EU moves AI rules into practice

Europe’s artificial intelligence law stopped being a future problem on August 2, 2025, when the European Union’s rules for general-purpose models started to apply to companies putting those models on the market. The European Commission then followed with detailed guidance and a code of practice in July 2025, which turned broad legal duties into checklists for product, legal, and security teams. (ec.europa.eu) A general-purpose model is Europe’s term for a model that can do many different jobs and be plugged into many downstream tools, like a foundation poured once and used for many buildings. The Commission says providers of those models must prepare technical documentation, put in place a copyright policy, and publish a summary of the content used for training. (ec.europa.eu) That sounds bureaucratic until you look at who needs the paperwork. Europe says downstream providers need enough information about the model to integrate it into their own systems and meet their own duties under the law, so missing documentation at the model layer creates compliance problems all the way down the supply chain. (ec.europa.eu) The new push is not just about publishing a PDF and moving on. The general-purpose code of practice, published on July 10, 2025, is a voluntary route to show compliance, and it covers documentation, copyright, safety and security measures for the most powerful models. (ec.europa.eu) Europe also drew a line between ordinary general-purpose models and models with “systemic risk,” which is its label for models powerful enough to create broader market or safety effects. For those models, the Commission says providers must notify Brussels, assess and mitigate systemic risks, report serious incidents, and maintain cybersecurity protections. (ec.europa.eu) That changes the engineering work. If a company wants to sell one frontier model into both Europe and non-European markets, it now needs version control for training data summaries, access logs for who can inspect or fine-tune the model, and audit trails for incidents and mitigations that can stand up to regulators. (ec.europa.eu) The enforcement calendar is staggered, but the build work is not. The Commission says the rules became applicable on August 2, 2025, while enforcement by the European Union’s artificial intelligence office comes one year later for new models and two years later for existing models, which gives companies a runway but not much excuse to wait. (ec.europa.eu) This sits inside a bigger rollout. The European Union’s ban on certain artificial intelligence practices started applying on February 2, 2025, the general-purpose model rules began on August 2, 2025, and most of the rest of the law, including many high-risk system rules, is scheduled to apply from August 2, 2026. (ec.europa.eu 1) (ec.europa.eu 2) The practical result is that Europe is forcing artificial intelligence governance into the product stack itself. A model provider can no longer treat provenance, permissions, incident reporting, and oversight as policy memos for later, because the law now expects those controls to exist where the model is built, updated, and shipped. (ec.europa.eu)