When Commercial Drones Go to Work: Out of Sight, Not Out of Scope
24/06/2026 | Blog | Technology & Data
Authors: Maria Aholainen and Axel Hård af Segerstad

A logistics company sends a fleet of AI-powered drones across a city. Each one carries a high-resolution camera and machine-learning software to identify obstacles and find safe landing zones. Along the way, without anyone intending it, the drones capture footage of gardens, open windows, children in playgrounds, and people on their morning commute.

This is already happening. Yet the legal conversation rarely keeps pace. The regulatory landscape for drones is more complex than it might first appear. This blog takes a closer look at what the rules on AI, cybersecurity and data protection require. Sector alone does not determine which rules apply. The starting point is always the intended purpose of the product or system in question.

The EU AI Act – In or Out?

When a drone is driven by an algorithm rather than a human pilot, the legal questions become more multifaceted. One of the first is whether the use case falls within the scope of the EU AI Act. If you are a commercial entity, such as a logistics company, the answer is most likely yes: the AI use case is in scope.

Drones are also used in the defence sector. The AI Act contains a carve-out that is often overlooked, or too readily relied upon. The AI Act does not apply to AI systems used exclusively for military, defence or national security purposes. However, operating in the defence sector does not, in itself, place an organisation outside the AI Act’s reach. A dual-use system, one placed on the market for both military and civilian purposes, is not automatically exempted. The question is always the same: what is the intended purpose of the AI system in question? Only once that question is answered can the exemption be properly assessed.
Providers cannot rely on the military exemption to shield the product or the organisation as a whole.

The EU AI Act – Use Case Assessment

The AI Act has entered into force but applies in stages. Provisions governing prohibited AI systems, including restrictions on real-time remote biometric identification in publicly accessible spaces for law enforcement purposes, have applied since 2 February 2025. High-risk AI rules have, however, been delayed following the political agreement on the Digital Omnibus package. The new deadlines are 2 December 2027 for stand-alone high-risk AI systems (Annex III of the AI Act) and 2 August 2028 for high-risk AI systems embedded in products (Annex I of the AI Act).

Once the intended purpose is established, risk classification follows. Under the AI Act, purpose is the driver. On this point, the picture is more nuanced than it was. The Digital Omnibus on AI narrows the definition of “safety component”: AI systems whose functions merely assist users or optimise performance will not automatically be treated as high-risk if a failure or malfunction would not create health or safety risks. Here too, intended purpose and context are central to determining whether the exemption applies. Drones used as safety components in critical infrastructure, where AI failure could endanger life or disrupt essential services, may still fall within the high-risk classification. Operators of AI systems that assist navigation or optimise delivery routes without directly controlling safety-critical functions should, however, consider whether the narrowed definition changes their classification analysis.

AI is Caught by Product Liability

Liability is also shifting. The revised EU Product Liability Directive expressly brings software and AI systems within the concept of “product” for strict liability purposes. The new rules apply to products placed on the market or put into service from 9 December 2026.
From that date, an AI navigation error causing a crash could expose the manufacturer or software developer to strict liability without the claimant needing to prove fault. Allocating that risk in contracts now is prudent rather than premature.

Cybersecurity by Default

The Cyber Resilience Act takes a related approach. The CRA does not apply to products with digital elements developed or modified exclusively for national security or defence purposes, or specifically designed to process classified information. The CRA is product regulation: it sets mandatory cybersecurity requirements governing how products are built and maintained throughout their lifecycle.

Regulation is accelerating. As of 11 September 2026, manufacturers are required to report actively exploited vulnerabilities and severe incidents affecting the security of products with digital elements. This is a deadline that applies to drone manufacturers now. From 11 December 2027, the entire Cyber Resilience Act activates, applying to any new product placed on the EU market from that date onward.

Data Protection

On data protection, the position is clear. The moment a drone’s camera captures an identifiable person, whether it is their face, their car registration or their silhouette in context, it constitutes the processing of personal data. Data protection law does not distinguish between intended subjects and incidental bystanders. The organisation deploying the drone is often the data controller.

For organisations operating in or alongside the defence sector, the scope question on data protection requires care. The GDPR does not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law, and names national security as the clearest example of such an activity. The exclusion is, however, strictly activity-based and not purpose-based. The CJEU has been clear: the exception covers activities that, by their nature, fall outside the scope of Union law.
Processing that merely serves a national security objective does not qualify on that basis alone. A commercial drone operator providing services to a defence client does not escape the GDPR simply because the end use is a national security objective. The boundary between national security and other activities is not always straightforward and requires case-by-case assessment. Drone operations spanning both civilian and national security elements should not be assumed to fall outside the GDPR’s reach in their entirety.

In commercial drone operations, the default lawful basis would likely be legitimate interest. Consent is not a realistic option. Obtaining it from every person a drone might film in a public space is simply not practicable.

On transparency, the GDPR requires privacy information to be given at the moment data is collected. The EDPB endorses a layered approach: first-layer signage positioned so people understand the surveillance before entering the monitored area, combined with readily accessible second-layer information, ideally also available via a digital link or QR code.

On data minimisation, operators should ask whether the surveillance is necessary and whether a less intrusive approach could achieve the same purpose. Where monitoring risks capturing irrelevant areas, technical measures such as masking or pixelating non-relevant zones should be considered. Retained footage should be erased, ideally automatically, after the shortest period necessary, with longer retention requiring clear justification.

Privacy protections should be built in from the outset. Where personal data is involved and the operation is carried out for surveillance-related purposes, drone deployments will meet the threshold for a mandatory data protection impact assessment (DPIA). A DPIA will also need to be updated when operations change.
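The two technical measures named in the data minimisation paragraph, masking or pixelating non-relevant zones and automatic erasure after the shortest necessary period, can be expressed as small, testable building blocks. The following Python is an added illustration written for this page, not code from the authors or from any drone vendor. It assumes frames are plain 2-D lists of pixel values (a stand-in for a real image array), that exclusion zones are axis-aligned rectangles in frame coordinates, and that a footage record may carry an explicit hold reason when longer retention has been justified; the sample frames and records are constructed for the example.

```python
"""Privacy-by-design helpers for drone footage (added example, not the page's code).

Two concerns from the data minimisation discussion:
  1. Blank or pixelate zones the operation has no need to see (gardens, windows).
  2. Erase retained footage automatically once the retention period has elapsed,
     unless a documented justification (hold) keeps it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Zone:
    """Axis-aligned rectangle in frame pixel coordinates; x1/y1 are exclusive."""
    x0: int
    y0: int
    x1: int
    y1: int

    def contains(self, x: int, y: int) -> bool:
        return self.x0 <= x < self.x1 and self.y0 <= y < self.y1


def mask_zones(frame: Sequence[Sequence[int]], zones: Sequence[Zone],
               fill: int = 0) -> List[List[int]]:
    """Return a copy of `frame` with every pixel inside any zone replaced by `fill`.

    Blanking is the stronger measure: nothing from the excluded area survives.
    """
    return [
        [fill if any(z.contains(x, y) for z in zones) else px
         for x, px in enumerate(row)]
        for y, row in enumerate(frame)
    ]


def pixelate_zone(frame: Sequence[Sequence[int]], zone: Zone,
                  block: int = 2) -> List[List[int]]:
    """Return a copy of `frame` with the zone reduced to block averages.

    Each `block`x`block` tile inside the zone is replaced by its mean value,
    which removes fine detail (faces, number plates) while keeping coarse
    context such as where an obstacle is.
    """
    out = [list(row) for row in frame]
    for by in range(zone.y0, zone.y1, block):
        for bx in range(zone.x0, zone.x1, block):
            ys = range(by, min(by + block, zone.y1))
            xs = range(bx, min(bx + block, zone.x1))
            cells = [frame[y][x] for y in ys for x in xs]
            avg = sum(cells) // len(cells)
            for y in ys:
                for x in xs:
                    out[y][x] = avg
    return out


@dataclass(frozen=True)
class FootageRecord:
    """One stored recording. `hold_reason` is the written justification for
    keeping footage beyond the default period (hypothetical field)."""
    path: str
    captured_at: datetime
    hold_reason: Optional[str] = None


def select_for_erasure(records: Sequence[FootageRecord], now: datetime,
                       retention: timedelta) -> List[str]:
    """Return the paths whose retention period has elapsed and that carry no hold.

    Records younger than `retention` are kept; records with a hold are kept
    and should be reviewed rather than silently deleted.
    """
    return [
        r.path for r in records
        if now - r.captured_at >= retention and not r.hold_reason
    ]


if __name__ == "__main__":
    # Constructed 6x6 frame of uniform brightness with one excluded window area.
    frame = [[9] * 6 for _ in range(6)]
    print(mask_zones(frame, [Zone(1, 1, 3, 3)]))

    now = datetime(2026, 1, 10, tzinfo=timezone.utc)  # constructed clock value
    records = [
        FootageRecord("flight-001.mp4", datetime(2026, 1, 1, tzinfo=timezone.utc)),
        FootageRecord("flight-002.mp4", datetime(2026, 1, 9, tzinfo=timezone.utc)),
        FootageRecord("flight-003.mp4", datetime(2025, 12, 1, tzinfo=timezone.utc),
                      hold_reason="PLACEHOLDER: incident review reference"),
    ]
    print(select_for_erasure(records, now, timedelta(days=7)))
```

The split between `mask_zones` and `pixelate_zone` mirrors the choice the paragraph leaves to the operator: blanking when the zone is irrelevant to the purpose, pixelation when coarse context is still needed. `select_for_erasure` only lists candidates; the caller performs the deletion and logs it, so the retention decision is auditable and a hold is never overridden by the automatic path.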
Where drone operations are outsourced, for example where a logistics company commissions a third-party drone operator rather than running its own fleet, the EU Data Act may also become relevant. Drones are likely to qualify as connected products within the meaning of the Data Act, and the party commissioning the operation may qualify as a user with a right to access product data generated during operations. The Data Act has applied since 12 September 2025. Manufacturers and service providers are subject to fair access and data-sharing obligations as regards connected product data, and these should be addressed at the outset of any commercial drone arrangement.

Start here

Drones may trigger multiple regulatory regimes simultaneously: the AI Act, the Cyber Resilience Act, the Product Liability Directive, the GDPR and, depending on how operations are structured, the Data Act. Each regime must be assessed separately. In each case, the assessment begins with the same question: what is the intended purpose of the product or system in question, and who is the end user? Sector alone is not the answer. An organisation cannot rely on its broader corporate identity or industry classification to determine its regulatory exposure. The assessment must be driven by use case.

Contacts

Maria Aholainen, Specialist Partner, maria.aholainen@hannessnellman.com, +358 40 7755 010
Axel Hård af Segerstad, Senior Associate, axel.hard@hannessnellman.com, +358 50 433 1257