EU AI Act Officially Becomes Law
The European Parliament has formally approved the EU AI Act, establishing the world's first comprehensive AI regulations. The law mandates risk categorization for all AI systems, with high-risk applications in finance and healthcare facing strict requirements for quality management, human oversight, and post-market monitoring. This move solidifies compliance as a core product feature, not an afterthought.
The EU AI Act's tiered, risk-based approach categorizes systems as unacceptable, high, limited, or minimal risk. Prohibited "unacceptable risk" applications, banned as of February 2025, include government-run social scoring, predictive policing based solely on profiling, and untargeted scraping of facial images from the internet or CCTV to create facial recognition databases. Also forbidden are AI systems that use subliminal techniques or exploit vulnerabilities to materially distort behavior and cause harm.
High-risk systems, such as those in critical infrastructure, medical devices, and employment, are not banned but face stringent requirements before and during their market lifecycle. These obligations include comprehensive risk assessments, high-quality data governance to minimize bias, detailed technical documentation, activity logging for traceability, and ensuring a high level of accuracy, robustness, and cybersecurity. These rules for high-risk systems will become fully applicable in August 2026.
The regulation introduces specific rules for "general-purpose AI (GPAI) models," also known as foundation models. Providers of all GPAI models must maintain detailed technical documentation and provide summaries of the copyrighted data used for training. Models identified as posing "systemic risk"—a designation presumed for models trained using more than 10^25 FLOPs—face tougher obligations, including model evaluations, reporting serious incidents to the new EU AI Office, and ensuring robust cybersecurity measures.
To oversee the new rules, a central EU AI Office has been established within the European Commission. This body will play a crucial role in enforcing regulations for general-purpose AI, supporting the uniform application of the Act across member states, and promoting trustworthy AI innovation. It will also assist in developing standards and codes of practice to guide compliance.
Penalties for non-compliance are severe and structured in tiers. The highest fines, for violations involving prohibited AI practices, can reach up to €35 million or 7% of a company's total worldwide annual turnover, whichever is higher. Breaches related to high-risk systems can incur fines of up to €15 million or 3%, while providing incorrect information can lead to penalties of up to €7.5 million or 1% of global turnover.
The Act includes provisions for "regulatory sandboxes" to foster innovation. These controlled environments, which each member state must establish by August 2026, allow companies to develop, test, and validate innovative AI systems for a limited time under the supervision of national authorities. This is intended to provide legal certainty and support market access, especially for SMEs and startups.
The regulation offers some exemptions for open-source AI to support research and innovation. The Act generally does not apply to AI systems released under free and open-source licenses unless they are marketed as high-risk, fall into a prohibited category, or have specific transparency requirements. However, the practical scope of these exemptions may be limited, as many open-source applications could still fall under these regulated categories.
The EU AI Act is expected to have a significant global impact, creating a "Brussels effect" where it becomes a de facto international standard, much like the GDPR for data privacy. Its extraterritorial reach means it applies to any company providing AI systems or services used within the EU, regardless of where the company is based. This is likely to influence AI policy development and international cooperation worldwide.