EU AI Act

Quick Assessment

Key Links

Overview

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive legal framework regulating artificial intelligence, representing a landmark attempt to govern AI systems based on their potential risks to safety, fundamental rights, and society.¹² The regulation adopts a risk-based approach that classifies AI systems into four tiers—unacceptable risk (prohibited), high-risk (strict obligations), limited risk (transparency requirements), and minimal risk (largely unregulated)—with special provisions for foundation models and general-purpose AI (GPAI) systems.³⁴

Originally proposed by the European Commission in April 2021, the Act underwent intense negotiations before political agreement was reached on December 9, 2023.⁵⁶ The regulation entered into force on August 1, 2024, with phased implementation: prohibitions on unacceptable-risk systems took effect February 2, 2025, GPAI model obligations apply from August 2, 2025, and most high-risk provisions become fully applicable by August 2, 2026.⁷⁸

The regulation has sparked significant controversy, particularly regarding its approach to foundation models. Critics argue it may stifle European AI innovation while supporters contend it provides necessary safeguards and legal certainty. The Act's two-tiered framework for GPAI models—distinguishing between standard foundation models and those posing "systemic risk"—emerged from contentious negotiations between the European Parliament, Council, and member states including France, Germany, and Italy.⁹¹⁰

Legislative History

Proposal and Development (2021-2023)

The European Commission first proposed the AI Act on April 21, 2021, initiating the EU's effort to create comprehensive AI regulation focused on risk-based rules for AI systems.¹¹¹² The proposal was driven by concerns over AI's potential harms and aimed to balance innovation with safety through prohibitions on unacceptable risks and obligations for high-risk systems.

Key early milestones included:

• November 29, 2021: EU Council presidency shared the first compromise text, adjusting rules on social scoring, biometrics, and high-risk AI¹³
• December 1, 2021: European Parliament assigned lead negotiators Brando Benifei (S&D, Italy) and Dragoş Tudorache (Renew, Romania)¹⁴
• September 5, 2022: Parliament's JURI committee adopted its opinion on the AI Act¹⁵
• December 6, 2022: EU Council adopted its general approach for negotiations¹⁶

Foundation Models Controversy (2023)

Foundation models became highly controversial during the legislative process, marking a significant shift from the initial 2021 Commission proposal, which had focused on risk-based categorization of AI applications rather than regulating the models themselves.¹⁷ The emergence of powerful systems like ChatGPT in late 2022 catalyzed intense debate over how to regulate these general-purpose systems.

The European Parliament introduced formal provisions on foundation models in June 2023 when it adopted its negotiating position.¹⁸ This set up a fundamental conflict:

• Parliament's position: Advocated for treating foundation models similar to high-risk systems, with quality management systems, EU database registration, and strict obligations¹⁹
• Council/Commission position: Favored lighter regulation through voluntary codes of conduct, with delayed and less stringent requirements²⁰

France, Germany, and Italy emerged as key opponents of strict foundation model regulation, arguing it would harm European AI competitiveness and innovation.²¹ Negotiations broke down in November 2023 as these member states opposed tiered rules for high-impact models developed mostly by non-EU firms, threatening to derail the entire Act.²²

Political Agreement and Adoption (2023-2024)

After marathon negotiations, political agreement was expected to be reached in Late 2023.²³²⁴²³ The compromise distinguished between:

1. General GPAI models: Subject to transparency obligations, copyright disclosure requirements, and technical documentation
2. Systemic risk GPAI models: Additional requirements for risk assessments, incident reporting, evaluations, and cybersecurity measures

Subsequent milestones included:

• February 13, 2024: Parliament committees approved the draft (71-8 vote); EU member states unanimously endorsed²⁵
• February 21, 2024: European AI Office launched within the Commission to oversee GPAI implementation²⁶
• March 13, 2024: European Parliament passed the Act (523 for, 46 against, 49 abstentions)²⁷
• May 21, 2024: European Council formally adopted the regulation²⁸
• July 12, 2024: Published in the Official Journal of the European Union²⁹
• August 1, 2024: Entered into force³⁰

Risk-Based Regulatory Framework

Four-Tier Classification System

The AI Act establishes four risk levels for AI systems, each with corresponding obligations:

Prohibited AI Practices

The Act bans AI practices deemed to pose unacceptable risks to fundamental rights:³⁵³⁶

1. Subliminal manipulation techniques that exploit vulnerabilities
2. Social scoring systems by public authorities
3. Real-time biometric identification in public spaces (with limited law enforcement exceptions)
4. Emotion recognition in workplaces and educational institutions
5. Untargeted scraping of facial images from the internet or CCTV
6. Inference of sensitive characteristics (race, political opinions, sexual orientation)
7. Biometric categorization systems that discriminate
8. AI systems that manipulate human behavior to circumvent free will

These prohibitions took effect on February 2, 2025, making them the first enforceable provisions of the Act.³⁷

Foundation Models and GPAI Regulation

Defining General-Purpose AI

The Act regulates foundation models under the category of "general-purpose AI" (GPAI) models, defined as AI systems trained on large amounts of data that can perform a wide variety of tasks across different applications.³⁸³⁹ This includes large language modelsCapabilityLarge Language ModelsComprehensive analysis of LLM capabilities showing rapid progress from GPT-2 (1.5B parameters, 2019) to GPT-5 and Gemini 2.5 (2025), with training costs growing 2.4x annually and projected to excee...Quality: 60/100 like GPT-4, Claude, and Llama, as well as multimodal foundation models.

GPAI models are regulated separately from application-specific AI systems because of their adaptability across multiple downstream uses, some of which may be high-risk even if the model itself was not designed for those purposes.⁴⁰

Two-Tier GPAI Framework

The Act establishes a two-tier approach for regulating foundation models, distinguishing between standard GPAI and "systemic risk" GPAI:⁴¹⁴²

Tier 1: All GPAI Models (Standard Obligations)

Applicable to all general-purpose AI model providers, regardless of size or capability:⁴³⁴⁴

• Technical documentation detailing model architecture, training data, and capabilities
• Transparency to downstream deployers about model limitations and intended uses
• Information summaries about copyrighted training data content
• Policy to comply with EU copyright law (Directive (EU) 2019/790)
• Data governance and quality management practices
• EU database registration for models integrated into high-risk systems

Tier 2: Systemic Risk GPAI Models (Enhanced Obligations)

Designated based on compute thresholdsPolicyCompute ThresholdsComprehensive analysis of compute thresholds (EU: 10^25 FLOP, US: 10^26 FLOP) as regulatory triggers for AI governance, documenting that algorithmic efficiency improvements of ~2x every 8-17 months...Quality: 91/100 (>10²⁵ FLOPs for training) or Commission assessment of capabilities, market impact, and potential for widespread harm:⁴⁵⁴⁶

• Model evaluations and adversarial testing to identify systemic risks
• Assessment and mitigation of risks to health, safety, fundamental rights, environment, democracy, and rule of law
• Serious incident reporting to the AI Office
• Cybersecurity measures and monitoring of downstream applications
• Enhanced quality management systems
• Regular reporting to the AI Office on risk management measures

Implementation Timeline for GPAI

The EU AI legislation will be made applicable via a phased approach:^47484748

• August 2, 2026: GPAI obligations take effect for all general-purpose AI models
• August 2, 2027: Existing GPAI models placed on the market before August 2025 must achieve full compliance⁴⁹

New GPAI models released after August 2, 2025 must comply immediately, while existing models receive a two-year grace period.⁵⁰

GPAI Code of Practice

To facilitate compliance, the AI Office developed a voluntary GPAI Code of Practice through a multi-stakeholder process involving nearly 1,000 participants.⁵¹ The code provides guidance on:

• Transparency requirements for training data
• Copyright compliance mechanisms
• Risk assessment methodologies
• Governance structures for systemic risk models

The Chairs and Vice-Chairs were a crucial component of the Code of Practice drafting process:^52535253

The Commission and AI Board have confirmed this code as an adequate voluntary compliance tool that may serve as a mitigating factor when determining fines for violations.⁵⁴

Governance and Enforcement

European AI Office

The AI Office, established within the European Commission's Directorate-General for Communication Networks, Content and Technology (DG CNECT), serves as the primary enforcement body for GPAI models.⁵⁵⁵⁶ Launched on February 21, 2024, it became operational for enforcement purposes on August 2, 2025.⁵⁷

In general, the AI Act is enforced at EU level by the European Commission mainly in form of its so-called AI Office with regard to general-purpose AI (GPAI) and, otherwise, at the level of the EU Member States.⁵⁸

• Lucilla Sioli: Heads the AI Office (former DG CNECT Director for AI)
• Dragoş Tudorache: Heads the unit on risks of very capable GPAI models (former co-leader of the AI Act in Parliament)
• Kilian Gross: Leads the unit on compliance, uniform enforcement, and investigations (key EU AI Act negotiator)
• Juha Heikkilä: AI Office Adviser for International Affairs

The AI Office has significant enforcement powers:⁵⁹⁵⁹

• Requesting information and documentation from GPAI providers
• Conducting model evaluations and capability assessments
• Requiring risk mitigation measures
• Recalling models from the market
• Imposing fines up to 3% of global annual turnover or €15 million, whichever is higher

Multi-Level Governance Structure

National authorities within the EU will govern the Act more directly, using qualified market surveillance:^60616061

• AI Board: Comprises representatives from EU member states; coordinates national enforcement and provides technical expertise
• Advisory Forum: Brings together stakeholders from industry, academia, civil society, and social partners
• Scientific Panel: Independent experts advise the AI Office on evaluating foundation model capabilities and monitoring material safety risks
• National Authorities: Handle complaints and enforcement for high-risk AI systems not covered by the AI Office
• European Data Protection Supervisor (EDPS): Has authority to impose fines on EU institutions for non-compliance

Penalty Structure

The Act establishes tiered penalties based on violation severity:⁶²

For startups and SMEs, caps are available to prevent disproportionate financial burden.⁶³ The turnover-based calculation means violations by major technology companies could result in penalties exceeding hundreds of millions of euros.

Controversies and Criticisms

Innovation vs. Regulation Tensions

The Act's approach to foundation models has sparked intense debate over whether it strikes the right balance between safety and innovation. France, Germany, and Italy actively opposed strict GPAI regulations during negotiations, arguing they would harm European AI competitiveness against US and Chinese firms.⁶⁴⁶⁵ French startup Mistral AI, German company Aleph Alpha, and other European AI developers expressed concerns that compliance burdens would disadvantage them against better-resourced non-EU competitors like OpenAIOrganizationOpenAIComprehensive organizational profile of OpenAI documenting evolution from 2015 non-profit to Public Benefit Corporation, with detailed analysis of governance crisis, 2024-2025 ownership restructuri...Quality: 62/100 and AnthropicOrganizationAnthropicComprehensive reference page on Anthropic covering financials (\$380B valuation, \$19B ARR), safety research (Constitutional AI, mechanistic interpretability, model welfare), governance (LTBT struc...Quality: 74/100.

Critics warn the Act's regulatory approach contrasts sharply with the US, where voluntary industry standards and executive orders provide more flexible governance frameworks.⁶⁶

Conversely, proponents argue the Act creates legal certainty that will ultimately attract investment and protect downstream deployers from compliance burdens, enabling a trustworthy AI ecosystem.⁶⁷⁶⁸ Regulatory sandboxes and the AI innovation package (launched January 2024) aim to support European startups and SMEs in developing compliant AI systems.⁶⁹

Definitional Ambiguities and Scope Concerns

There is sufficient lack of clarity that it is possible that fine-tuning an existing model would constitute bringing a novel foundation model to market:^70717071

• "Systemic risk" definition: The criteria for designating models as posing systemic risk—including compute thresholds, capabilities, market impact, and scalability—lack precision and may become outdated as technology advances
• "Substantial modification" threshold: Uncertainty about when fine-tuning or adaptation of foundation models triggers full compliance obligations
• Training data disclosure: Requirements for "summaries" of copyrighted training data content remain poorly defined, creating intellectual property disputes
• Dual-use potential: Even controlled foundation models retain dual-use capabilities, raising questions about the effectiveness of use-case-based regulation

The Act's broad definition of AI systems, derived from OECD frameworks, applies to virtually all EU organizations using AI, creating significant compliance challenges.⁷²

Epistemic and Methodological Limitations

Academic critics have identified fundamental epistemic gaps in the Act's risk assessment approach.⁷³ Traditional risk assessments fail for probabilistic, socio-technical foundation models, the argument goes, creating false regulatory confidence. Specifically:

• The Act overlooks deployment contexts, institutional oversight, and governance structures in favor of technical fixes
• Fixed AI categories risk rapid obsolescence as technology evolves, unlike more adaptive governance frameworks
• Causal links between model capabilities and societal harms are assumed without robust evidence, ignoring real-world socio-technical factors
• The Act lacks anticipatory mechanisms for iterative revision based on emerging AI research

Stanford's Center for Research on Foundation Models (CRFM) noted that the compute-based threshold for systemic risk (10²⁵ FLOPs) diverges from their proposal to focus on demonstrated market impact, potentially missing dangerous models that don't meet the compute threshold.⁷⁴

Missing Safeguards for Advanced AI Safety

AI safety researchers have criticized the Act for insufficient provisions addressing existential risks from advanced AI systems.⁷⁵⁷⁶ While the Act mandates evaluations for systemic risks, it includes:

• No requirements for AI alignmentApproachAI AlignmentComprehensive review of AI alignment approaches finding current methods (RLHF, Constitutional AI) show 75%+ effectiveness on measurable safety metrics for existing systems but face critical scalabi...Quality: 91/100 research (ensuring advanced systems' goals match human values)
• No provisions for third-party researcher access to models for safety evaluations
• No adverse event reporting mechanisms comparable to pharmaceutical or aviation safety systems
• No explicit coverage of scenarios involving misaligned superintelligent systems

The focus on immediate deployment risks (manipulation, discrimination, privacy violations) rather than model-level capabilities means the Act may not adequately address risks from future highly capable AI systems. Organizations like the AI Now Institute (in a report by 50+ experts) warned that foundation models have inherent risks in their training data and architectures that use-case regulation cannot fully address.⁷⁷

Enforcement Challenges and Implementation Delays

Member States will designate very different national competent authorities, which will lead to very different interpretations and enforcement activities:^78797879

• Regulatory capacity: Whether the AI Office and national authorities have sufficient expertise and resources to effectively monitor rapidly evolving foundation models
• Extraterritorial reach: Questions about enforcing requirements on non-EU providers, especially for open-source models uploaded from outside the EU
• Compliance burden: Particularly for SMEs and researchers who may lack resources for extensive documentation and risk assessments
• Loopholes: Compute-intensive models may quickly become outdated as a metric; workarounds for training data disclosure requirements

Proposed amendments have sought to address some concerns by delaying high-risk system obligations to December 2027, but privacy advocates like Max Schrems have criticized provisions allowing AI training on special category data to fix bias as undermining GDPR protections.⁸⁰

The Act's phased implementation has also faced criticism. While prohibited systems were banned in February 2025, full GPAI compliance doesn't occur until August 2025-2027, creating a window where potentially risky systems can operate under legacy frameworks.⁸¹

Relationship to Other Regulatory Frameworks

⁸²

• GDPR: Data protection requirements for AI training data; controversies over "legitimate interests" basis for processing
• Digital Services Act (DSA): Enforcement of AI-generated content moderation; recent cases include €120M fines against platform X in December 2025 for failing to control AI-generated sexual content
• Copyright Directive: Article 50 transparency deadline in 2026 for training data disclosure
• Proposed Chat Control: Ongoing debates about scanning for child abuse material, with temporary measures extended to April 2026

The January 21, 2026 joint opinion by the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) criticized unclear divisions between the AI Office's role for GPAI supervision and EDPS oversight, calling for amendments to avoid governance overlaps.⁸³

Shifting Political Priorities (2025-2026)

Recent political discourse has shown a shift from the Act's original fundamental rights framing toward concerns about over-regulation harming competitiveness.⁸⁴ As of early 2026:

• European policymakers increasingly emphasize the risk that strict AI rules may cause Europe to fall further behind the US and China
• Proposals circulate for simplifying GPAI obligations and extending transition periods
• The contrast with US deregulation under recent executive orders raises questions about regulatory arbitrage
• Parliament debates in January 2026 focused on stronger DSA-AI Act synergies for enforcement against deepfakes and illegal AI-generated content

These developments suggest the Act's implementation may evolve significantly based on economic performance and global competitive dynamics.

International Cooperation and Global Impact

Extraterritorial Reach

The AI Act applies not only to providers and deployers operating within the EU, but also to organizations outside the EU whose AI systems target or affect EU users.⁸⁵⁸⁶ This extraterritorial scope, similar to GDPR's global reach, means:

• US, UK, and other non-EU AI companies must comply if their systems are used by EU customers
• American employers using AI for EU-targeted outputs (e.g., automated hiring tools processing EU applicants) fall under the Act's jurisdiction
• Multinational organizations must navigate compliance across different regulatory regimes

The Act's global influence extends through its potential to serve as a model for other jurisdictions considering AI regulation, though critics question whether it will inspire adoption or enable regulatory arbitrage as companies shift development to less restrictive environments.⁸⁷

Bilateral and Multilateral Engagement

The AI Office is leading the Commission's international engagement in the field of AI:⁸⁸⁸⁸

• Bilateral cooperation: Partnerships with Canada, US, India, Japan, South Korea, Singapore, Australia, and UK
• Multilateral forums: Participation in G7, G20, OECD, and Global Partnership on AI discussions
• US-EU AI collaboration: January 27, 2023 agreement to conduct joint research on AI applications in extreme weather forecasting, emergency response, health, electric grid optimization, and agriculture⁸⁹

The AI Pact, initiated in May 2023, fosters voluntary industry commitment to implement AI Act requirements ahead of legal deadlines and serves as a coordination forum across jurisdictions.⁹⁰

Support for Innovation

The legislators understand that AI tools and systems can be strong drivers of innovation in business, and do not want companies, especially SMEs, to be hamstrung by excessive regulation, or be pressured by industry giants with outsized industry influence.⁹¹⁹²⁹¹

• Regulatory sandboxes: National authorities establish controlled environments for testing AI before market launch
• AI innovation package: Launched January 2024 to support European startups and SMEs
• GenAI4EU initiative: Stimulates generative AI adoption across strategic EU industrial ecosystems
• AI Factories and Gigafactories: Infrastructure investments for AI development
• InvestAI Facility: Funding mechanism for trustworthy AI projects
• AI Skills Academy: Planned educational initiative to build EU AI talent

An AI Observatory tracks AI trends and assesses impacts across specific sectors, while the Apply AI Alliance serves as a coordination forum bringing together AI providers, industry, public sector, academia, and civil society.⁹³

Key Uncertainties

Several major questions remain about the Act's effectiveness and evolution:

1. Enforcement effectiveness: Will the AI Office and national authorities have sufficient capacity to meaningfully oversee rapidly advancing foundation models, particularly those developed by well-resourced non-EU companies?

2. Innovation impact: Will the regulatory framework ultimately protect European competitiveness by providing legal certainty, or will compliance burdens drive AI development and deployment to less restrictive jurisdictions?

3. Risk assessment validity: Can the Act's risk-based approach adequately address the rapidly evolving capabilities of foundation models, or will fixed categories and compute thresholds quickly become obsolete?

4. Advanced AI safety: Does the Act provide sufficient safeguards for potential risks from highly capable future AI systems, or does its focus on deployment-level harms miss model-level dangers?

5. Regulatory arbitrage: How will the Act's approach interact with US deregulation and Chinese state-directed AI development? Will global companies develop separate systems for different jurisdictions or push for regulatory harmonization?

6. Implementation consistency: Will the phased rollout and proposed delays (e.g., extending high-risk obligations to December 2027) undermine the Act's effectiveness, or will they provide necessary flexibility for organizations to adapt?

7. Systemic risk designation: How will the Commission operationalize its discretion to designate foundation models as posing systemic risk beyond the compute threshold? Will this process be transparent and predictable?

8. Open-source implications: How will the Act affect open-source foundation models like Llama, Mistral, and others? Will compliance burdens disproportionately affect open development compared to proprietary systems?

Sources