Certified AI Practitioner

Module 8 · Responsible & Safe AI

The Global Regulatory Landscape: EU AI Act & India's DPDP

60 min

Learning objectives

  • Explain the EU AI Act's risk-based approach and what obligations attach to high-risk systems
  • Summarize what India's DPDP Act requires of organizations that process personal data
  • Recognize ISO/IEC 42001 as a voluntary AI management-system standard

Why regulation is now unavoidable

As AI moved into hiring, credit, healthcare, and policing, governments responded. The result is a fast-growing patchwork of laws. Two anchors every practitioner should know are the EU AI Act (the first comprehensive AI law) and India's DPDP Act (a major data-protection law). You do not need to be a lawyer, but you must know roughly what they require.

The EU AI Act: regulation by risk

The EU AI Act entered into force in August 2024 and its obligations phase in over several years: the prohibitions applied from February 2025, general-purpose AI obligations from August 2025, and most high-risk obligations from August 2026, with some high-risk systems embedded in already-regulated products following later. It regulates AI according to the risk it poses rather than the technology used: the higher the potential for harm, the heavier the obligations.

Risk tier, treatment, and examples:

  • Unacceptable: banned outright. Social scoring (by public or private actors); manipulative or deceptive systems that cause harm; untargeted scraping of facial images from the internet or CCTV footage to build recognition databases.
  • High: strict obligations before and after deployment. AI used in hiring and worker management, credit scoring, safety components of medical devices, management of critical infrastructure.
  • Limited: transparency duties. Chatbots must make clear that users are interacting with a machine; deepfakes and other synthetic content must be marked as AI-generated.
  • Minimal: largely unregulated. Spam filters, AI in video games.

  • High-risk systems require a risk-management system, data governance for training, validation and test data, technical documentation, automatic logging (record-keeping), human oversight, and an appropriate level of accuracy, robustness and cybersecurity.
  • Providers must demonstrate conformity (conformity assessment and CE marking) before placing a high-risk system on the market, and monitor it afterward (post-market monitoring and reporting of serious incidents).
  • General-purpose AI models carry transparency obligations (technical documentation, a copyright policy, a public summary of training content); models designated as posing systemic risk must additionally be evaluated and adversarially tested, with serious incidents reported and cybersecurity protections in place.
  • Penalties scale with the breach: up to EUR 35 million or 7% of worldwide annual turnover (whichever is higher) for prohibited practices, and up to EUR 15 million or 3% for most other obligations.

EU AI Act: The EU's risk-based AI regulation (in force 2024, phasing in 2026+) that classifies systems as unacceptable, high, limited, or minimal risk and assigns obligations accordingly.

India's DPDP Act, 2023

India's Digital Personal Data Protection Act is a data-protection law rather than an AI-specific law, but it governs the personal data that AI systems rely on. It frames the relationship as Data Principals (individuals) and Data Fiduciaries (organizations that decide how data is processed).

  • Processing of personal data requires either consent (free, specific, informed, and as easily withdrawn as given) or one of the Act's listed "certain legitimate uses", and only for the specified purpose.
  • Data Fiduciaries must implement reasonable security safeguards, erase personal data once its purpose is served or consent is withdrawn (unless retention is required by law), and notify the Data Protection Board of India and the affected Data Principals of a personal data breach.
  • Data Principals have rights to access information about their data, to correction and erasure, to grievance redressal, and to nominate someone to exercise these rights on their behalf.
  • Significant Data Fiduciaries (designated by the central government based on volume and sensitivity of data and risk to individuals) face extra duties: a Data Protection Officer based in India, an independent data auditor, and periodic Data Protection Impact Assessments.

DPDP Act: India's Digital Personal Data Protection Act, 2023, governing how Data Fiduciaries process the personal data of Data Principals.

Watch out

Do not assume one law covers everything. The EU AI Act regulates the AI system; DPDP and the EU's GDPR regulate the personal data feeding it. A single deployment can be subject to several regimes at once, depending on where users and data are located.

ISO/IEC 42001: a standard, not a law

ISO/IEC 42001 (published 2023) is the first international management-system standard for AI. It is voluntary but certifiable, and gives organizations a structured way to govern AI — defining roles, risk processes, and continual improvement. Adopting it can help demonstrate due diligence toward regulators and customers.

Laws (EU AI Act, DPDP) tell you what you must do; standards (ISO/IEC 42001) help you show how you do it. Together they form the backbone of an organization's compliance story.

Knowledge check

Quick practice — not part of your exam score.

Under the EU AI Act, an AI system used to screen job applicants is most likely classified as:

In India's DPDP Act, an organization that determines the purpose and means of processing personal data is called a:

Which statement about ISO/IEC 42001 is accurate?
