Europe’s AI rulebook gap
Europe has built a legal framework for AI but the practical system to check compliance isn’t working yet, leaving firms stuck between rules and enforcement. The EU AI Act requires strict controls for high‑risk systems—risk management, data governance, transparency and human oversight—but the conformity‑assessment mechanism meant to verify those controls is not fully functional, creating operational ambiguity for buyers and vendors. At the same time regulators are testing which legal hat AI services wear: the European Commission is separately probing whether ChatGPT should count as a “large online platform” under the Digital Services Act, meaning the same service could face overlapping rules. (medium.com; thehindu.com)
Europe has written detailed rules for artificial intelligence, but the system meant to certify compliance for many high-risk tools is still not fully in place. The European Union’s Artificial Intelligence Act is Regulation (EU) 2024/1689, published in June 2024 and in force since August 1, 2024. Its bans on certain uses started applying on February 2, 2025, and its rules for general-purpose models started applying on August 2, 2025. For high-risk systems, the law requires risk management, data governance, technical documentation, record-keeping, transparency for deployers, human oversight, accuracy, robustness and cybersecurity. Those are the checks that matter for tools used in areas like employment, education and critical infrastructure. The catch is that some of those systems need an outside reviewer before they can be placed on the market, and that reviewer is a “notified body” designated by a member state. The Commission says notifying authorities supervise those bodies, while market surveillance authorities enforce the rules after products are on the market. That leaves companies with a split picture: the legal duties exist, but the compliance plumbing is still being assembled country by country. The Commission said member states were supposed to designate and empower national competent authorities by August 2, 2025. Brussels has tried to fill some of that gap with guidance instead of full certification machinery. In July 2025, the Commission issued guidelines on general-purpose artificial intelligence models, and it backed a voluntary code of practice published on July 10, 2025, as a tool providers can use to show compliance. That is only one side of the puzzle, because the same service can also fall under the Digital Services Act if regulators treat it as an online platform. The Digital Services Act has applied to all online platforms in the European Union since February 17, 2024, and it imposes its toughest duties on services with more than 45 million monthly users in the bloc. Under that law, “very large online platforms” and “very large online search engines” face extra obligations tied to systemic risks, audits and data access for vetted researchers. The Commission is the direct supervisor for those designated services. The Commission’s public list of designated very large online platforms and search engines, updated in 2026, does not list ChatGPT. That does not settle the policy question, but it shows the overlap debate is still more about classification and future enforcement than a final designation. So Europe now has an artificial intelligence law with phased deadlines, a separate platform law with its own threshold and enforcement track, and a compliance system that is uneven across the two. For buyers and vendors, the rulebook is no longer the missing piece; the working inspection system is.
