EU Compliance for EdTech & Education

EdTech companies operating in the EU must comply with: GDPR (with heightened obligations for children's data under Article 8 and relevant Member State age of digital consent laws, typically 13-16 years); EU AI Act (AI systems used in educational and vocational training are high-risk under Annex III Section 3 — including adaptive learning systems that may affect educational outcomes); NIS2 if the company qualifies as a digital provider (cloud services, online platforms); and national transpositions of the Digital Education Action Plan requirements.

Yes. EU AI Act Annex III Section 3 classifies as high-risk AI systems intended to be used for determining access to, or the assignment of natural persons to, educational and vocational training institutions, as well as AI systems that evaluate the learning outcomes of natural persons in educational and vocational training institutions. Adaptive learning platforms that adjust curriculum difficulty, recommend content, or assess student performance and feed into grading or placement decisions are likely high-risk. These require conformity assessment, technical documentation, and registration in the EU AI database.

GDPR Article 8 requires a minimum age of 16 for consent to information society services, but Member States may lower this to 13. EdTech platforms must verify the age of users and obtain parental consent for under-age users where required. Processing children's data must be in plain, age-appropriate language (Articles 12-13). Data minimisation (Article 5(1)(c)) is especially important for education data — collect only what is strictly necessary. The GDPR-U UK framework and similar national guidance provide additional detail on privacy-by-design for EdTech.

EdTech platforms may qualify as NIS2 digital providers under Annex II if they operate cloud computing services, online marketplaces, or online search engines at medium or large enterprise scale. Digital provider essential services obligations under NIS2 include: implementing Article 21 security measures; reporting significant incidents within the three-stage timeline (24h early warning, 72h notification, 1 month final report); and cooperating with the national competent authority. ENISA has published sector-specific guidance for education sector cybersecurity.

EdTech companies with high-risk AI systems must produce Annex IV technical documentation including: a general description of the AI system and its intended purpose in education; detailed description of the algorithms, model architecture, and training data; information on monitoring and human oversight mechanisms; a risk management plan covering foreseeable misuse and bias risks; records of changes through the system lifecycle; and a post-market monitoring plan for tracking outcomes across diverse student populations. The documentation must be kept for 10 years after market placement and made available to supervisory authorities on request.