EU tightens AI rules; Colorado retreats

Colorado and the European Union are moving in opposite directions on AI compliance, and the split is now concrete enough to affect how software teams build products. On May 14, Colorado Governor Jared Polis signed SB 26-189, replacing the state’s 2024 AI Act with a narrower law that starts on January 1, 2027. (asanify.com) The new Colorado framework drops the original law’s duty of care, impact assessments and risk-management program requirements, and centers instead on notice, explanation and human review for certain automated decisions. The European side is moving on a stricter track. The EU’s Platform Work Directive, adopted in October 2024 and published in the Official Journal in November 2024, requires member states to transpose it by December 2, 2026. (eur-lex.europa.eu) That directive addresses employment status and algorithmic management in digital labor platforms, including automated monitoring and decision-making systems. ### What exactly did Colorado change? Colorado’s original AI law, SB 24-205, had been set to take effect on June 30, 2026. Instead, lawmakers passed SB 26-189 at the end of the 2026 session, and Polis signed it on May 14. The replacement law now takes effect on January 1, 2027. (asanify.com) SB 26-189 narrows the law to automated decision-making technologies used to materially influence “consequential decisions,” including decisions tied to employment, housing, lending, insurance, health care and government services. The new law removes the broader affirmative duty to prevent algorithmic discrimination and replaces the earlier compliance architecture with disclosure obligations, adverse-outcome explanations and an opportunity for meaningful human review. (eur-lex.europa.eu) ### Which obligations survived in Colorado? The Colorado rewrite keeps a smaller set of duties for covered systems. (asanify.com) Deployers must disclose use of automated decision-making technology before use, and after an adverse outcome must explain the system’s role and provide a path to human review. Developers must give deployers documentation on intended uses, limitations, risks, training-data categories and instructions for human review, while retaining compliance records for three years. The law also carves out a wide range of lower-risk or routine functions. DLA Piper said the statute excludes uses tied to cybersecurity, fraud prevention, sanctions compliance and system reliability, and excludes tools used only to summarize or present information for human review. (nixonpeabody.com) ### Why is the EU side being described as tougher? The EU framework now combines AI-specific rules with labor-specific rules. The European Commission says obligations for providers of general-purpose AI models entered into application on August 2, 2025, with Commission enforcement powers starting on August 2, 2026. Those guidelines are separate from the Platform Work Directive, which requires national laws by December 2, 2026. (asanify.com) Directive (EU) 2024/2831 focuses directly on algorithmic management in platform work. The official text says algorithm-based technologies, including automated monitoring systems and automated decision-making systems, have enabled the growth of digital labor platforms, and the directive sets rules on working conditions and personal-data protections in that context. (dlapiper.com) ### What does this mean for engineers building data-handling apps? Engineering teams building hiring, workforce or other decision-support tools should expect audit questions to center on records, review paths and data handling. Colorado’s new law explicitly keeps notice, explanation, human-review and three-year record-retention duties for covered uses. (digital-strategy.ec.europa.eu) The EU’s platform-work rules, meanwhile, put algorithmic management and worker data into a defined compliance framework. That points to practical product work: configurable retention policies, deletion flows, documentation on where data is stored, and logs showing when a human reviewed or overrode an automated outcome. (eur-lex.europa.eu) The next fixed date in that split regime is December 2, 2026, when EU member states must have transposed the Platform Work Directive, while Colorado’s replacement law begins on January 1, 2027. (asanify.com)