EU AI Act is becoming operational reality

Europe’s artificial intelligence law is no longer a far-off policy debate. The European Commission says the rules for general-purpose artificial intelligence models started applying on August 2, 2025, and the Commission’s enforcement powers start on August 2, 2026 for new models. (digital-strategy.ec.europa.eu) That date split is why engineering teams are suddenly talking about logs instead of slogans. A rule can sit on a slide deck for a year, but once fines and enforcement arrive, companies need evidence that shows what a model did, when it did it, and which version was running. (digital-strategy.ec.europa.eu) The European Union wrote the law around risk, not around one specific model. The Commission’s overview says the Artificial Intelligence Act sorts systems by risk level, and the highest-risk uses face the heaviest duties while eight practices are banned outright. (digital-strategy.ec.europa.eu) That structure sounds abstract until you picture a credit score, a hiring screen, or a biometric system at a train station. If a company cannot reconstruct why the system produced a result, a regulator cannot check whether the system was safe, lawful, or unfair. (digital-strategy.ec.europa.eu) The law itself puts record-keeping in the plumbing, not in the public relations layer. The Official Journal text for Regulation (European Union) 2024/1689 says the Act creates obligations around transparency, technical documentation, and record-keeping to make rights and remedies work in practice. (eur-lex.europa.eu) For model makers, the first wave hit general-purpose systems such as large language models. The Commission’s guidance says providers must draw up technical documentation, implement a copyright policy, and publish a summary of training content, with extra duties for models that create systemic risk. (digital-strategy.ec.europa.eu) That pushes compliance work into ordinary engineering chores. A technical document is only useful if it matches the model version in production, and a training-content summary is only credible if the company can trace where data came from and which pipeline touched it. (digital-strategy.ec.europa.eu) Europe is also giving companies a practical playbook, not just a statute book. On July 10, 2025, the Commission said it had received the final General-Purpose Artificial Intelligence Code of Practice, built by 13 independent experts with input from more than 1,000 stakeholders. (digital-strategy.ec.europa.eu) That code is voluntary, but the incentive is obvious. The Commission says signatories can use it to demonstrate compliance and get lower administrative burden and more legal certainty than providers trying to prove everything from scratch. (digital-strategy.ec.europa.eu) So the operational change inside companies is pretty concrete. Teams now need tamper-resistant logs, version histories, incident records, and recoverable run histories for prompts, outputs, datasets, and model changes, because “trust us” is not an audit trail. (eur-lex.europa.eu, digital-strategy.ec.europa.eu) The quiet shift here is that compliance evidence is becoming part of the product itself. In Europe, an artificial intelligence system that cannot explain its lineage now looks less like a finished tool and more like a machine with no maintenance log. (digital-strategy.ec.europa.eu, eur-lex.europa.eu)