Summary statistics
Overlaps: 2 · Conflicts: 1 · Gaps: 1
4 article-level crossrefs are catalogued between the AI Act and the ePrivacy Directive in the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.
All crossrefs between these regulations
| Article (A) | Article (B) | Type | Severity | Description |
|---|---|---|---|---|
| AI Act Art 10 | ePrivacy Directive Art 5 | overlap | medium | [entity affected: provider] Both regulations require providers to implement technical and organizational measures to ensure data quality and security, with the AI Act focusing on bias/error reduction |
| AI Act Art 12 | ePrivacy Directive Art 6 | overlap | medium | [entity affected: provider] Both regulations mandate the recording and processing of data logs; the AI Act requires logging for high-risk AI system monitoring, while ePrivacy restricts traffic data pr |
| AI Act Art 19 | ePrivacy Directive Art 6 | conflict | high | [entity affected: provider] The AI Act requires providers to keep automatically generated logs for at least six months, whereas ePrivacy requires traffic data to be erased or anonymized as soon as it |
| AI Act Art ? | ePrivacy Directive Art ? | gap | medium | [entity affected: deployer] Neither regulation explicitly addresses the liability or compliance obligations for deployers of AI systems that process personal data via electronic communications network |
Conflicts explained
The 1 article-level conflict between the AI Act and the ePrivacy Directive means a control that satisfies one can pull the wrong way on the other:
- AI Act Art 19 vs ePrivacy Directive Art 6 — [entity affected: provider] The AI Act requires providers to keep automatically generated logs for at least six months, whereas ePrivacy requires traffic data to be erased or anonymized as soon as it is no longer needed for transmission, potentially creating a conflict if logs contain traffic data.
Which regulation takes precedence
EU law does not lay down a universal precedence rule between AI Act and ePrivacy Directive. In practice three resolution approaches apply: lex specialis (the more specific provision wins when both purport to govern the same conduct); regulator guidance (EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles — check the most recent applicable opinion); and document the choice (when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence). Where the corpus surfaces a conflict rather than an overlap, treat that as an escalation path to legal — not a control-design question.
What this means for your compliance team
Treat the 2 overlaps as design opportunities — one control, two regulatory anchors. Treat the 1 conflict as an escalation path to legal: the regulations themselves don't resolve it, you do, and you document the reasoning. The 1 gap points at a scenario where one regulation is silent while the other speaks — assume the regulator who has the explicit rule will win.