EU AI Act Shapes Compliance as a Product Feature
Analysis suggests the EU AI Act's primary influence is making compliance the "path of least resistance" for AI vendors. Platforms are now competing to operationalize compliance by offering built-in audit tools and automated documentation. A new comparison highlights the overlapping requirements between the Act, NIST's AI RMF, and ISO/IEC 42000, pushing vendors to support multiple frameworks.
The EU AI Act's phased implementation began after entering into force in August 2024, with full application for high-risk systems expected by August 2026. Prohibitions on specific "unacceptable risk" AI practices, such as social scoring, became effective in early 2025. Penalties for non-compliance are substantial, reaching up to €35 million or 7% of a company's global annual turnover for the most serious violations, a figure that surpasses potential GDPR fines. Lesser infringements, such as providing incorrect information to authorities, can still result in fines up to €7.5 million or 1% of global turnover.

The newly established European AI Office is central to the Act's enforcement, with exclusive powers to supervise general-purpose AI (GPAI) models. This office will develop testing benchmarks, draft codes of practice in cooperation with developers, and investigate possible rule infringements.

The Act defines "high-risk" AI systems based on their intended purpose in sensitive sectors like critical infrastructure, education, employment, and law enforcement. These systems must undergo rigorous risk assessments, ensure high-quality data governance, log activity for traceability, and allow for human oversight before market entry.

For general-purpose AI (GPAI) models, particularly those with over a billion parameters or trained with significant computational resources (presumed at over 10^25 FLOPs), specific obligations apply. Providers of these models, especially those deemed to have "systemic risk," face heightened requirements, including model evaluation, risk mitigation, and incident reporting.

The regulation includes specific, though limited, exemptions for open-source AI to foster innovation. These exemptions do not apply if an open-source system is classified as high-risk, used for prohibited purposes, or monetized. This creates a complex compliance landscape for developers who must navigate between open-source principles and regulatory obligations.
Concerns persist within the tech community that the Act could stifle innovation and place European companies at a competitive disadvantage. Critics point to the potential for a "brain drain," with some startups considering moving outside the EU to avoid stringent regulations. The legislation's success may hinge on the timely development of clear standards and codes of practice to guide companies through the new requirements.