On 11 November 2025, the European Data Protection Supervisor (EDPS) adopted the Guidance for Risk Management of Artificial Intelligence Systems, aiming to guide EU Institutions, Bodies, Offices and Agencies (EUIs) acting as controllers in identifying and mitigating risks raised by the processing of personal data when developing, procuring and deploying AI systems. The Guidance presents an overview of the risk management methodology according to ISO 31000:2018, outlines the development lifecycle of AI systems and the steps involved in their procurement, and examines interpretability and explainability as cross-cutting concerns that condition compliance with all provisions covered in the Guidance. It details risks associated with fairness, accuracy, data minimisation, security and data subjects’ rights, breaking these principles into specific risks paired with technical measures that controllers can implement to mitigate them. The Guidance is issued by the EDPS in its role as a data protection supervisory authority and is without prejudice to the Artificial Intelligence Act.