The EU AI Act + your AI GTM stack: a 2027 audit map
A 7-point audit of where the EU AI Act and GDPR intersect with your AI GTM stack. AI SDRs, lead scoring, content disclosure, conversation intelligence, cold email and vendor due diligence.
TL;DR
There are seven places in your AI GTM stack that are either already non-compliant with the EU AI Act, will be by August 2026, or will be by December 2027 if the Digital Omnibus passes the trilogue. Your DPO will not find them. Your CMO definitely will not. This is the audit, by stack layer.
- Article 5 prohibited practices and Article 4 AI literacy obligations have been in force since February 2025.
- Article 50 transparency obligations (chatbot and AI-content disclosure) take effect August 2026.
- Annex III high-risk obligations take effect August 2026, with Digital Omnibus likely shifting parts to December 2027 (Council 13 March 2026; Parliament 569 votes in favour, 26 March 2026; trilogue ongoing).
- Article 99 fines reach €35M or 7% of global annual turnover, whichever is higher, for prohibited-AI violations.
Introduction
The EU AI Act is no longer a future regulatory event. It is a current contract risk on every AI vendor on your stack, a current disclosure obligation on every outbound email your AI agent sends, and a current liability surface for every European-deployed lead-scoring model.
This article is for the European B2B CMO, Head of Growth, RevOps lead and in-house counsel who needs an honest map of where the regulation touches their stack, without the law-firm-newsletter framing that summarises 200 pages of regulation into “consult your legal counsel”. The audit covers seven concrete points across your stack, the regulation that applies, the deadline that matters, and the practical mitigation.
We will be specific about Belgian, Dutch and German nuance because those three jurisdictions have the most divergent enforcement profiles in the EU. As Stijn Van Daele puts it from Falora’s perspective:
“EU compliance is not a constraint on autonomous GTM. It is the spec for what real autonomy needs to look like. Anything that does not pass the audit is not actually a Level 4 product. It is a Level 2 product that is about to attract a fine.”
The AI Act timeline that actually matters for GTM
The full Regulation (EU) 2024/1689 entered into force on 1 August 2024. Application is staggered. Five dates matter for B2B GTM teams.
February 2025. Article 5 prohibited practices in force. Includes social scoring, untargeted scraping of facial images, exploitation of vulnerabilities, predictive policing based solely on profiling, and emotion recognition in workplace and education contexts. Article 4 AI literacy obligation also in force. Every organisation deploying AI must ensure a sufficient level of AI literacy among the staff who operate it.
August 2025. General-Purpose AI Model (GPAI) obligations in force. Affects model providers (OpenAI, Anthropic, Google, Mistral, Meta) more than deployers, but creates downstream documentation obligations for vendors that build on top.
August 2026. Article 50 transparency obligations in force. AI-generated content must be detectable as such; chatbots must disclose AI nature; deepfakes must be labelled. Annex III high-risk system obligations in force for many use cases.
August 2027. Full applicability for AI systems integrated into products covered by EU harmonisation legislation (Annex I).
December 2027 (proposed). The Digital Omnibus, voted favourably by the European Parliament with 569 votes in favour on 26 March 2026 and passed by Council on 13 March 2026, is currently in trilogue. If adopted, it shifts certain Annex III categories to December 2027 and refines the high-risk classification methodology.
The implication for GTM teams is that August 2026 is the live deadline for the disclosure and transparency obligations that touch outbound, content and chatbots. Audit now, fix by Q2 2026.
Audit point 1: Your AI SDR or AI agent
The question: does the recipient of your AI-sent outbound know it was sent by AI?
Article 50 of the AI Act requires that natural persons interacting with AI systems be informed they are interacting with AI, and that AI-generated text published to inform the public on matters of public interest be labelled as such. The B2B cold-email case sits in a partially clarified perimeter: case law is still forming and the European Commission’s transparency guidelines are scheduled for Q3 2026. The conservative interpretation for B2B outbound is to include an explicit AI disclosure wherever the message is materially AI-generated and AI-sent.
Belgian, Dutch, French and German enforcement will diverge. Germany’s UWG and BGH case law set the strictest baseline: misleading commercial practices include omitting material information about the nature of a communication. France’s CNIL has signalled a permissive read where the message is genuinely informational and identifiable as commercial. Belgium and the Netherlands sit in between.
The mitigation for Falora customers and for any team running AI-driven outbound: include an AI disclosure footer for any message where the agent generated the body without per-message human approval, word the footer to match the actual workflow (“This message was drafted with AI assistance and reviewed by a human” only where a human did review it; otherwise “This message was drafted and sent by an AI assistant on behalf of [company]”), and document the workflow for the audit trail.
Audit point 2: Your lead scoring or intent data
The question: does your lead-scoring model take solely-automated decisions about individuals that have legal or similarly significant effect?
For most B2B lead scoring, the answer is no; a score that determines whether a sales rep gets a notification is not a decision with legal effect on the data subject. The score is a prioritisation signal, not a refusal of a service.
The boundary moves when the score determines access. If a lead score determines whether an individual gets onboarded to a free trial, gets pricing access, or is rejected from a programme entirely, the system likely falls under Article 22 GDPR (right not to be subject to solely-automated decisions with legal or similarly significant effect) and may approach Annex III high-risk classification under the EU AI Act.
The European Data Protection Board’s Opinion 28/2024 (18 December 2024) sets out the case-by-case framework: anonymity of the model output is not sufficient if individuals are re-identifiable in the input or downstream use; legitimate interest as the lawful basis requires a documented Legitimate Interest Assessment (LIA); the assessment must consider less-intrusive alternatives.
Mitigation: maintain a written LIA for any model that scores natural persons, document the human-in-the-loop layer that converts scores into decisions, and surface re-identification risk in the vendor due-diligence questionnaire.
Audit point 3: Your AI-generated content
The question: is the AI content you publish or send labelled and watermarked?
Article 50(2) requires providers of generative AI systems to ensure that outputs are marked in a machine-readable format and detectable as AI-generated. Deployers (your team using the model) have a transparency obligation when publishing AI-generated text on matters of public interest.
For B2B GTM, the practical applications are: AI-generated blog posts (transparency disclosure best practice; legal obligation for matters of public interest), AI-generated ad creatives (provenance metadata where the underlying tool supports it), AI-generated video where the human likeness is synthetic (deepfake labelling required), and AI-generated emails (Audit Point 1).
Mitigation: standardise an AI-content disclosure policy across your content stack now. Falora and most credible vendors now expose provenance metadata at the API level. Use it.
Audit point 4: Your conversation intelligence and call recording AI
The question: where is your call-recording AI deployed, and what does it analyse?
Three interlocking constraints apply. First, the Belgian wiretapping law (Article 314bis of the Belgian Penal Code) requires consent for recording private conversations; in commercial settings the case law accepts implicit consent on continuation after disclosure. Second, the EU AI Act Article 5(1)(f) prohibits emotion-recognition systems in the workplace, which means using Gong, Chorus, Avoma, Salesloft Conversations, Fathom or similar to infer the emotional state of internal sales staff is in the prohibited zone for EU-employed reps. Third, customer-side analysis (sentiment of the prospect) is permitted but subject to GDPR purpose limitation: the analysis must serve the purpose the recording was disclosed for.
Mitigation: configure your conversation intelligence vendor to disable emotion-recognition features for internal participants. Document the configuration. For Belgium specifically, ensure the call opener includes recording disclosure.
Audit point 5: Cold email under ePrivacy and GDPR
The question: under what lawful basis are you sending B2B cold email, and have you documented it?
Cold B2B email in the EU rests on legitimate interest (GDPR Article 6(1)(f)) plus the ePrivacy Directive’s national transpositions plus per-country B2B carve-outs. The patchwork is uncomfortable but workable.
Belgium: Article XII.13 of the Code of Economic Law allows opt-out B2B email to legal persons; opt-in required for natural persons. Practical implication: B2B-targeted cold email to a companyname.com address is generally permissible; targeted cold email to a clearly personal address is opt-in.
Netherlands: the Telecommunicatiewet (Article 11.7) extended the opt-in requirement to legal persons in 2009, so unsolicited B2B email needs prior consent unless there is an existing customer relationship or the company has published the address for that purpose.
France: more permissive for B2B; the CNIL’s position is that prospecting to professional addresses does not require prior consent, provided the message relates to the recipient’s professional function and every message offers an opt-out.
Germany: stricter; §7 UWG treats unsolicited commercial email as unreasonable harassment unless prior express consent exists (with a narrow existing-customer exception), and BGH case law applies this to B2B recipients.
GDPR Article 14 requires source disclosure: where the personal data was not collected from the data subject, the controller must provide the source within a reasonable period and, where the data is used to communicate with the data subject, at the latest at the time of the first communication. For cold email that means the first message.
Mitigation: maintain a per-country cold-email playbook with the lawful basis, the LIA, the source disclosure language, and the suppression list mechanism. The Belgian DPA’s guidance “AI Systems and the GDPR” (19 September 2024) is the closest-to-canonical interpretation for AI-driven outbound in Belgium.
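One way to operationalise the per-country playbook from this audit point together with the disclosure footer from Audit Point 1 is a pre-send gate that the agent must pass before a message leaves the system. The following is an added example, not Falora code or any vendor’s feature. The freemail list (as a stand-in for “clearly personal address”), the per-country rule table (an illustrative encoding of the summary above, to be replaced by counsel’s playbook), the footer wording and the audit-record layout are all assumptions; the sample messages are constructed.

```python
"""Pre-send compliance gate for AI-drafted B2B outbound (added example)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumption: footer wording for messages sent without per-message human approval.
AI_FOOTER = "This message was drafted and sent by an AI assistant on behalf of {org}"

# Assumption: a short freemail list stands in for "clearly personal address".
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}

# Assumption: illustrative encoding of the article's per-country summary.
# Value = situations in which sending without prior consent is acceptable.
OPT_OUT_ALLOWED = {
    "BE": {"legal_person"},                             # XII.13 CEL: natural persons opt-in
    "NL": {"existing_customer", "published_address"},   # Art. 11.7 Tw exceptions
    "FR": {"legal_person", "existing_customer"},        # professional addresses, opt-out offered
    "DE": {"existing_customer"},                        # §7 UWG: consent or existing customer
}


@dataclass
class Outbound:
    recipient: str
    country: str                    # ISO 3166-1 alpha-2 of the recipient
    body: str
    ai_generated: bool
    human_approved: bool            # per-message human approval before send
    has_consent: bool = False
    existing_customer: bool = False
    published_address: bool = False
    data_source: str | None = None  # None = data collected from the subject directly


@dataclass
class Decision:
    allowed: bool
    body: str
    reasons: list[str] = field(default_factory=list)
    audit: dict = field(default_factory=dict)


def suppression_set(emails: list[str]) -> set[str]:
    """Suppression list stored as SHA-256 of the lower-cased address."""
    return {hashlib.sha256(e.strip().lower().encode()).hexdigest() for e in emails}


def is_personal_address(email: str) -> bool:
    return email.rsplit("@", 1)[-1].lower() in FREEMAIL_DOMAINS


def lawful_to_send(msg: Outbound) -> tuple[bool, str]:
    """Return (ok, lawful-basis label) for the recipient's country."""
    if msg.has_consent:
        return True, "consent"
    situations = set()
    if not is_personal_address(msg.recipient):
        situations.add("legal_person")
    if msg.existing_customer:
        situations.add("existing_customer")
    if msg.published_address:
        situations.add("published_address")
    hit = situations & OPT_OUT_ALLOWED.get(msg.country.upper(), set())
    if hit:
        return True, f"legitimate_interest:{sorted(hit)[0]}"
    return False, "no lawful basis without prior consent"


def gate(msg: Outbound, suppression: set[str], sender_org: str = "Example Co") -> Decision:
    """Block on suppression, lawful basis and Art. 14; append the Art. 50 footer."""
    reasons: list[str] = []
    recipient_hash = hashlib.sha256(msg.recipient.lower().encode()).hexdigest()
    if recipient_hash in suppression:
        reasons.append("recipient on suppression list")
    ok, basis = lawful_to_send(msg)
    if not ok:
        reasons.append(f"{msg.country.upper()}: {basis}")
    body = msg.body
    # Art. 14: first contact must name the source when data was not collected from the subject.
    if msg.data_source and msg.data_source.lower() not in body.lower():
        reasons.append("GDPR Art. 14: source disclosure missing from first contact")
    disclosure_appended = False
    if msg.ai_generated and not msg.human_approved:
        footer = AI_FOOTER.format(org=sender_org)
        if footer not in body:
            body = f"{body}\n\n{footer}"
            disclosure_appended = True
    audit = {  # assumption: record layout for the LIA / Art. 50 audit trail
        "ts": datetime.now(timezone.utc).isoformat(),
        "recipient_sha256": recipient_hash,
        "country": msg.country.upper(),
        "lawful_basis": basis if ok else None,
        "ai_generated": msg.ai_generated,
        "human_approved": msg.human_approved,
        "disclosure_appended": disclosure_appended,
        "outcome": "sent" if not reasons else "blocked",
        "reasons": list(reasons),
    }
    return Decision(allowed=not reasons, body=body, reasons=reasons, audit=audit)


if __name__ == "__main__":
    # Constructed sample: Belgian corporate address, AI-drafted, not individually approved.
    demo = Outbound("anna@acme-example.be", "BE",
                    "Hi Anna, I found you via your public LinkedIn profile.",
                    ai_generated=True, human_approved=False,
                    data_source="your public LinkedIn profile")
    print(gate(demo, suppression_set(["old-lead@example.org"])))
```

The gate blocks rather than fixes when the lawful basis or the Article 14 source line is missing, because those are decisions the playbook owner must take, but it appends the disclosure footer itself, since that is mechanical and the audit record shows it was done. The suppression list holds hashes so the gate can be shared with vendors without exporting the underlying addresses.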
Audit point 6: AI literacy obligation
The question: does the staff operating your AI GTM tools have documented AI literacy?
Article 4 of the AI Act has been in force since February 2025. Every organisation deploying AI must ensure a sufficient level of AI literacy among the staff who operate it. There is no certification standard yet; the obligation is principle-based.
Practical implication: the marketing operations lead who deploys your AI SDR, the RevOps owner of the lead-scoring model, the customer success rep using AI summaries. All need documented AI literacy. The European Commission has signalled that “documented” includes recorded internal training; off-the-shelf certifications from credible providers (Anthropic, Microsoft, IBM, EIT Digital) are a good baseline.
Mitigation: stand up an internal AI literacy track, log completion, refresh annually. Falora customers receive a baseline literacy module on deployment.
Audit point 7: Vendor due diligence
The question: do your AI GTM vendor contracts contain the right warranties and information rights?
Five contract clauses are now table-stakes for any AI GTM vendor:
- AI Act compliance warranty; vendor warrants the system is conformity-assessed where required, that documentation is available on request, and that conformity is maintained throughout the term.
- Subprocessor disclosure; full list of model providers, data hosting, third-party data sources, with notification rights on changes.
- Training-data exclusion; explicit prohibition on using customer data to train models without separate consent.
- Article 50 disclosure tooling; vendor exposes AI-detection metadata and supports deployer disclosure obligations.
- Audit rights; annual or on-incident audit, with reasonable notice.
Mitigation: rebuild your vendor onboarding checklist around these five clauses. Cognism’s GDPR-compliant data positioning is the closest market precedent for what credible EU compliance posture looks like; your AI GTM vendors should match or exceed it.
What the Digital Omnibus changes
The Digital Omnibus (COM(2025) 836, 19 November 2025) is the European Commission’s package to simplify and reschedule parts of the AI Act and adjacent regulations. The Council adopted its position on 13 March 2026; the Parliament voted favourably with 569 in favour on 26 March 2026; trilogue is ongoing with adoption expected in June 2026.
The relevant changes for GTM teams: certain Annex III high-risk categories (notably some employment-adjacent and education-adjacent categories) shift to December 2027; the high-risk classification methodology gains a “significant role in decision-making” filter that may reduce false-positive high-risk classifications; and the obligations on deployers of GPAI models clarify that downstream deployment in standard SaaS contexts does not automatically inherit GPAI-provider obligations.
Net effect for B2B GTM: the August 2026 transparency-and-disclosure deadline holds. The high-risk perimeter narrows slightly, which is good for most lead-scoring deployments. The vendor due-diligence requirements gain clarity, which makes the contract checklist above more enforceable.
A 90-minute audit checklist
If you have 90 minutes and a notebook, here is the order. Each step takes 10–15 minutes.
- List every AI tool in your GTM stack. Tag each with its primary function (drafting, scoring, sending, analysing, recording).
- For each tool, identify the highest-risk action it can take without per-action human approval.
- Map each tool to the relevant audit point above (1–7).
- For each audit point, note current state (compliant, gap, unsure) and required mitigation.
- Flag every tool whose vendor contract is missing one of the five clauses in Audit Point 7.
- Identify the named owner for each gap and the due date (most should be Q2–Q3 2026).
- Schedule the AI literacy session for staff identified in Audit Point 6.
Charlie Cowan, author of AI for Revenue Teams, summarises the European baseline well:
“EU GTM teams that treat compliance as a feature, not a constraint, will out-execute teams that treat it as a checkbox in 18 months.”
Falora’s product position is that compliance-native is faster, not slower, because the audit work is amortised across deployments.
Conclusion
The EU AI Act is not a future risk. It is a current set of obligations with a hard August 2026 deadline for the parts that matter most to B2B GTM. The 7-point audit above is the work for the next two quarters. The vendor contracts are the work for the next renewal cycle.
The teams that do this audit early will pay a 10–15% premium for tooling that does not need to be replaced in 12 months, and will avoid the much larger cost of a non-compliant outbound motion that draws regulatory attention.
If you want a co-led audit (Falora plus a Belgian law firm partner), we run the 7-point review on real stacks each month. Book the EU AI Act compliance review →
Sources
- Regulation (EU) 2024/1689 on Artificial Intelligence (the EU AI Act)
- EDPB Opinion 28/2024 on AI and GDPR (18 December 2024)
- Belgian Data Protection Authority, AI Systems and the GDPR (19 September 2024)
- BIPT designation as Belgian AI Market Surveillance Authority
- Digital Omnibus, COM(2025) 836
- GDPR, Regulation (EU) 2016/679, Article 22
- Belgian Code of Economic Law, Article XII.13
- Cognism, GDPR-compliant B2B data positioning
Related reading on Falora
- The Autonomous GTM Maturity Model
- AI SDRs vs human SDRs: 7 conditions where AI loses
- Schaalbare B2B groei zonder bureau (NL)
- The anatomy of a GTM engineering system
About the author
Stijn Van Daele is co-founder of Falora and a partner at Stretch Innovation. He works with European B2B scale-ups on autonomous GTM and EU AI Act-conformant deployments. He writes on LinkedIn.