How the EU AI Act and India’s DPDP Act are writing the rules of trustworthy AI governance — together.

In boardrooms and risk committees across industries, a question is quietly becoming unavoidable: can we prove that our AI systems are trustworthy? Not just functional, not just profitable, but trustworthy in ways that regulators can verify, customers can act on, and boards can be held accountable for.

Two landmark frameworks are now demanding that answer in writing. The EU AI Act, in force since August 2024 with its obligations phasing in through 2027, governs what AI systems can do and holds providers and deployers legally accountable for the outcomes those systems produce. India's Digital Personal Data Protection Act, 2023, whose rules are being notified in stages, governs the personal data that powers those systems. Together, they form a closed governance loop: one regulates the input, the other the decision made from it. For any organisation operating across Europe and India, treating them as two separate compliance programmes is not just inefficient. It is a strategic mistake.

The Insight Most Organisations Miss

The surface differences between the two laws are real. The EU AI Act is risk-proportionate, classifying AI systems from minimal risk through limited and high risk to outright prohibited, with fines reaching €35 million or 7% of global annual turnover, whichever is higher, for the most serious violations. India's DPDP Act is consent-driven, positioning individuals as data principals with enforceable rights against data fiduciaries, and carrying penalties of up to ₹250 crore per instance of non-compliance.

But beneath that surface, both converge on four shared pillars: transparency, consent and human oversight, board-level accountability, and individual rights. These are not accidental overlaps. They are the universal prerequisites of trustworthy AI.

Here is the insight that most compliance functions have not yet fully absorbed: satisfying one framework does significant heavy lifting for the other. An organisation with a genuinely DPDP-compliant consent architecture, with clear purpose specification and granular, withdrawable consent, has already produced much of the data-provenance and notice material that the EU AI Act's data governance and transparency obligations for high-risk systems call for. An organisation that has built human oversight into its high-risk AI workflows has already created the kind of governance structure that a DPDP data audit will look for. The overlap is real, and organisations that see it clearly can leverage it strategically.

These two laws were written in different rooms, for different political contexts. But they are converging on the same destination: a world where AI can be trusted.

The MeitY Dimension Nobody Is Talking About

Most global governance discussions focus on the EU AI Act and GDPR, and miss something significant about the Indian side of the equation.

India's Ministry of Electronics and Information Technology (MeitY), as the nodal authority behind both the DPDP Act and the IndiaAI Mission, is actively defining the practical operating boundaries for AI in India. Two obligations will prove decisive. First, the designation of Significant Data Fiduciaries, a category the Act reserves for organisations processing personal data at a volume or sensitivity the government considers high-risk, and which carries an India-based Data Protection Officer, an independent data auditor and periodic data protection impact assessments. For large platforms, those audits will necessarily reach the AI systems that process the data. Second, MeitY's evolving rules on cross-border data flows, which directly constrain how AI training data can move across jurisdictions.

Compliance with the DPDP Act alone will not be sufficient. MeitY's operational guidance will determine whether organisations are genuinely trusted actors in the Indian AI ecosystem, or merely technically compliant ones. The distinction will matter commercially, not just regulatorily.

Four Pillars, One Architecture

For organisations navigating both frameworks, the practical path forward is a unified governance architecture, not two parallel compliance programmes. That architecture sits on four pillars.

Transparency

Both frameworks demand that individuals know what is being done with their data and by the AI systems making decisions about them. The EU AI Act requires high-risk AI systems to be designed so that deployers can interpret their output and use it appropriately, with instructions for use, and requires people to be told when they are interacting with an AI system or reading AI-generated content. The DPDP Act requires clear, plain-language notices at the point of data collection, stating the purpose and how to withdraw. Together, these requirements make transparency a legal obligation, not a design preference, and leave much less room for the black-box deployment that has been the norm.

Consent and Human Oversight

The EU AI Act’s human oversight mandate and the DPDP Act’s consent framework are two sides of the same coin. One requires that a human can review and override AI decisions in high-stakes contexts. The other requires that a human agreed to their data being used in the first place. Both are fundamentally about keeping people in the loop as active participants with agency, not passive subjects. Most organisations have built their systems in the opposite direction, optimised for scale rather than human agency. Both laws require a structural rethink, not a compliance checkbox.

Board-Level Accountability

Both laws make it impossible for boards and C-suites to delegate compliance downward and walk away. The EU AI Act requires providers of high-risk AI to operate a documented quality management system and requires deployers to assign oversight to competent, trained staff with the authority to act; in practice neither survives without leadership ownership. The DPDP Act holds Significant Data Fiduciaries to audit and impact assessment obligations, and the Data Protection Officer it requires must be answerable to the board or an equivalent governing body. AI risk is not an IT risk. It is a business risk, a reputational risk, and a leadership risk.

Individual Rights

At the centre of both frameworks sits the individual. The EU AI Act’s foundation in fundamental rights means no commercial interest can justify an AI system that discriminates, manipulates, or exploits. The DPDP Act’s data principal framework gives individuals real, enforceable rights: to access their data, correct it, withdraw consent, and seek redressal when it is misused. Both frameworks are correctives to the same failure: organisations that optimised for data utility while treating individual rights as an afterthought.

Where the Friction Is Real

The thorniest compliance issue is AI training on personal data. The EU AI Act places significant obligations on providers regarding training datasets for high-risk systems, including data governance requirements and bias testing. The DPDP Act’s consent requirements raise a difficult question: did every individual whose data was used to train a model consent to that specific use?

For organisations that have acquired training datasets at scale, the honest answer is that many existing models cannot be made fully compliant with both frameworks without significant re-engineering of either the model or its data provenance documentation. That is not a reason to delay. It is precisely the reason to start now.

Cross-border data flows create a second tension. The DPDP Act permits transfers of Indian personal data abroad except to countries the Central Government has notified as restricted, subject to whatever further conditions the government specifies by rule. The EU AI Act, meanwhile, requires providers of high-risk systems to document their training datasets, including where the data came from. What must travel under the AI Act is documentation about the data rather than the personal data itself, which narrows the conflict but does not remove it: provenance records can themselves identify individuals, and the training data behind an EU-deployed model may still need to stay in India. Organisations will need to design data architectures that satisfy both constraints. It is not trivial. It is also not impossible, if designed for rather than retrofitted.


A Practical Playbook for Dual Compliance

For multinationals navigating both jurisdictions, a shared governance architecture means four practical commitments.

Appoint a Chief AI and Data Governance Officer, or an equivalent leadership role, that owns both AI risk and data protection at the executive level. The CISO who understands AI governance and its intersection with data privacy is unusually well-positioned for this role.

Build a unified data and AI inventory that maps personal data flows, AI system classifications, and risk levels in a single view. This is the foundation everything else sits on. Data mapping, impact assessments, and vendor governance can all be designed once to satisfy both frameworks.

Design consent architecture for the AI age, granular enough to cover AI training and inference as distinct purposes, not just traditional data collection, and able to honour withdrawal in the pipelines that consume the data.

Integrate human oversight into AI deployment workflows as a design principle, not an audit afterthought. For high-risk AI systems, human review checkpoints must be built into the process from the start.
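As an added illustration of the consent architecture described above and of the training-data friction discussed earlier (example code written for this edit, not from the original post), the following Python sketch records consent per purpose rather than per collection event, treats withdrawal as effective from its timestamp rather than retroactively, gates a training-data selection on consent that was active at run time, and emits a provenance manifest that a data auditor could check against the model's documentation. The purpose names, the ledger storage model and the sample principals and records are all constructed for the example and are not drawn from either statute.

```python
"""Purpose-scoped, withdrawable consent gating a training-data selection.

Added example with constructed data. The purpose vocabulary and the
append-only ledger are assumptions for illustration, not a standard.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Sequence

# Assumed purpose vocabulary. Consent to one purpose is never consent to another.
PURPOSE_SERVICE = "service_delivery"
PURPOSE_TRAINING = "model_training"


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        """Consent covers processing at `when` only between grant and withdrawal."""
        if when < self.granted_at:
            return False
        return self.withdrawn_at is None or when < self.withdrawn_at


class ConsentLedger:
    """Append-only register of purpose-scoped consents (assumed storage model)."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def grant(self, principal_id: str, purpose: str, at: datetime) -> None:
        self._records.append(ConsentRecord(principal_id, purpose, at))

    def withdraw(self, principal_id: str, purpose: str, at: datetime) -> None:
        # Withdrawal closes every open consent for that purpose; it does not
        # delete history, so earlier runs remain explainable.
        for rec in self._records:
            if (rec.principal_id == principal_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = at

    def permits(self, principal_id: str, purpose: str, when: datetime) -> bool:
        """Deny by default: no record for this exact purpose means no consent."""
        return any(
            rec.principal_id == principal_id and rec.purpose == purpose
            and rec.active_at(when)
            for rec in self._records
        )


@dataclass(frozen=True)
class TrainingRecord:
    principal_id: str
    record_id: str


def select_training_set(records: Sequence[TrainingRecord], ledger: ConsentLedger,
                        purpose: str, run_time: datetime):
    """Keep only records whose principal consented to `purpose` at `run_time`,
    and return a manifest binding the run to the exact records it used."""
    included = [r for r in records if ledger.permits(r.principal_id, purpose, run_time)]
    included_ids = sorted(r.record_id for r in included)
    digest = hashlib.sha256(json.dumps(included_ids).encode("utf-8")).hexdigest()
    manifest = {
        "purpose": purpose,
        "run_time": run_time.isoformat(),
        "included_record_ids": included_ids,
        "excluded_count": len(records) - len(included),
        "dataset_digest": digest,
    }
    return included, manifest


# Constructed sample data: four principals, one training record each.
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
DEMO_RECORDS = (
    TrainingRecord("alice", "rec-001"),  # consented to service and training
    TrainingRecord("bob", "rec-002"),    # service delivery only
    TrainingRecord("carol", "rec-003"),  # training consent, withdrawn 1 March
    TrainingRecord("dave", "rec-004"),   # no consent record at all
)


def build_demo_ledger() -> ConsentLedger:
    ledger = ConsentLedger()
    ledger.grant("alice", PURPOSE_SERVICE, T0)
    ledger.grant("alice", PURPOSE_TRAINING, T0)
    ledger.grant("bob", PURPOSE_SERVICE, T0)
    ledger.grant("carol", PURPOSE_TRAINING, T0)
    ledger.withdraw("carol", PURPOSE_TRAINING, datetime(2025, 3, 1, tzinfo=timezone.utc))
    return ledger


def run_demo():
    """Two training runs, one before and one after carol's withdrawal."""
    ledger = build_demo_ledger()
    feb = datetime(2025, 2, 1, tzinfo=timezone.utc)
    apr = datetime(2025, 4, 1, tzinfo=timezone.utc)
    _, run_feb = select_training_set(DEMO_RECORDS, ledger, PURPOSE_TRAINING, feb)
    _, run_apr = select_training_set(DEMO_RECORDS, ledger, PURPOSE_TRAINING, apr)
    return run_feb, run_apr


if __name__ == "__main__":
    for manifest in run_demo():
        print(json.dumps(manifest, indent=2))
```

Two design choices carry the governance point. The check is deny-by-default and keyed on the exact purpose, so bob's consent to service delivery never leaks into training, and dave, who has no record, is excluded without special casing. The February manifest shows carol lawfully included and the April manifest shows her excluded, with different dataset digests; that pair of records is the kind of provenance evidence the earlier section says existing models lack, and it is cheap to produce if the pipeline is built this way from the start.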

The Competitive Case

It would be easy to read the EU AI Act and the DPDP Act primarily as cost centres. That reading is both understandable and wrong.

AI systems that make opaque decisions in hiring, credit, or healthcare do not just cause harm to individuals. They destroy organisational credibility at a speed no communications strategy can match. Data collected without genuine consent does not just generate regulatory exposure. It breaks trust with customers and employees in ways that take years to rebuild. The cost of building governance in from the start is a fraction of the cost of retrofitting it after a public failure.

By 2027, AI governance is expected to be a standard component of ESG reporting. Boards that cannot demonstrate meaningful AI oversight will face investor and customer scrutiny in markets they currently take for granted. The organisations with genuine competitive advantage in AI deployment will not be those that waited for regulatory certainty. They will be those that built flexible, principled governance infrastructure now.

The organisations that will lead the AI age are not the ones that move fastest regardless of consequence. They are the ones that move confidently because their governance is sound.

Trust Is the New Morale

The EU AI Act and India’s DPDP Act are, at their core, trust restoration projects. They exist because technology moved faster than governance, because organisations optimised for scale while treating individual rights as a compliance afterthought, and because people were left without meaningful recourse when AI systems failed them or their data was misused.

But they are also an invitation. To build AI systems and data practices that people can actually trust. Not because a regulator demands it. Because trust is the precondition of everything else we want technology to do.

For leaders navigating this landscape: governance is not a constraint on AI strategy. It is the foundation of it. The frameworks converging across East and West are not asking organisations to slow down. They are asking us to build something that lasts. The window to do that proactively is narrowing. The question is not whether your organisation will comply. It is whether it will lead.

Disclaimer:

The post presents insights and reflections drawn from individual experience. The views expressed are my own and should not be attributed to or considered representative of any organizations, employers or institutions I am currently or have previously been associated with.
