EDPS Publishes AI Risk Management Guidance

On November 11, 2025, the European Data Protection Supervisor (“EDPS”) published new guidance for risk management of artificial intelligence systems (the “Guidance”). The Guidance aims to support European Union Institutions, Bodies, Offices and Agencies (“EUIs”) acting as data controllers in identifying and mitigating risks associated with the deployment of artificial intelligence (“AI”) systems. The EDPS stated that the Guidance is not intended to be exhaustive, instead encouraging EUIs to conduct their own tailored risk assessment, recognizing that the specific context of processing activities may yield unique challenges. The Guidance is issued in the EDPS’s capacity as data protection supervisor (not as market surveillance authority under the AI Act) and is provided without prejudice to the AI Act.

The Guidance suggests EUIs systematically assess and treat risks as follows:

  • Risk Management Foundations: Drawing on ISO 31000:2018, the Guidance introduces a methodology for identifying, evaluating and mitigating risks related to personal data processing within AI systems.
  • AI Development Lifecycle: It outlines the typical stages of building and procuring AI solutions, aiming to help stakeholders pinpoint where risks may emerge.
  • Interpretability and Explainability: These concepts are highlighted as essential for transparency and compliance, influencing all aspects of risk management.
  • Data Protection Principles: The Guidance breaks down four key data protection principles, considering specific risks and mitigation measures for each: fairness, accuracy, data minimization and security.

The Guidance is intended to complement and expand on previously published resources, such as the EDPS’s “Accountability on the ground” toolkit (Part II), which addresses data protection impact assessments and prior consultation requirements, as well as the June 2024 orientations on the use of generative AI by EUIs. The new Guidance is broader (addressing all AI types) and more focused (emphasizing technical mitigations). As a result, the EDPS recommends that it be used alongside these materials for a holistic approach to data protection in AI.

Read the Guidance here. Read the press release here.
