rules can reach advertising systems if they cross into manipulation or exploitation territory, and the EDPB has signaled willingness to interpret these provisions broadly.

The Phasing

The 2026 calendar matters: the high-risk obligations for new systems come into force in August 2026, the high-risk obligations for systems already on the market come into force in 2027, and the general-purpose AI provider obligations are already in force. Publishers and advertisers should map their AI inventory against this calendar to know which obligations apply when.

How the AI Act Layers on Top of the GDPR

The AI Act does not replace the GDPR. It sits on top of it. A system that processes personal data to produce AI-driven outputs has to satisfy both regimes, and the obligations are additive rather than alternative.

The GDPR Layer

The GDPR continues to govern the lawfulness of personal data processing. Consent for advertising profiling, lawful basis for measurement, the data subject rights cluster, the cross-border transfer obligations — all of these continue to apply unchanged.

The AI Act Layer

On top of the GDPR, the AI Act adds obligations specifically about the AI system itself: how it was trained, what data went into training, how its outputs are documented, what oversight mechanisms exist, what transparency the user receives. These obligations attach to the AI system regardless of whether the underlying data processing is consent-based, contract-based, or some other lawful basis.

The Practical Implication

A publisher running a content recommender on personal data needs both a valid GDPR lawful basis for the data processing and a compliant transparency disclosure under the AI Act. Either alone is insufficient. The compliance surface is now genuinely two-dimensional, and the documentation chain has to cover both axes.

Prohibited Practices and Advertising

The Act's prohibited-practices list is short but consequential, and several entries have implications for advertising design.

Manipulative Techniques

The Act prohibits AI systems that deploy subliminal or manipulative techniques, or that exploit the vulnerabilities of specific groups, in ways likely to cause significant harm. Most advertising design does not approach this line, but advertising that targets identified vulnerabilities (financial distress, mental health states, addiction patterns) using AI-driven profiling could cross it. The EDPB has flagged this in early guidance.

Biometric Categorization

The Act prohibits biometric categorization that infers sensitive attributes such as race, political opinion, trade union membership, religious belief, sexual life, or sexual orientation. Audience segments built from biometric data that infer these attributes are now in prohibited territory.

Emotion Recognition in Specific Contexts

Emotion recognition is prohibited in workplace and educational contexts. Advertising emotion-detection use cases outside those contexts may still be permissible but face heightened scrutiny.

Limited-Risk Transparency Obligations

This is where the bulk of the publisher and advertiser AI Act compliance work sits in 2026.

The Recommender System Disclosure

Content recommenders that personalize what users see — whether on a publisher's homepage, in an in-app feed, or in a programmatic ad placement — fall under the limited-risk tier. Users must be informed that they are interacting with an AI system, and the system must be designed so the AI nature of the interaction is clear.

The Chatbot Disclosure

Any AI system that interacts directly with users in conversational form must disclose its AI nature. Publishers and advertisers running AI chat interfaces — for customer support, content discovery, or any other purpose — need to satisfy this baseline.

The Synthetic Content Disclosure

AI-generated images, audio, video, and text content must be marked as such. Publishers using AI-generated visuals or text in editorial content, advertising creative, or product imagery need to apply the marking obligations. The 2026 implementation guidance has clarified the technical specifications for marking, including watermarking standards for visual content.

The Combined Consent Surface in 2026

The CMP and the privacy notice now have to do work for both regimes. The 2026 publisher CMP looks meaningfully more elaborate than its 2024 predecessor.

Granular Consent Purposes

The CMP exposes consent purposes that distinguish between general advertising, profiling for advertising, automated decision-making, and recommender personalization. Each maps to a specific AI Act and GDPR boundary, and each requires its own affirmative consent.

AI System Disclosures

The privacy notice or a companion AI disclosure document describes the AI systems in use, their purposes, the categories of input data, the broad logic of the outputs, and the human oversight mechanisms in place. This is more than the GDPR Article 22 automated-decision disclosure — it is a fuller AI transparency story.

The Right to Object

The GDPR's right to object to profiling continues to apply, and the AI Act adds further user rights around AI-driven recommender personalization. Users can opt out of recommender personalization without losing access to the underlying service, and the opt-out has to be at least as easy as the opt-in.

Operational Patterns That Work in 2026

Publishers and advertisers running mature 2026 programs are converging on a few operational patterns.

The AI Inventory

Maintain a live inventory of every AI system in use across the publisher or advertiser stack: the system, its risk tier under the Act, the personal data it processes, its lawful basis under the GDPR, the transparency disclosures applied to it, and the human oversight in place. This is the foundational compliance artifact and is what regulators will ask to see first.

The Combined Privacy Notice

A single combined privacy and AI transparency notice — Portuguese, German, French, or whichever language is appropriate for the audience — that addresses both the GDPR and the AI Act obligations in a coherent narrative. Trying to maintain two separate disclosures invites contradictions and reader confusion.

The Vendor AI Audit

For every advertising or analytics vendor processing AI-driven outputs on the publisher's behalf, the contract must address AI Act allocation of obligations, technical documentation access, and incident notification. Standard data processing agreements from 2023 do not address the AI Act and need to be refreshed.

Penalties and Enforcement Posture

The AI Act introduces a tiered penalty regime with administrative fines that can exceed the GDPR's maximums.

The Penalty Tiers

The Enforcement Architecture

Each Member State designates national competent authorities for AI Act enforcement, and the European AI Office coordinates supervision of general-purpose AI models. Enforcement against publishers and advertisers will primarily run through the national authorities, often in close coordination with the existing data protection authorities. The first significant AI Act enforcement actions are expected through 2026 as the high-risk obligations come fully into force.

Audit Checklist for AI-Driven Advertising in 2026

The 2026 Outlook

The AI Act does not replace the GDPR — it stacks on top of it, and the combined surface is meaningfully more elaborate than either regime alone. For publishers and advertisers running AI-driven personalization, profiling, recommender systems, or generative content, 2026 is the year the compliance architecture has to mature beyond a pure GDPR posture. The ones treating the AI Act as a future-state concern will find the future arrives faster than expected, with national authorities issuing their first enforcement actions through 2026 and into 2027. The ones building combined compliance from the start will find the architecture pays back: the AI Act's transparency obligations, well-implemented, also strengthen the GDPR consent and trust story, and the operational discipline of maintaining a live AI inventory turns out to be useful well beyond regulatory compliance.
