EU AI Act Moves Into Implementation
The European Commission has closed consultation on draft procedure rules and is shifting from abstract lawmaking to concrete implementation of the AI Act. That means providers of general‑purpose models and any firm using high‑risk systems should be preparing documentation, model-access procedures and compliance controls ahead of enforcement windows. (European Commission consultation closes on draft AI Act procedure rules | Digital Watch Observatory) (The implementation of the EU AI Act with a focus on general-purpose AI models | Digital Watch Observatory)
Europe’s artificial intelligence law is no longer sitting on a shelf. The European Commission has finished one consultation on how the rules will work in practice, and the calendar now points to enforcement dates that start with banned uses in February 2025, general-purpose model rules in August 2025, and most high-risk system rules in August 2026. (digital-strategy.ec.europa.eu) (ai-act-service-desk.ec.europa.eu) The law itself is Regulation (European Union) 2024/1689, and it sorts artificial intelligence into buckets the way a building code sorts elevators, wiring, and fire exits. Some uses are banned outright, some are allowed with heavy paperwork and testing, and some face lighter transparency duties. (digital-strategy.ec.europa.eu) (eur-lex.europa.eu) The first bucket already bit on 2 February 2025. The Commission published guidelines that month on prohibited practices like certain manipulative systems, some social scoring uses, and some real-time remote biometric identification uses, which means this part of the law is already live. (digital-strategy.ec.europa.eu) (ai-act-service-desk.ec.europa.eu) The next bucket covers general-purpose models, which are the base engines behind tools that write text, generate images, or answer questions across many tasks. Their rules started applying on 2 August 2025, so the companies building foundation models are already inside the compliance window even if enforcement for some models comes later. (digital-strategy.ec.europa.eu) (ec.europa.eu) For those model providers, the European Commission says the core chores are technical documentation, a copyright policy, and a public summary of the training content. If a model is classified as having systemic risk, the list gets longer and includes risk assessment, incident reporting, and cybersecurity protections. (digital-strategy.ec.europa.eu 1) (digital-strategy.ec.europa.eu 2) To make that less abstract, the Commission backed a General-Purpose Artificial Intelligence Code of Practice written by 13 independent experts with input from more than 1,000 stakeholders. The code was published in July 2025, and the Commission later said it can serve as a voluntary way for providers to show they are meeting the law’s duties. (digital-strategy.ec.europa.eu 1) (digital-strategy.ec.europa.eu 2) (digital-strategy.ec.europa.eu 3) The office policing much of this is not a national regulator in Paris or Berlin but the European Artificial Intelligence Office inside the Commission. That office is the center of expertise for the law and directly enforces the rules for general-purpose models across the European Union. (digital-strategy.ec.europa.eu) The biggest date left for ordinary companies is 2 August 2026. That is when most of the law starts biting for high-risk systems listed in Annex III, along with transparency rules in Article 50 and national-level enforcement across the bloc. (ai-act-service-desk.ec.europa.eu) (eur-lex.europa.eu) High-risk does not mean “uses a lot of computing power.” It means systems used in sensitive areas named in the law, like employment, education, essential services, law enforcement, migration, and parts of critical infrastructure, where a bad model can act like a faulty gatekeeper for jobs, loans, exams, or border decisions. (eur-lex.europa.eu) (digital-strategy.ec.europa.eu) That is why the boring parts now matter more than the flashy demos. Companies using high-risk systems need risk management files, technical documentation, human oversight procedures, record-keeping, and conformity assessment work before August 2026, because those controls are the legal equivalent of showing the inspector your blueprints before the building opens. (ai-act-service-desk.ec.europa.eu) (eur-lex.europa.eu) The Commission is still filling in the operating manual around the edges. In late 2025 it opened consultations on transparency obligations, serious incident reporting, and text-and-data-mining rights reservations, which shows the law is moving from one big statute into a stack of templates, guidance notes, reporting forms, and process rules. (digital-strategy.ec.europa.eu 1) (digital-strategy.ec.europa.eu 2) (ai-act-service-desk.ec.europa.eu) So the change in Europe is not a new headline ban or a surprise vote. It is that the European Union has moved into the stage where model makers need auditable paperwork, deployers need internal controls, and regulators are building the checklists they will use when the deadlines hit on 2 August 2026 and after. (digital-strategy.ec.europa.eu) (ai-act-service-desk.ec.europa.eu)
