EU moves AI rules into practice
Europe is shifting from writing AI laws to actually enforcing them, with the Commission closing consultation on procedural rules and starting implementation work that will create obligations for providers of general-purpose models. This push will matter to banks and asset managers because AI underpins climate analytics, onboarding and portfolio monitoring, so institutions will need model governance, vendor checks and documentation to comply. The consultation closure and implementation focus were reported by Digital Watch Observatory. (dig.watch)
# EU moves AI rules into practice

Europe’s Artificial Intelligence Act is no longer just a headline about lawmaking. The European Commission has moved into the implementation phase, after closing a targeted consultation on how to interpret rules for general-purpose artificial intelligence models and publishing guidance on what providers are expected to do in practice. The shift is important because the first wave of obligations for these models already started applying on August 2, 2025, while the Commission’s enforcement powers begin applying on August 2, 2026. (digital-strategy.ec.europa.eu)

The consultation was part of the Commission’s effort to answer a basic but commercially important question: who exactly counts as a provider of a general-purpose artificial intelligence model, and what actions trigger legal responsibility under the Act. In its April 22, 2025 notice, the Commission said the consultation would help shape guidelines on issues such as what qualifies as a general-purpose model, which entities are providers in different business arrangements, and what counts as “placing on the market” in the European Union. Feedback was invited through May 22, 2025. (digital-strategy.ec.europa.eu)

That matters because general-purpose models sit underneath many other tools. They can be adapted for language processing, content generation, data analysis, and a wide range of downstream applications, which means the law is not aimed only at chatbot makers. It also reaches firms that build, modify, package, or deploy foundational models that other businesses rely on. (dig.watch)

The Commission’s guidance tries to narrow that uncertainty. According to the published guidelines, only actors making significant modifications to a model are treated as taking on provider obligations, while minor changes do not automatically shift that burden.
The guidance also explains conditions under which open-source providers may be exempt from certain obligations, and it frames the rules as a practical interpretation of how the Commission will supervise the market. The guidelines are not legally binding on their own, but they are meant to guide enforcement. (digital-strategy.ec.europa.eu)

The compliance duties themselves are concrete. The Digital Watch Observatory summary, drawing on official European Union materials, notes that providers of general-purpose artificial intelligence models are expected to prepare and maintain technical documentation. The Commission’s own guidance says providers should assess whether the rules apply to them, review model risks, and prepare for compliance, while providers of the most advanced models that pose systemic risks must notify the European Union’s Artificial Intelligence Office. (dig.watch)

The timeline is phased rather than immediate. General provisions and prohibitions under the Act started applying on February 2, 2025. Rules for general-purpose artificial intelligence models and governance arrangements applied from August 2, 2025. Most of the remaining Act, including rules for many high-risk systems and broader enforcement, is scheduled to apply from August 2, 2026, with some regulated-product requirements following on August 2, 2027. (ai-act-service-desk.ec.europa.eu)

For banks and asset managers, this is less about building giant frontier models and more about proving control over the tools they already use. Artificial intelligence now appears inside climate analytics, anti-money-laundering screening, customer onboarding, fraud detection, document review, research workflows, and portfolio monitoring. If any of those functions depend on a third-party general-purpose model, the institution may need to understand not just the application layer but the model supply chain underneath it.
This is an inference from the Commission’s implementation focus on downstream use, provider responsibility, and documentation duties. (digital-strategy.ec.europa.eu)

That changes procurement. A bank buying an artificial intelligence-enabled vendor product can no longer treat the model as a black box if the vendor itself depends on a general-purpose model provider with European Union obligations. Vendor due diligence may now need to cover who built the underlying model, whether it was significantly modified, what documentation exists, whether the provider follows the Code of Practice, and how risk information will be shared if regulators ask questions. The Commission has said signing the Code of Practice may reduce administrative burden and serve as a benchmark for compliance. (digital-strategy.ec.europa.eu)

It also changes internal governance. Firms that use artificial intelligence in regulated workflows will need records showing what model was used, what it was used for, what human oversight existed, and how outputs were monitored. That is the natural operational response to a regime built around technical documentation, risk classification, and supervisory review. In practice, compliance teams, model risk teams, legal teams, and procurement teams will have to work from the same inventory instead of treating artificial intelligence as a side project inside innovation groups. This is an inference based on the obligations and enforcement structure described by the Commission and the European Union timeline. (digital-strategy.ec.europa.eu)

Another consequence is that the European Union is drawing a line between guidance and enforcement. The Commission has emphasized that the guidelines explain how it interprets the law, while the Code of Practice is a voluntary tool to help providers meet their obligations.
But from August 2, 2026, the Commission’s enforcement powers apply to providers of general-purpose artificial intelligence models, including the ability to impose fines. That means the current period is not a pause; it is the last stretch of preparation before supervision becomes more formal. (digital-strategy.ec.europa.eu)

The broader signal is that Europe is trying to turn a principles-based debate into an operating system for oversight. During the legislative phase, the main questions were political: how strict should the law be, which systems are high risk, and how should innovation be protected. In the implementation phase, the questions are procedural: who must document what, who notifies whom, what evidence must be retained, and how regulators will interpret borderline cases. (dig.watch)

For financial institutions, the practical takeaway is simple. If a product, workflow, or control process uses artificial intelligence, firms should now assume that European Union compliance will require an audit trail behind it. That means model governance, vendor checks, documentation, and escalation paths are moving from best practice to expected practice as the Artificial Intelligence Act enters its enforcement era. (digital-strategy.ec.europa.eu)