The implementation of the EU Data Act and the Digital Omnibus on AI is forcing hardware manufacturers and AI developers to overhaul compliance frameworks. With fines reaching €35 million or 7% of annual turnover and new personal liability for executives, companies must adapt to strict transparency requirements and evolving data access laws.
How is the EU Data Act changing hardware compliance?
Hardware manufacturers are already modifying their systems to meet new regulatory standards. AVM, the Berlin-based router manufacturer, became one of the first major companies to respond to the EU Data Act. On July 5, 2026, the company released FritzOS 8.25, which introduced 25 new terms of use.
These updated rules cover several technical data points, including MAC addresses, provider identifiers, operating system versions, country settings, diagnostic information, and smart home data. AVM stated that this information will not be used for marketing purposes or shared with third parties.
Users retain the right to object to this data collection. However, AVM noted that while the router remains functional, certain individual services may face limitations if a user opts out of data collection.
What are the penalties for non-compliance with the Digital Omnibus on AI?
The EU Council passed the “Digital Omnibus on AI” on June 29, 2026, establishing strict compliance timelines and heavy financial consequences. Transparency obligations are set to take effect on August 2, 2026, with a transition period ending in early December. By December 2, 2026, specific deepfake applications will face outright bans.
High-risk AI systems must adhere to a longer compliance schedule. The following table outlines the mandatory deadlines for these systems:
| AI System Type | Compliance Deadline |
|---|---|
| Standalone High-Risk Systems | December 2027 |
| Embedded High-Risk Systems | August 2028 |
Violations carry significant financial risks. According to the EU Council, fines can reach up to €35 million or 7% of a company’s total worldwide annual turnover. Furthermore, the legislation introduces personal liability for corporate executives.
Will data protection oversight become simpler in Germany?
The fragmentation of data protection supervision in Germany has long been a point of contention for businesses. To address this, Hamburg has launched a Bundesrat initiative scheduled for discussion on July 10, 2026. The proposal suggests that companies and research institutions operating across multiple states should only have to deal with a single data protection authority.
Under this plan, the decisions made by that single authority would be binding nationwide. The initiative has received support from data protection commissioners in Berlin and Lower Saxony.
Additionally, the Vergabebeschleunigungsgesetz, which went into effect on July 1, 2026, aims to bolster digital sovereignty. This law allows public sector buyers to place higher importance on criteria such as data location during the procurement and tendering process.
How are ECJ rulings affecting GDPR access rights?
The European Court of Justice (ECJ) recently provided clarity on the limits of data access requests. In a ruling on March 19, 2026 (Case C-526/24), the court determined that an initial GDPR information request can be classified as excessive if it is submitted with an abusive intent to gain an advantage.
The court also clarified requirements for compensation. To claim damages, affected individuals must prove a concrete harm; the mere possibility or fear of harm is insufficient under the current ruling.
In Germany, these developments have sparked debate. A decision made on July 2, 2026, proposes linking access rights to a “legitimate interest” and calls for the redaction of names of administrative staff in government agencies. Former federal data protection officers have criticized these proposed changes, arguing they represent a step backward for transparency.
Is the EU-US Data Privacy Framework at risk?
Transatlantic data exchanges face new uncertainties. A recent US Supreme Court ruling regarding the independence of the Federal Trade Commission (FTC) could potentially jeopardize the EU-US Data Privacy Framework. Because the FTC serves as the primary supervisory authority for this agreement, its legal standing is critical to the continued flow of data between the two regions.

As regulatory landscapes shift, businesses are increasingly looking toward localized data solutions to ensure continuity.
Frequently Asked Questions
What is the maximum fine for violating AI regulations?
Companies can be fined up to €35 million or 7% of their total global annual turnover.
Can I opt out of AVM’s new data collection terms?
Yes, users can object to the collection of technical data, though some router services may have limited functionality as a result.
When do deepfake bans take effect in the EU?
Strict prohibitions on certain deepfake applications are scheduled to begin on December 2, 2026.
Stay updated on the latest regulatory changes. Subscribe to our newsletter or leave a comment below to share your thoughts on these new compliance requirements.
