EU AI Act moves into engineering mode

Europe’s Artificial Intelligence Act was sold as a law about “risk,” but the next phase looks more like back-office engineering: model files, testing logs, training summaries, and named people who can answer regulators fast. The European Commission says the rules for general-purpose artificial intelligence models started applying on 2 August 2025, and its enforcement powers start on 2 August 2026. (digital-strategy.ec.europa.eu) That date split is the key to the whole story. Companies already have to line up their paperwork and processes now, because the same Commission page says fines-backed enforcement begins one year later for new models and by 2 August 2027 for models already on the market before 2 August 2025. (digital-strategy.ec.europa.eu) The law’s target here is the “general-purpose” model, which means a base model that can be reused for many jobs instead of one narrow task. The Commission says these models are the foundation for many different artificial intelligence systems, so the rules hit the model maker before the chatbot, coding tool, or search product built on top. (digital-strategy.ec.europa.eu) For all providers of those models, the Commission lists three core duties: draw up technical documentation, implement a copyright policy, and publish a summary of the model’s training content. That is where legal text turns into engineering tickets, because somebody has to know what data went in, what version shipped, and what evidence exists for each claim in the file. (digital-strategy.ec.europa.eu) A smaller group faces another layer. The Commission says models presumed to pose “systemic risk” are currently those trained with more than 10^25 floating-point operations, and those providers must notify the Commission, assess and mitigate risk, report incidents, and maintain cybersecurity protections. (digital-strategy.ec.europa.eu) The European Union is also telling companies that guidance, not just the statute, will shape what compliance looks like in practice. The Commission’s guidelines say they explain who counts as a provider, what counts as a significant modification, when open-source exemptions apply, and how the Commission will interpret the law when it enforces it. (digital-strategy.ec.europa.eu) That matters because many model makers do not build one clean product from scratch. The guidelines say only actors making “significant modifications” to a model take on provider obligations, while people making minor changes do not, which makes version control and change logs part of the compliance story. (digital-strategy.ec.europa.eu) The main compliance shortcut is a voluntary code, but “voluntary” does not mean casual. The Commission says the General-Purpose Artificial Intelligence Code of Practice was drafted by 13 independent experts with input from more than 1,400 participants, and companies that adhere to an approved code get a simpler way to demonstrate compliance and a more predictable enforcement path. (digital-strategy.ec.europa.eu) That code is organized like an operations manual. The Commission says it has three chapters — Transparency, Copyright, and Safety and Security — with the last chapter applying only to the most advanced models, which means companies need separate internal tracks for ordinary disclosure work and for higher-risk testing and security work. (digital-strategy.ec.europa.eu) The Commission previewed this shift months before the rules took effect. In its 22 April 2025 consultation, it said the guidance would answer practical questions like what a general-purpose model is, which entity is the provider in different business setups, what counts as “placing on the market,” and how the Artificial Intelligence Office would support compliance. (digital-strategy.ec.europa.eu) So the European Union story is no longer just Parliament votes and legal definitions. It is whether a lab can produce the technical documentation, training-content summary, incident reports, notification trail, and security evidence the Commission now expects on a calendar that runs from 2 August 2025 to 2 August 2027. (digital-strategy.ec.europa.eu)