EU Publishes AI Act Implementation Rules

Why it matters

- The Act establishes a four-tier risk classification: systems deemed "unacceptable risk," such as government-led social scoring or predictive policing, are prohibited. High-risk systems used in areas like critical infrastructure, employment, and law enforcement are subject to the most stringent requirements. - A new European AI Office, housed within the European Commission, has been created to oversee the Act's implementation and enforce the rules for general-purpose AI (GPAI) models. This office will support governance bodies in member states and develop evaluation methodologies for AI models. - Penalties for non-compliance are severe and are calculated based on a percentage of a company's global annual turnover. Fines for using prohibited AI systems can reach up to €35 million or 7% of global revenue, while violations for high-risk systems can incur fines of up to €15 million or 3% of global revenue. - The implementation timeline is staggered over several years. The ban on prohibited AI practices began in early 2025, obligations for providers of general-purpose AI models will apply from August 2025, and the comprehensive rules for high-risk systems will take effect on August 2, 2026. - Providers of "high-risk" AI systems must conduct a conformity assessment before their products enter the market. Depending on the specific use case and whether harmonized standards are used, this may require a third-party assessment from a nationally designated "Notified Body" or an internal self-assessment. - The regulation places specific obligations on providers of general-purpose AI (GPAI) models, often called foundation models. These providers must maintain detailed technical documentation, supply information to downstream developers integrating their models, and publish a summary of the content used for training. - GPAI models classified as having "systemic risk," which is presumed for models trained using a computing power greater than 10^25 floating-point operations (FLOPs), face additional mandates. These include performing model evaluations, assessing and mitigating systemic risks, and reporting serious incidents to the AI Office.

Key numbers

• The implementing regulation sets enforcement deadlines for 2026 and beyond.
• Fines for using prohibited AI systems can reach up to €35 million or 7% of global revenue, while violations for high-risk systems can incur fines of up to €15 million or 3% of global revenue.
• The ban on prohibited AI practices began in early 2025, obligations for providers of general-purpose AI models will apply from August 2025, and the comprehensive rules for high-risk systems will take effect on August 2, 2026.
• GPAI models classified as having "systemic risk," which is presumed for models trained using a computing power greater than 10^25 floating-point operations (FLOPs), face additional mandates.

What happens next

• This office will support governance bodies in member states and develop evaluation methodologies for AI models.
• The ban on prohibited AI practices began in early 2025, obligations for providers of general-purpose AI models will apply from August 2025, and the comprehensive rules for high-risk systems will take effect on August 2, 2026.
• Depending on the specific use case and whether harmonized standards are used, this may require a third-party assessment from a nationally designated "Notified Body" or an internal self-assessment.

Sources

• regulation sets
• The Act establishes
• A new European AI Office
• This office will support
• Penalties for non-compliance
• Fines for using prohibited
• The ban on prohibited
• Providers of "high-risk"
• Depending on the specific
• The regulation places
• GPAI models classified

Quick answers