EU AI Act Triggers Global Compliance Scramble

The EU's phased implementation of the AI Act began with its entry into force in August 2024, but key obligations are staggered. Prohibitions on certain AI practices start applying in February 2025, rules for general-purpose AI (GPAI) models in August 2025, and full compliance for all high-risk systems is expected by August 2026. Enforcement will be handled by the newly formed European AI Office, which operates within the European Commission. This body has direct supervisory power over GPAI models and will coordinate with national authorities to ensure consistent application. Penalties for non-compliance are severe, with fines for prohibited practices reaching up to €35 million or 7% of a company’s worldwide annual turnover. The Act's extraterritorial reach affects any company whose AI systems are placed on the EU market or whose output is used within the Union. This directly impacts technology providers in China and elsewhere, who must now navigate the Act's requirements for risk management, data governance, and transparency to access the European market. In response, European standards organizations CEN and CENELEC are developing harmonized standards under a formal request from the Commission. Adherence to these standards, developed by the joint technical committee JTC 21, will grant a "presumption of conformity" with the AI Act's legal requirements, simplifying compliance. This elevates the strategic importance of participating in the standards development process. International standards are also playing a crucial role. ISO/IEC 42001, the first AI management system standard, provides a framework that aligns with the AI Act's requirements for risk management and governance. While not legally required, certification to this standard is seen as a key tool for demonstrating compliance and building trust. The Act introduces specific rules for general-purpose AI models, with stricter obligations for those deemed to pose "systemic risk." A model is presumed to have systemic risk if the computing power used for its training exceeds 10^25 floating-point operations (FLOPs). These high-impact models face additional requirements, including model evaluation, adversarial testing, and cybersecurity measures. Globally, the EU’s comprehensive, risk-based approach contrasts with the United States' more sector-specific, innovation-focused stance and China's state-led framework emphasizing security and economic development. While the EU aims to set a global benchmark, China has developed its own agile, layered regulations for areas like generative AI and algorithmic recommendations. This divergence creates a complex geopolitical landscape for international standards setting.