US and EU Tighten AI Data Provenance Rules for Banks and Hospitals

US and EU regulatory frameworks converge on AI data provenance, audit trails, and model governance for banks and hospitals, with phased deadlines and fines up to €35M.

Converging transatlantic regulation is forcing multinational banks and hospitals to overhaul how they document, track, and govern AI training data. The European Union's AI Act and related frameworks impose binding data provenance and audit trail requirements with staggered deadlines running through 2028.

Background

The regulatory convergence stems from two parallel tracks. In the EU, the AI Act entered into force on 1 August 2024 and becomes fully applicable on 2 August 2026, with some exceptions: prohibited AI practices and AI literacy obligations took effect on 2 February 2025, and governance rules for general-purpose AI models became applicable on 2 August 2025. The Act's global reach means AI providers and financial institutions operating in or interacting with users in the EU must comply regardless of where they are incorporated.

On the healthcare side, the European Health Data Space (EHDS), effective since 26 March 2025, introduces a two-tiered framework for health data use: a "Primary Use" framework facilitating cross-border patient care via the MyHealth@EU infrastructure, and a "Secondary Use" framework governing data utilization for research, policy-making, and innovation. Healthcare AI is classified as high-risk under the EU AI Act, mandating transparency and human oversight of algorithms.

In the US, the regulatory picture remains sector-specific and state-driven. Updates to HIPAA have tightened de-identification standards. In 2025, a US hospital faced a $4.2 million HIPAA fine for using patient data from 500,000 individuals to train an AI diagnostic tool without proper anonymization, underscoring the risk of re-identification. For health data specifically, the European Medicines Agency and the US Food and Drug Administration published joint guidelines in January 2026 outlining principles for "good AI practice in drug development."[1]

[1] Data Clean Rooms: The Future of Privacy-Compliant Data Collaboration - Obhan & Associates

Details

The core compliance challenge for cross-border institutions centers on data lineage. Under the EU AI Act, every training dataset must have a documented provenance trail covering origin, collection methodology, transformations applied, and data quality checks performed. This applies equally to first-party data and third-party datasets sourced from external providers or public repositories. Any AI system used for financial profiling, behavioral analysis, or other high-impact decisions must be classified as high-risk, with tracking and audit processes available in real time and rigorous data governance documentation in place.

The penalty structures are significant. The EU AI Act employs a tiered penalty framework: non-compliance with prohibited AI practices can result in fines up to €35 million or 7% of global revenue, while violations of high-risk obligations can incur fines up to €15 million or 3% of global revenue. GDPR fines have exceeded €7.1 billion since 2018, with €1.2 billion levied in 2025 alone.

Institutions most exposed are those operating AI-enabled services on both sides of the Atlantic. Cross-border transfers of sensitive data are likely to grow more difficult, with ongoing transfers requiring significant auditability and segmentation between EU and non-EU data, driving up costs. Geopolitical tensions have increased scrutiny of transatlantic operations, while doubts over the sustainability of future EU-US data flows and the rise of digital sovereignty as a policy priority make navigating AI and health data governance increasingly complex.

To meet traceability requirements without violating data residency rules, regulated institutions are turning to data clean rooms and virtual data rooms. In healthcare, researchers and pharmaceutical companies use clean rooms to analyze patient data collaboratively, identifying trends and developing treatments while maintaining HIPAA compliance. Banks similarly use clean rooms for fraud detection and risk assessment while protecting customer privacy. Under the EU AI Act, AI systems using medical data are classified as high-risk and must document lineage, consent, and safeguards. Device makers must ensure their APIs and exports preserve metadata supporting these obligations; hospitals will need governance platforms that reconcile GDPR, the Data Act, and the AI Act simultaneously.

A key shift in the compliance timeline arrived on 7 May 2026, when negotiators from the Council of the European Union, the European Parliament, and the European Commission reached a provisional agreement on the Digital Omnibus on AI, the first set of amendments to the EU AI Act since its adoption in June 2024. The agreement reflects a mix of pragmatic timeline extensions, focused simplification measures, and a small number of substantive policy changes. For high-risk AI systems under Annex III (use-based), obligations are postponed from 2 August 2026 to 2 December 2027, a deferral of 16 months.

Outlook

The Digital Omnibus amendments are expected to proceed through formal adoption in the coming months, with final approval anticipated in June and publication expected in July. The EU has emphasized that the amendments must be in force ahead of the next key implementation milestone in August 2026. Despite the deferral, compliance experts caution against delays. Companies, including those using health data, must build sufficient internal governance structures to meet upcoming deadlines, requiring greater documentation, traceability, and oversight of AI models before deployment. Even organizations outside the EU should build multi-jurisdiction readiness into their AI data privacy compliance programs in 2026.