BUSHEY

EU AI Act. A Reality for All AI Users, wherever you are located.

EU AI Act and Australian privacy regulations driving stricter AI governance and compliance requirements

The EU AI Act entered into force on 1st August 2024 and introduces a risk-based framework whose obligations apply in phases:

  • Prohibitions on unacceptable-risk practices and the general provisions (including AI literacy duties) apply from 2nd February 2025.
  • General-purpose AI models face new obligations from 2nd August 2025.
  • High-risk AI systems listed in Annex III must comply from 2nd August 2026.
  • The remaining obligations, for high-risk AI embedded in products already covered by EU product-safety law and for general-purpose AI models that were on the market before August 2025, apply from 2nd August 2027.

You may be asking why this is relevant to us when we are not in the EU. The regulation has extraterritorial reach: if your AI system is placed on the EU market, or its output is used by people in the EU, compliance is not optional.

Key Compliance Demands

  • Risk classification – Every AI system is grouped into one of four tiers: unacceptable risk (prohibited), high-risk, limited-risk, or minimal-risk, and the obligations scale with the tier.
  • High-risk mandates – Providers must operate a risk management system, apply data governance to training data, maintain technical documentation and logging, design for human oversight, meet accuracy, robustness and cybersecurity requirements, and complete a conformity assessment before affixing the CE marking (the EU's conformity mark).
  • General-purpose AI obligations (from 2nd August 2025) – Technical documentation and transparency towards downstream providers, notification to the AI Office for models that present systemic risk, and participation in the voluntary Codes of Practice as a route to demonstrating compliance.
  • Transparency rules – Users must be told when they are interacting with an AI system, and AI-generated or manipulated content must be marked in a machine-readable, detectable form.

Penalties are steep: up to €35 million (about A$62 million) or 7% of worldwide annual turnover, whichever is higher, for prohibited practices, so a robust compliance strategy is critical.

Australia’s Privacy Shakeup

Australia introduced its most significant privacy reform in decades via the Privacy and Other Legislation Amendment Act 2024, which received royal assent on 10th December 2024. It is the first tranche of a longer reform programme, and several provisions commence on later dates.

Major Changes Include

  • Automated decision transparency – From 10th December 2026, privacy policies must disclose the kinds of personal information used in, and the kinds of decisions made by, automated decision-making that significantly affects individuals.
  • New privacy tort – From 10th June 2025, individuals can sue for serious invasions of privacy, creating direct litigation risk and reputational exposure.
  • Tiered penalties – Up to A$50 million, three times the benefit obtained, or 30% of adjusted turnover (whichever is greater) for serious or repeated interferences with privacy; the 2024 Act adds a mid-tier civil penalty capped at A$3.3 million for bodies corporate and an infringement-notice tier capped at A$330,000 for lesser contraventions.
  • Criminalising doxxing – New Criminal Code offences mean that maliciously publishing private information can incur prison terms and significant fines.
  • Children’s Online Privacy Code – The OAIC must develop a code by December 2026 to protect minors online, echoing international standards.
  • Stricter data security – The APP 11 “reasonable steps” obligation now expressly includes technical and organisational measures, and the Minister can make eligible data breach declarations to speed up information sharing after a breach. A right to erasure was agreed in principle but is deferred to a later tranche of reform.

A notable example: Australian Clinical Labs was recently ordered to pay A$5.8 million over its 2022 Medlab data breach, the first civil penalty ever imposed under the Privacy Act. Because the breach predates the reforms, it was assessed under the earlier, lower penalty regime; future cases will not be.

Spotlight on NSW Privacy

The Information and Privacy Commission NSW has published its regulatory priorities for 2025-2028, signalling targeted compliance campaigns and closer monitoring of NSW government entities.

Focus areas include:

  • Ensuring public agencies implement privacy-by-design in their systems and data practices.
  • Monitoring adherence to the state’s Government Information (Public Access) Act 2009 and its privacy legislation.
  • Proactive regulatory action on emerging risks, such as biometric technologies and other new technologies that affect personal privacy.

Any IT or AI-related project in NSW must now consider both national and state-level scrutiny.

What You Need to Know

As an IT change partner, we see our clients confronting three regulatory forces at once:

  1. Think global, act local – EU regulation requires AI transparency and safety. Australian law mandates data privacy, consent, and breach handling. NSW agencies face additional scrutiny under state privacy mandates.
  2. Revamp governance and documentation – Equip systems with risk registers, well-governed data pipelines, audit logs, and human oversight controls. Be ready to produce privacy impact assessments (PIAs) for Australian purposes and Data Protection Impact Assessments (DPIAs) for EU-facing systems.
  3. Enhance transparency – Make clear to users when they are interacting with an AI system. Ensure privacy policies disclose automated decision-making, and provide opt-outs or human review where AI makes significant determinations.
  4. Train, test, repeat – Invest in AI literacy and privacy awareness programmes. Audit your systems regularly. Use sandbox testing and real-world risk assessments in line with the regulation.
  5. Prepare for enforcement – Build breach response plans and tighten cybersecurity so you can act quickly when a data incident occurs. Be ready for penalties and public accountability.

“Rules get real” isn’t just a slogan; it’s a directive for IT and compliance leaders. The EU AI Act sets the global tone for trustworthy AI, while Australia, and NSW in particular, is hardening its defences around personal data.

For Bushey IT Change clients, this means turning regulation into an opportunity, one where trusted change management underpins compliance, trust, and innovative transformation.

We embed compliance into our service offerings rather than bolting it on as an afterthought, to protect you from hefty fines and to elevate your role as a trusted guardian in an increasingly regulated world. IT is no longer just about technology: a significant governance overhead now attaches to every project and operation we run.

This Bushey IT Change thought leadership piece explores how, in 2026, the EU AI Act and Australia’s new privacy laws are reshaping compliance, demanding transparency, risk management, and stronger data protections. For businesses, this means embedding governance and privacy-by-design into every AI and IT change initiative to avoid hefty penalties and build trust. (www.busheyitchange.com)

Bushey IT Change provides expert solutions to help enterprises manage complex IT transformations with confidence. Our services cover structured change management to reduce risk and ensure compliance, comprehensive project management for end-to-end governance and delivery, and seamless Data Centre migration to modern infrastructure with minimal disruption. We focus on designing and executing strategies that align with business objectives, leveraging proven methodologies and deep technical expertise to create secure, efficient, and future-ready IT environments.
