EU AI Act moves toward enforcement

Europe’s artificial intelligence law is no longer a future threat sitting in a binder. The rules for general-purpose models started applying on August 2, 2025, and the European Commission is now turning broad legal text into checklists, forms, and supervisory practice. (digital-strategy.ec.europa.eu, dlapiper.com) A general-purpose model is Europe’s term for a model that can do many different jobs and then get built into other products, like a base engine sold to many carmakers. The Commission said on April 22, 2025 that it wanted input on basic questions like who counts as the provider and what counts as putting a model on the market. (digital-strategy.ec.europa.eu) That consultation closed on May 22, 2025, and it fed into guidance the Commission said would explain how it plans to interpret the law. The shift is from arguing over the words in Brussels to telling companies which documents they need on a regulator’s desk. (digital-strategy.ec.europa.eu) The core duty is paperwork, but not the harmless kind. Article 53 says providers of general-purpose models must keep technical documentation on training, testing, and evaluation, give downstream companies information they need to integrate the model, put in place a copyright policy, and publish a summary of the training data. (ai-act-service-desk.ec.europa.eu) In practice, that means a company selling a model into Europe cannot just say “trust us, it works.” It needs a file that explains how the model was built, what it was tested on, what limits it has, and what another company should know before plugging it into a chatbot, hiring tool, or medical workflow. (ai-act-service-desk.ec.europa.eu) For the most advanced models, Europe adds a second layer. Article 55 says providers of models with systemic risk must run standardized evaluations, test for failures with adversarial methods, assess and reduce systemic risks, report serious incidents, and secure the model and its infrastructure against misuse and cyberattacks. (ai-act-service-desk.ec.europa.eu) To make those duties usable, the Commission published a General-Purpose Artificial Intelligence Code of Practice on July 10, 2025. It is voluntary, but the Commission and the European Artificial Intelligence Board said companies that sign it can use it to demonstrate compliance and cut administrative burden. (digital-strategy.ec.europa.eu) The code is split into three chapters: transparency, copyright, and safety and security. The transparency chapter includes a model documentation form, which is the bureaucratic equivalent of being told not just to bring your homework, but to use the teacher’s template. (digital-strategy.ec.europa.eu) The enforcement machinery is also catching up. The European Union’s Artificial Intelligence Office became operational on August 2, 2025, and the law gives it a central role in supervising general-purpose models, while national authorities handle supervision inside member states. (dlapiper.com) The next date companies care about is August 2, 2026. That is when the Commission’s enforcement powers for general-purpose model rules apply, including fines, and when much of the broader compliance framework for high-risk systems also starts biting. (scl.org, dlapiper.com) Those fines are not symbolic. The law allows penalties of up to 35 million euros or 7 percent of worldwide annual turnover for some violations, and up to 15 million euros or 3 percent for many other obligations, depending on the breach. (ai-act-service-desk.ec.europa.eu) So the real change is not that Europe wrote another long law in 2024. The real change is that by 2025 and 2026, model makers and the companies that build on top of them are being handed the forms, timelines, supervisors, and penalty schedule that turn abstract rules into something closer to an audit. (eur-lex.europa.eu, digital-strategy.ec.europa.eu, ai-act-service-desk.ec.europa.eu)