Thirty-Five Million Reasons the EU AI Act Is Already Reshaping German Business Deals

23.06.2026 - 02:03:12 | boerse-global.de

EU AI Act compliance is due by Aug 2, 2026, with fines of up to €35M or 7% of turnover. Data governance is critical for business handovers, asset deals, and employee data under the GDPR and a recent ECJ ruling.

EU AI Act 2026 Deadline: Data Governance and Business Transfer Risks
Time is running out for companies using high-risk artificial intelligence. The EU AI Act’s first compliance deadline falls on 2 August 2026, and the penalties for missing it are staggering: up to €35 million or 7% of global annual turnover. That alone has thrust data governance to the top of boardroom agendas — but it’s only one piece of a much larger puzzle.

Germany’s small and midsize firms face a triple bind. By the end of 2028, roughly 532,000 such businesses will need to find a successor, joining the 215,000 that were already searching by the end of 2025. Each handover involves transferring customer data — and that transfer is now entangled with everything from GDPR obligations to the brand-new AI Act.

Asset Deal or Share Deal: The Data Privacy Divide

The legal complexity hinges on the deal structure. In a Share Deal, the legal entity remains unchanged, so the existing contractual relationship — including data-processing consents — carries over smoothly. The Asset Deal is a different story. When a buyer acquires only the assets, customer data must be shifted to a new owner. Because that data is usually personal, the transfer triggers strict rules.

The German Data Protection Conference (DSK) clarified the requirements in a September 2024 resolution. For data tied to ongoing contracts, Article 6(1)(b) GDPR can serve as the legal basis. In other cases, the legitimate-interest clause often applies — but customers must be given the right to object.

Health data is the hardest case. Explicit consent is mandatory. The Federal Court of Justice ruled as early as November 2021 that an isolated sale of patient records is null and void.

Employee Data: New Clarity from Luxembourg

An 18 June 2026 judgment from the European Court of Justice (Case C-484/24) added another layer. The case concerned employee data gathered during legal disputes — common after business transfers or restructurings.

The ECJ held that the GDPR does not automatically create a bar on using evidence that was collected unlawfully. National courts must still weigh proportionality and data minimisation. But the ruling means an employer who obtained data illegally does not automatically have that evidence thrown out of court. Redactions to protect privacy may be required, and judges must balance the circumstances carefully.

AI in Due Diligence: Vibecoding and the New Risk Game

Investment firms are increasingly bringing artificial intelligence into the due diligence process. According to industry reports, Bain & Company has been using a technique called Vibecoding — essentially building AI-generated replicas of acquisition targets.

These digital prototypes allow far deeper scrutiny of a company’s platform and weaknesses. In the past, AI analysis has already caused investors to walk away from bidding processes after spotting structural flaws. The same tools are also being deployed internally — for example, to help with social selection criteria during mass layoffs.

Experts warn that the final decision must always rest with the employer. Moreover, the decision-making logic has to be transparent to prevent discrimination risks.

Liability for Data Breaches: A Firmer Line from German Courts

The Social Court of Nuremberg issued a June 2026 ruling on the MOVEit data leak from 2023. It dismissed a claim, stating that a third-party hacker attack can only be attributed to the responsible party if that party’s specific breach of duty enabled the attack. A purely hypothetical risk of harm does not justify compensation.

The ruling underscores that companies cannot be held liable for every cyber incident — but it also sharpens the need for documented compliance.

The AI Act Clock Is Ticking

With the 2 August 2026 deadline approaching, companies must now inventory their high-risk AI systems and build governance structures. There has been discussion about postponing some obligations for embedded AI until August 2028, but that does not exempt firms from checking their current high-risk applications right now.

For any company involved in a takeover, a succession plan, or simply running AI-driven processes, the cost of getting it wrong is no longer theoretical. It begins at €35 million.
