Summary statistics
Overlaps: 2 · Conflicts: 0 · Gaps: 2
4 article-level crossrefs catalogued between AI Act and Data Act from the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.
All crossrefs between these regulations
| Article (A) | Article (B) | Type | Severity | Description |
|---|---|---|---|---|
| AI Act Art 10 | Data Act Art 18 | overlap | low | [entity affected: provider] Both regulations require data holders/providers to handle personal data with specific privacy safeguards, such as anonymization or pseudonymization, when processing or shar |
| AI Act Art 12 | Data Act Art 11 | overlap | low | [entity affected: provider] Both regulations impose obligations on providers to maintain technical and organizational measures for data security and integrity, including logging and protection against |
| AI Act Art ? | Data Act Art ? | gap | medium | [entity affected: provider] Neither regulation explicitly defines the compliance obligations for AI systems that generate synthetic data which is then used as training data for other AI systems, creat |
| AI Act Art ? | Data Act Art ? | gap | high | [entity affected: public sector body] There is no clear guidance on how public sector bodies should reconcile the Data Act's requirement to erase data when no longer necessary with the AI Act's requir |
Overlaps explained
No conflict-type crossrefs were catalogued for this pair, but the 2 overlaps below mean a single control can be designed to satisfy both regulations at once. Plan the controls jointly to avoid duplicate effort:
- AI Act Art 10 vs Data Act Art 18 (low severity) — [entity affected: provider] Both regulations require data holders/providers to handle personal data with specific privacy safeguards, such as anonymization or pseudonymization, when processing or sharing data.
- AI Act Art 12 vs Data Act Art 11 (low severity) — [entity affected: provider] Both regulations impose obligations on providers to maintain technical and organizational measures for data security and integrity, including logging and protection against unauthorized alteration.
Which regulation takes precedence
EU law does not lay down a universal precedence rule between AI Act and Data Act. In practice three resolution approaches apply: lex specialis (the more specific provision wins when both purport to govern the same conduct); regulator guidance (EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles — check the most recent applicable opinion); and document the choice (when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence). Where the corpus surfaces a conflict rather than an overlap, treat that as an escalation path to legal — not a control-design question.
What this means for your compliance team
Treat the 2 overlaps as design opportunities — one control, two regulatory anchors. Treat the 0 conflicts as escalation paths to legal: the regulations themselves don't resolve them, you do, and you document the reasoning. The 2 gaps point at scenarios where one regulation is silent while the other speaks — assume the regulator who has the explicit rule will win.
Related Fontvera pages
- ai act art 17 provider obligations
- ai act art 70 commission obligations
- ai act authorized representative
- ai act automotive
Check your full compliance exposure with the 5-minute Fontvera diagnostic →