EU AI Act: A Revolutionary Landmark Legislation for Artificial Intelligence 2024

The EU AI Act is no longer a proposal on the horizon; it is now the law of the land across the European Union, and its rules are actively reshaping how companies build, deploy, and monitor artificial intelligence (AI) systems. The EU AI Act entered into force on August 1, 2024, and reached full applicability on August 2, 2026, though a major set of amendments adopted this year has reshuffled several of its most consequential deadlines.

It remains the first comprehensive horizontal AI regulation in the world, and it continues to set a reference point other jurisdictions are watching closely. It arrives at a moment when generative AI models are advancing rapidly, capable of producing convincing text, images, code, and video but also carrying real risks around scams, misinformation, and non-consensual content. Other regions, including the US and China, have pursued their own AI governance approaches, though none match this regulation’s binding, risk-tiered structure.

In May, EU legislators reached a political agreement on a “Digital Omnibus on AI” that postpones several compliance deadlines, tightens a few definitions, and adds new prohibited practices. Any organization whose compliance planning predates that agreement should treat this piece as a refresh: parts of the original timeline are no longer accurate.

How does the EU AI Act classify AI models?

The EU AI Act sorts AI systems into risk tiers, with obligations scaling to the potential harm a system could cause.

  • Unacceptable risk: Systems banned outright under the EU AI Act, including those using biometric data to infer sensitive traits such as sexual orientation, social scoring, and manipulative “subliminal” techniques. These prohibitions have applied since February 2025.
  • High risk: Systems used in domains like hiring, credit scoring, and law enforcement face strict obligations; providers must demonstrate safety, transparency, and non-discrimination compliance, register in a public EU database, and monitor real-world performance.
  • Low or minimal risk: Systems such as chatbots and AI-enabled games carry light-touch obligations, mainly around disclosing that a user is interacting with AI-generated content.
  • General-purpose AI (GPAI): Broad, unpredictable-use systems like large generative models fall under a two-tier regime. The first tier covers all general-purpose models except those used purely for research or released under a genuinely open-source license; these must disclose training methods, energy consumption, and copyright compliance measures.
  • The second GPAI tier applies to models with “high-impact capabilities” carrying systemic risk. Any model trained using more than 10^25 FLOPs (floating-point operations) qualifies as high-impact and must undergo rigorous safety and cybersecurity testing, along with architecture and data-source disclosure.

Violating these rules can mean fines of up to €35 million or 7% of a company’s total annual worldwide turnover, whichever is higher, for the most serious breaches, with lower tiers of up to €15 million or 3% for other violations.

What changed under the Digital Omnibus?

In May, EU negotiators agreed the first substantial amendments to the EU AI Act since its original adoption, largely in response to concerns that the original rollout was moving faster than businesses and regulators could realistically handle. The key changes:

  • High-risk Annex III systems (recruitment, credit scoring, law enforcement, education, and border control): compliance pushed from August 2026 to December 2, 2027, a deferral of well over a year.
  • AI embedded in regulated products under Annex I, such as medical devices, machinery, and vehicles: deadline extended to August 2, 2028.
  • Transparency and watermarking obligations under Article 50: still take effect on August 2, 2026, for new systems, but AI systems already on the market before that date get a grace period on watermarking specifically until December 2, 2026.
  • National AI regulatory sandboxes: the requirement for member states to stand these up is delayed a year, to August 2027.
  • A new prohibition: AI systems that generate or manipulate non-consensual intimate imagery (“nudifiers”) or child sexual abuse material are now explicitly banned, effective December 2, 2026.
  • Industrial carve-out: AI used in industrial applications already regulated under the EU’s Machinery Regulation is now exempt from EU AI Act obligations, avoiding duplicate compliance work.

These amendments still require formal adoption and publication in the Official Journal to take binding legal effect, but co-legislators have described the new high-risk deadlines as fixed, specifically to avoid the ambiguity that surrounded the original date.

What are the implications for research and innovation?

Reaction from the research community remains mixed. Some researchers welcome its potential to encourage open science and responsible disclosure, while others worry it could slow down innovation, particularly for smaller players.

The regulation exempts systems developed purely for research, development, or prototyping, so most academic work sits outside its direct obligations. Even so, researchers still have to weigh how their published models could be used or misused downstream and how transparently they report training data, methods, and known biases.

Some in the field argue that regulating models by compute scale rather than by actual use or demonstrated harm doesn’t hold up scientifically — the concern being that a model’s size alone says little about how dangerous or beneficial its applications turn out to be. Others counter that a compute threshold, however imperfect, gives regulators a workable proxy where “actual harm” would otherwise be impossible to assess before deployment.

Smaller companies and startups face a particular strain: standing up the internal compliance structures it requires- documentation, testing, registration — can be costly and slow relative to the resources of large incumbents, even with the extended timelines the Digital Omnibus now provides.

Will the act promote open-source AI?

The EU AI Act has been framed as an opportunity to strengthen Europe’s position in open-source AI, which by definition is publicly available, replicable, and transparent. The regulation offers exemptions and lighter obligations for open-source general-purpose models, an intentional design choice tied to the EU’s broader ambition to compete with the US and China by leaning into open science and collaborative development.

That said, the regulation still doesn’t spell out a precise, uncontested definition of what qualifies as “open-source” for exemption purposes. Legislators generally intend widely-used open models to benefit from lighter treatment, but the language leaves room for interpretation – a gap legal and policy observers continue to flag as unresolved even after the Digital Omnibus amendments.

How will the act be enforced?

The European AI Office, working alongside national market surveillance authorities in each member state, is now actively responsible for implementing and enforcing the EU AI Act. Enforcement of GPAI-specific fines began August 2, 2026, and the AI Office has already published guidelines and a draft Code of Practice covering transparency and content-labeling obligations.

The EU AI Act also leans on self-reporting: developers and deployers must report incidents or rule breaches and take corrective action, and the regulation gives individuals mechanisms to seek redress if harmed by an AI system.

Some skepticism persists around whether the AI Office has the resources and technical depth to meaningfully scrutinize claims from developers of very large, complex models, a concern that predates the Digital Omnibus and hasn’t been fully resolved by the timeline extensions. Companies are advised to treat the extended deadlines as planning runway rather than reasons to deprioritize compliance work under the EU AI Act, since GDPR-based enforcement of AI systems is already happening in parallel, independent of its own timeline.

FAQs

Is the EU AI Act already in force, or is it still pending?

It’s in force. The EU AI Act took effect in August 2024, and most of its rules became fully applicable by August 2026, with some high-risk deadlines now pushed later under the Digital Omnibus.

What is the Digital Omnibus and why does it matter?

It’s a package of amendments to the EU AI Act that delays high-risk system deadlines by over a year and adds new bans on AI-generated non-consensual imagery, easing the original crunch on compliance teams.

Does the EU AI Act apply to companies outside the EU?

Yes, the EU AI Act applies to any provider or deployer whose AI system is placed on the EU market or affects people in the EU, regardless of where the company is headquartered.

Are open-source AI models exempt from the EU AI Act?

Partially. Many open-source general-purpose models get lighter obligations, but the exemption’s exact boundaries are still debated, and high-impact models remain covered regardless of license.

What happens if a company doesn’t comply with the EU AI Act?

Fines scale by severity, up to €35 million or 7% of global annual turnover for the most serious violations, with lower caps for lesser breaches.

Summarize using AI:
Share:
Comments:

Subscribe to Newsletter

Follow Us