EU AI Act moves from law to rules

Europe finished the headline fight over its Artificial Intelligence Act last year. Now it is doing the part companies actually lose sleep over: turning a 450-article law into checklists, guidance, and procedures that engineers and lawyers can follow on specific dates. (digital-strategy.ec.europa.eu) The shift is easiest to see around general-purpose artificial intelligence models, which the European Commission treats as the foundation models behind many downstream products. The Commission opened a targeted consultation on 22 April 2025 to help write guidance on what counts as one of these models and who in the chain is responsible. (digital-strategy.ec.europa.eu) That sounds technical, but it decides whether a company is just selling a tool or carrying legal duties for every business that builds on top of it. The Commission’s own guidance says these obligations for providers of general-purpose models started applying on 2 August 2025 across the European Union. (digital-strategy.ec.europa.eu) The law itself arrived in stages. The Artificial Intelligence Act entered into force on 1 August 2024, rules on prohibited practices began to apply on 2 February 2025, and the general-purpose model rules followed on 2 August 2025. (digital-strategy.ec.europa.eu, artificialintelligenceact.eu) For ordinary model providers, the core duties are not abstract ideas like “be responsible.” The Commission says they include keeping technical documentation, giving downstream companies enough information to integrate the model, publishing a summary of training data content, and setting a policy to comply with European Union copyright law. (digital-strategy.ec.europa.eu) For the biggest models, Europe adds another layer called systemic risk. The Commission says those providers must run model evaluations, assess and reduce systemic risks, report serious incidents, and protect against cybersecurity threats. (digital-strategy.ec.europa.eu) This is where “rules” start to matter more than “law.” A statute can say a provider must give enough information, but guidance has to spell out what “enough” means, which documents count, when access can be limited, and what a regulator will accept during an inspection. (digital-strategy.ec.europa.eu) The European Union has been building those details through a code of practice as well as formal guidelines. The general-purpose artificial intelligence code of practice was published on 10 July 2025 as a voluntary compliance tool, and the Commission paired it with guidelines on 18 July 2025 to clarify key concepts before the 2 August deadline. (digital-strategy.ec.europa.eu, digital-strategy.ec.europa.eu) Another example of this move from law to procedure is training data rights. On 2 December 2025, the Commission launched a consultation on protocols for reserving rights from text and data mining, which is the machinery providers need to recognize when rightsholders have said “do not use my material for training.” (digital-strategy.ec.europa.eu, ai-act-service-desk.ec.europa.eu) Enforcement is moving from theory to institutions too. The European Union created an Artificial Intelligence Office inside the Commission to help supervise general-purpose models, while national authorities handle much of the rest of the act, so companies now have to prepare for both central European Union oversight and country-level enforcement. (digital-strategy.ec.europa.eu) That is why this phase matters more than the original applause lines about Europe “regulating artificial intelligence first.” The expensive choices now are practical ones: what logs to keep, what access to grant, what safety tests to run, what copyright signals to honor, and how much evidence to hand a regulator when the knock comes. (digital-strategy.ec.europa.eu, digital-strategy.ec.europa.eu)