Technology and telecommunications | Artificial intelligence

On November 11, 2025, the European Data Protection Supervisor (“EDPS”) released the “Guidance for Risk Management of Artificial Intelligence systems” (the “Guidelines”) focused on the management of personal data protection risks throughout the lifecycle of artificial intelligence (“AI”) systems used by EU institutions, bodies, offices, and agencies (“EU Institutions”) under Regulation (EU) 2018/1725 of October 23, 2018 (“EUDPR”).

Although the Guidelines are primarily intended for EU Institutions, they also provide a range of highly valuable technical and practical recommendations for companies that develop, implement or manage AI. These Guidelines prove especially useful for organizations seeking to align AI governance, data protection and the requirements set out in the AI Regulation.

From ISO 31000:2018 to practice: a technical framework for AI compliance

The EDPS adopts the methodology and architecture of the ISO 31000:2018 standard for risk management (identify-analyze-evaluate-treat), articulating it with the obligations of proactive responsibility (accountability) of the EUDPR.

The guidelines cover all stages of the AI lifecycle, from data acquisition/preparation to data withdrawal, and locate the most likely risks and the respective technical controls at each stage. To this end, the EDPS translates the data protection principles (what) into concrete technical controls (how), structured along the following lines, which must guide the risk assessment:

• Fairness principle: Identify, measure and mitigate biases arising from lack of data quality/representativeness, bias in training data, algorithmic bias, and bias in interpretation, with audits and the use of fairness metrics and testing with edge cases.

• Accuracy principle: Ensure the accuracy of the data and validation of the model’s statistical accuracy; prevent data drift and inaccurate outputs (including “hallucinations”).

• Data minimization principle: Only process data that is appropriate, relevant and limited to what is required; avoid indiscriminate collection/storage; justify each category processed and, where possible, use representative sampling and anonymization/pseudonymization (and synthetic data with caution).

• Security principle: Prevent data leaks (including recall/reproduction by the model), exposure through application programming interfaces (APIs), and storage breaches; apply encryption, access control, monitoring, and specific measures for AI, such as differential privacy and output filters.

In the same section on the risks associated with data protection principles, one of the biggest challenges for data controllers is highlighted: protecting data subjects’ rights. Locating, accessing, rectifying, and deleting data incorporated into models—especially deep networks and large language models—is technically complex. The EDPS proposes operational mechanisms for access, rectification and erasure, including data identification strategies, metadata maintenance and retrieval tools, and, where feasible, machine unlearning techniques.

Without interpretability and explainability, there is no accountability and no real transparency for data subjects

The Guidelines raise interpretability and explainability to essential conditions of compliance and identify the specific risk of “uninterpretable or unexplainable” systems. Specifically, they establish (i) mitigation measures applicable in selection/supply, such as adequate technical documentation, explainable AI (“XAI”) techniques (e.g., LIME/SHAP), and statistical analysis of outputs; (ii) verification and validation; (iii) operation/monitoring; (iv) ongoing validation; and (v) reassessment.

For the purposes of the guidelines, the following definitions apply:

• Interpretability: The ability to understand the model’s logic and the factors that determine the results (outputs) from the input data (inputs).

• Explainability: The ability to meaningfully communicate the reasons for the results to end users.

In terms of framework, interpretability and explainability support compliance but do not replace transparency obligations for data subjects. Therefore, even when offering technical explanations of the model, it is crucial to clearly state what is being done with the data and why.

AI procurement

As regards AI procurement, the EDPS Guidelines raise the level of due diligence required of suppliers, who must provide (i) technical and data governance documentation, including the architecture/model, data provenance and quality, limitations, and metrics tested; (ii) performance metrics; (iii) security and API controls; and (iv) XAI requirements that mitigate the model’s opacity (black box) (e.g., LIME/SHAP), along with statistical support for the outputs. In practical terms, before an AI system goes into production, this must be reflected in tender specifications, award criteria, contract clauses, and acceptance tests.

From urgency to practice: the reason methodological adoption is no longer “optional”

1.   Operational execution

The EDPS Guidelines outline the data controller’s obligation to establish clear operational tasks and procedures, define roles, maintain documentary evidence, conduct risk assessments, implement treatment procedures aligned with ISO 31000:2018, and perform reassessment cycles proportionate to the identified risks. This structured approach enables teams to integrate interpretability and explainability, uphold data protection principles and data subjects’ rights, and carry out data protection impact assessments along with prior consultations when necessary. This ensures that accountability obligations are met in a systematic and auditable manner.

2.   Consolidated compliance (GDPR/EUDPR and AI Act)

This framework supports compliance with the EUDPR and, by extension, the GDPR, while serving as a preparatory measure for the AI Act requirements without replacing them. Specifically, it provides a strong alignment with risk management requirements.

3.   Evidence

Proactive aligning with the EDPS Guidelines demonstrates due diligence and robust corporate governance, enhancing stakeholder trust.

Conclusion

The EDPS Guidelines serve as a critical operational framework for entities developing and implementing AI systems within the European Union. They ensure the protection of fundamental rights and freedoms while providing concrete, auditable preparation for the risk management required by the EU regulatory framework.