Artificial Intelligence Act

• In force since 1 August 2024
• Application on 2 August 2026 (2 years after its entry into force) of generally all rules of the AI Act including obligations for high-risk systems defined in Annex III (list of high-risk use cases), with certain exceptions where obligations are applicable earlier/later. Exceptions in detail:
  • 2 February 2025: Member States shall phase out prohibited systems and companies need to comply with the AI literacy requirement;
  • 2 August 2025: obligations for new general purpose AI models become applicable;
  • 2 August 2027: obligations for high-risk systems defined in Annex I (list of Union harmonisation legislation) apply.

Level II legislation and guidance

Published/Expected:

• Commission guidelines on the definition of ‘AI system’, published on 6 February 2025 (potential update to be published in May 2026) and on prohibited practices, published 4 February 2025
• Code of Practice for providers on General Purpose AI (incl with systemic risks): first draft published on 14 November 2024, second draft published on 16 December 2024, third draft published 11 March 2025, final draft published 10 July 2025
• Commission guidelines on the scope of obligations for providers of general-purpose AI models under the AI Act published on 17 July 2025
• Commission template for training content summary of GPAI models: published on 24 July 2025
• Harmonised standards for requirements of high-risk AI system to be published by European standardization organization CEN-CENELEC: likely to be published in H2 2026/ H1 2027.
• Commission guidance on the classification of high-risk AI systems: first draft published on 19 May 2026.
• Commission guidelines on the implementation of the transparency obligations for certain AI systems under Article 50 of the AI Act: first draft published on 8 May 2026, subject to consultation until 3 June 2026
• Code of Practice for providers and deployers of AI systems on the obligations regarding the detection and labelling of artificially generated or manipulated content: first draft published on 17 December 2025, second draft published on 5 March 2026, final version expected in late June 2026
• Assessment report of Annex III and prohibited practices: expected in May 2026

No date yet:

• Commission guidelines on:
  • Commission guidance on serious incident reporting for providers of high-risk AI systems: originally expected on 2 August 2025, no new publication date yet
  • obligations for high-risk AI systems and obligations along the AI value chain,
  • the provisions related to substantial modification, and
  • the interplay of the AI Act and the product safety legislation listed in Annex I of the AI Act.
• Commission templates on post-market monitoring plan and fundamental rights impact assessment.

Summary

The AI Act introduces EU-wide minimum requirements for AI systems and proposes a sliding scale of rules based on the risk: the higher the perceived risk, the stricter the rules. AI systems with an ‘unacceptable level of risk’ will be strictly prohibited and those considered as ‘high-risk’ will be permitted but subject to the most stringent obligations. The AI Act is also regulating foundation models and generative AI systems under the label of ‘General Purpose AI’ with a specific set of obligations.

Scope

Applies in varying degrees to providers, users, end-product manufacturers, importers or distributors of AI systems, depending on the risk.

Key elements

• Risk-based approach to AI systems: the higher the perceived risk, the stricter the rules. AI systems with an ‘unacceptable level of risk’ to European fundamental rights, like social scoring by governments, will be strictly prohibited. ‘High-risk’ systems, like automated recruitment software, will be subject to the most stringent obligations and limited-risk systems, like chatbots and deep fakes, will be subject to transparency rules. Free use of minimal-risk systems like AI enabled video games or SPAM filter.
• Specific regulation on General Purpose AI (foundation models), tiered approach with baseline obligations for all General Purpose AI (GPAI) systems and models, and add-on obligations for GPAI models with ‘systemic risks’.
• Developers of high-risk AI systems must conduct a self-conformity assessment. High-risk AI systems and foundation models must be registered in an EU database.
• Fines:
  • up to €35m or 7% of global annual turnover for infringements on prohibited practices or non-compliance related to requirements on data;
  • up to €15m or 3% of global annual turnover for other requirements or obligations of AI Act, including the rules on general-purpose AI models;
  • up to €7.5m or 1% of global annual turnover for providing incorrect information, incomplete or misleading information.

Challenges

• Legal uncertainty from self-conformity assessment
• High administrative burden from documentation obligations, including: 
  • Risk management system
  • Registration of stand-alone AI systems in EU database
  • Declaration of conformity needs to be signed
  • For generative AI: Sufficiently detailed summary of copyrighted material training data, safeguards to ensure legality of output

• Overlap with GDPR / redundancies