Regulatory pressure on AI vendors

Europe is moving from “be careful with artificial intelligence” to “show your work.” A new compliance push around the European Union Artificial Intelligence Act tells companies to map every model, classify its risk level, document how it works, and make the whole stack auditable before the main August 2, 2026 deadline. (raconteur.net, eur-lex.europa.eu) That changes the job for software teams. Instead of treating compliance like a legal memo in a folder, companies are being told to build it into application programming interfaces, model integrations, logs, vendor records, and legacy systems that still feed data into newer tools. (raconteur.net) The European Union law works like a sorting system. Some uses are banned, some are lightly regulated, and “high-risk” systems in areas like hiring, education, critical infrastructure, and law enforcement face the heaviest obligations when the bulk of the rules apply in 2026. (eur-lex.europa.eu, artificialintelligenceact.eu) Now the second front is opening around OpenAI’s consumer product itself. Reuters reported on April 10 that the European Commission is analyzing whether ChatGPT should be treated as a very large online search engine under the Digital Services Act after user figures rose above the key threshold. (reuters.com, economictimes.indiatimes.com) That threshold is 45 million monthly users in the European Union. Services above it face the toughest Digital Services Act duties, including extra risk management, outside audits, and closer supervision by the European Commission. (digital-strategy.ec.europa.eu, digital-strategy.ec.europa.eu) So vendors are getting squeezed from two directions in Europe. The Artificial Intelligence Act asks what a model is allowed to do in sensitive use cases, while the Digital Services Act asks how a giant public-facing service is governed once millions of people use it. (eur-lex.europa.eu, digital-strategy.ec.europa.eu) At the same time, the politics in the United States are pulling the other way on liability. Wired reported that OpenAI backed an Illinois bill that would limit when frontier model developers can be sued for “critical harms” if they did not act intentionally or recklessly and if they published safety, security, and transparency reports. (wired.com) Wired said the Illinois proposal defines “critical harm” at an extreme scale, including death or serious injury of 100 or more people or at least $1 billion in property damage, and it applies to models trained with more than $100 million in computing costs. (wired.com) That creates a strange map for any company selling or buying artificial intelligence tools across borders. In Brussels, the pressure is to prove risk controls before and after deployment; in Illinois, the fight is over narrowing who pays when something goes badly wrong. (raconteur.net, wired.com) The practical result is that the compliance burden is shifting downstream into product design. Vendors now need inventories, documentation trails, testing records, and audit evidence for Europe, while customers need contracts and internal logs strong enough to show who made the model, who deployed it, and who controlled the risky decision. (raconteur.net, eur-lex.europa.eu) The old argument over artificial intelligence regulation was about principles like fairness, safety, and transparency. The new argument is about checklists, thresholds, audit trails, and who carries legal exposure when the same model crosses from Paris to Chicago. (eur-lex.europa.eu, digital-strategy.ec.europa.eu, wired.com)