The
European Parliament voted to adopt the EU AI Act in March 2024 by a margin of
523 votes to 46, ending a three-year legislative process that produced the
world’s first comprehensive legal framework for artificial intelligence. The
vote was accompanied by statements from MEPs describing it as a historic
moment for technology governance, and from AI companies ranging from cautious
acceptance to pointed criticism of specific provisions they had failed to
amend during the legislative process. The significance of the vote is real:
the AI Act establishes a precedent for AI governance that is already
influencing regulatory approaches in dozens of countries, imposes binding
requirements on the world’s most powerful AI systems, and creates enforcement
infrastructure with genuine teeth in the form of fines up to seven percent of
global annual turnover for the most serious violations.
Understanding what the AI Act actually requires, as distinct from
how it has been characterised in coverage that ranges from breathless about
its ambition to dismissive about its enforceability, is important for anyone
seeking to understand the direction of AI governance globally. The Act is
neither the comprehensive solution to AI risk that its most enthusiastic
proponents claimed nor the bureaucratic overreach that its critics alleged.
It is a detailed, risk-proportionate regulatory framework with genuine
strengths, genuine gaps, and a phased implementation timeline that means its
full effects will not be visible for several years.
What the Act Prohibits
The Act’s prohibition on unacceptable risk AI applications is its
most visible provision. Real-time remote biometric identification of
individuals in public spaces by law enforcement is prohibited with limited,
strictly defined exceptions for specific serious crime investigations subject
to prior judicial authorisation. This prohibition addresses a technology that
civil liberties organisations across Europe had identified as the most
immediate threat to the right to move through public space anonymously.
Social scoring systems operated by public or private entities that evaluate
individuals based on their social behaviour and restrict their access to
services are prohibited, a provision specifically designed to prevent the
emergence of Chinese-style social credit systems in European jurisdictions.
AI systems that exploit cognitive vulnerabilities, including unconscious
biases, to manipulate behaviour in ways that cause harm are prohibited, as
are AI applications that categorise individuals based on biometric
characteristics to infer sensitive attributes including political views,
sexual orientation, and religious beliefs.
These prohibitions took effect in February 2025, six months ahead
of the general application of most other AI Act provisions. Organisations
that had deployed systems in these categories, whether knowingly or not,
faced the most immediate compliance pressure, and several systems were
modified or discontinued ahead of the deadline. The enforcement of these
prohibitions across the EU’s 27 member states is the responsibility of
national AI authorities, whose resources and enforcement capacity vary
significantly, creating implementation consistency challenges that the
European AI Office is working to address through coordination and
guidance.
ChatGPT, Claude, and General-Purpose AI Rules
The provisions most directly relevant to widely used AI products
like ChatGPT and Claude are those governing general-purpose AI models. Under
the Act, providers of general-purpose AI models must publish technical
documentation about their models’ capabilities and limitations, comply with
EU copyright law in their training data practices, and publish summaries of
the training data used. Models classified as having systemic risk, currently
defined as those trained using more than 10^25 floating point operations,
face additional requirements including adversarial testing, incident
reporting, cybersecurity obligations, and energy efficiency
disclosure.
OpenAI, Anthropic, Google, and Meta have all engaged with the
European AI Office on GPAI compliance, with varying degrees of transparency
about their model training processes and capabilities. The copyright
compliance requirement is particularly significant in light of the ongoing
litigation over training data practices: the Act requires compliance with EU
copyright law, but what exactly EU copyright law requires for AI training
remains subject to interpretation pending court rulings and guidance from the
European Commission. The European
Commission’s digital strategy directorate has published guidance
that provides some clarity but leaves important questions unresolved pending
judicial interpretation.
Deepfake Disclosure Requirements
The AI Act includes specific provisions on AI-generated synthetic
content, requiring that deepfake audio, video, and images be labelled as
artificially generated in a way that is machine-readable and, for content
intended for human consumption, clearly visible. These labelling requirements
apply to content generated for entertainment, news, or political purposes,
with exceptions for artistic or satirical content where labelling would
undermine the intended effect. The practical implementation of these
requirements depends on technical standards for labelling that are still
being developed through standardisation processes involving ETSI and ISO,
with a timeline that means mandatory labelling is unlikely to be technically
operational before 2026 in most deployment contexts.
What This Means for You
If you use AI products within the EU, the AI Act is progressively
strengthening your rights to transparency about how AI systems that affect
you work, your protection from the most harmful AI applications, and your
ability to seek redress when AI systems cause harm. If you use AI products
outside the EU but provided by companies with EU market presence, the AI
Act’s requirements are shaping how those products are designed and governed
in ways that affect users globally. For UK users and organisations,
monitoring AI Act implementation and its effects on products and services you
use, and engaging with UK regulatory developments that may or may not track
the EU approach, is the most relevant practical response to a regulatory
development whose effects extend well beyond European borders. For related
analysis, see our coverage of how
the AI Act is reshaping global AI development and AI
regulatory gaps in the UK.
The AI Act’s interaction with existing EU law creates compliance
complexity that organisations are only beginning to address. An AI system
used in HR decisions may simultaneously face AI Act high-risk requirements,
GDPR Article 22 automated decision-making provisions, and sector-specific
employment law obligations with potentially inconsistent requirements across
these frameworks. The European Data Protection
Board and European AI Office have published joint guidance on AI
Act-GDPR interaction, but the guidance is necessarily general and specific
compliance questions require legal analysis that many organisations are only
beginning to commission. Smaller organisations without the legal resources of
major technology companies face particular challenges navigating overlapping
requirements, and the compliance support ecosystem serving this market is
still developing. Building accessible, practical compliance guidance for
small and medium enterprises is a priority that the European AI Office has
acknowledged but not yet fully delivered against.
The AI Act’s impact on AI
development practices extends beyond compliance to the deeper question of
whether regulatory requirements produce better AI systems as a genuine
outcome rather than merely better-documented AI systems. Early evidence from
organisations that have implemented AI Act-aligned governance practices
suggests that the conformity assessment and transparency requirements produce
genuinely useful internal information about AI system behaviour that was not
previously systematically collected. The discipline of preparing
documentation that must satisfy regulatory scrutiny encourages more rigorous
internal evaluation than organisations typically conduct absent that external
requirement. Whether this effect on development practice is sustained as
compliance processes mature and become routine, or whether organisations find
ways to satisfy formal requirements without the substantive evaluation that
motivates them, will be one of the most important questions in AI regulation
to watch over the coming years.
About the Author
Stuart Kerr is a technology correspondent at LiveAIWire, covering
artificial intelligence, digital innovation, and the social impact of emerging
technologies. Follow LiveAIWire for daily analysis at liveaiwire.com.