EU AI Act moves toward enforceable rules
The EU is shifting the AI Act from high-level principles to procedural rules, with consultations closing on draft safeguards for general-purpose models. That transition matters because once rules on model access and safeguards are formalised, vendors and deployers will face operational compliance requirements rather than vague guidance. For multinationals, Europe is becoming the jurisdiction most likely to force documentation, access controls and governance into day‑to‑day workflows. (dig.watch) (dig.watch)
Europe’s artificial intelligence law is no longer just a list of principles on paper. On April 8, 2026, the European Commission closed a consultation on draft procedure rules that spell out how it can inspect general-purpose artificial intelligence models and run enforcement cases. (dig.watch) Those draft rules get very specific. A Commission order for model access could require application programming interfaces, source code, model weights, hosting infrastructure, and even the same level of access a company gives its own employees. (dig.watch) The draft also says the Commission could require a provider to disable logging that tracks the Commission’s own access if that is needed to protect the evaluation process. In the same text, companies facing preliminary findings would get at least 14 days to respond and could see parts of the case file, with business secrets redacted. (dig.watch) This sits on top of a law that is already partly live. The European Union’s Artificial Intelligence Act entered into force on August 1, 2024, banned certain uses from February 2, 2025, and applies its rules for general-purpose models from August 2, 2025. (digital-strategy.ec.europa.eu 1) (digital-strategy.ec.europa.eu 2) General-purpose models are the broad engines underneath tools like chatbots, coding assistants, and image generators. The Commission says providers of those models need to know whether they fall inside the law, because the rules attach to the model maker before the software built on top reaches users. (digital-strategy.ec.europa.eu) For ordinary general-purpose model providers, the law points to three concrete chores. The European Commission’s code of practice says companies need model documentation, copyright compliance policies, and information that downstream developers can use to meet their own obligations. (digital-strategy.ec.europa.eu) (eur-lex.europa.eu) For the most advanced models, the bar is higher. The code of practice has a separate safety and security chapter for models with systemic risk, which is the European Union’s term for models powerful enough that failures could spread beyond one product or one company. (digital-strategy.ec.europa.eu) The code itself is voluntary, but it is not a side project. The Commission and the European Artificial Intelligence Board said providers that sign it can use it to show compliance with the law, which gives them more legal certainty than improvising their own method from scratch. (digital-strategy.ec.europa.eu) The next deadline is the one companies watch most closely. The Commission says its direct enforcement powers over general-purpose model providers apply from August 2, 2026, including fines, while older models placed on the market before August 2, 2025 get until August 2, 2027 to comply. (digital-strategy.ec.europa.eu) So the shift in Brussels is from “tell us your safety story” to “open the door, show the paperwork, and let inspectors test the engine.” For any company selling one model across the United States, Europe, and Asia, Europe is the place turning artificial intelligence governance into source-code access requests, documentation forms, and timed legal deadlines. (dig.watch) (digital-strategy.ec.europa.eu)
