EU Publishes AI Act Implementation Rules
The European Union has advanced its AI Act by publishing official regulatory instruments that detail compliance, documentation, and audit obligations for vendors. The implementing regulation sets enforcement deadlines for 2026 and beyond. This places the direct responsibility on AI providers to demonstrate conformity with the Act's risk-based classifications and transparency requirements.
- The Act establishes a four-tier risk classification: systems deemed "unacceptable risk," such as government-led social scoring or predictive policing, are prohibited. High-risk systems used in areas like critical infrastructure, employment, and law enforcement are subject to the most stringent requirements. - A new European AI Office, housed within the European Commission, has been created to oversee the Act's implementation and enforce the rules for general-purpose AI (GPAI) models. This office will support governance bodies in member states and develop evaluation methodologies for AI models. - Penalties for non-compliance are severe and are calculated based on a percentage of a company's global annual turnover. Fines for using prohibited AI systems can reach up to €35 million or 7% of global revenue, while violations for high-risk systems can incur fines of up to €15 million or 3% of global revenue. - The implementation timeline is staggered over several years. The ban on prohibited AI practices began in early 2025, obligations for providers of general-purpose AI models will apply from August 2025, and the comprehensive rules for high-risk systems will take effect on August 2, 2026. - Providers of "high-risk" AI systems must conduct a conformity assessment before their products enter the market. Depending on the specific use case and whether harmonized standards are used, this may require a third-party assessment from a nationally designated "Notified Body" or an internal self-assessment. - The regulation places specific obligations on providers of general-purpose AI (GPAI) models, often called foundation models. These providers must maintain detailed technical documentation, supply information to downstream developers integrating their models, and publish a summary of the content used for training. - GPAI models classified as having "systemic risk," which is presumed for models trained using a computing power greater than 10^25 floating-point operations (FLOPs), face additional mandates. These include performing model evaluations, assessing and mitigating systemic risks, and reporting serious incidents to the AI Office.
