April 08, 2025: The European Union’s AI Act has officially moved into the enforcement phase following final legislative approval, making it the first comprehensive regulatory framework for artificial intelligence in a major global economy. The law introduces a risk-based approach to AI regulation, placing obligations on developers, providers, and users depending on the application’s risk category.

The legislation classifies AI systems into four tiers: unacceptable, high-risk, limited-risk, and minimal-risk. Systems deemed “unacceptable” are banned outright. This includes biometric categorization based on sensitive traits, untargeted scraping of facial images, predictive policing based solely on profiling, and emotion recognition in workplaces or schools.

High-risk systems—such as those used in critical infrastructure, healthcare, law enforcement, border control, and education—must meet strict transparency, accuracy, human oversight, and cybersecurity requirements. Providers must conduct conformity assessments before placing such systems on the market and maintain detailed documentation for regulatory review.

General-purpose AI models, including large language and foundation models, will be regulated separately under additional transparency rules. Developers of such models must disclose training data sources, model capabilities, and limitations and ensure compliance with environmental and cybersecurity standards. Specific obligations will apply to “systemic” models with broad societal impact.

National supervisory authorities and a newly created European AI Office will oversee enforcement. Noncompliance penalties can reach up to €35 million or 7% of global turnover, whichever is higher. Startups and SMEs will have access to regulatory sandboxes and guidance to support compliance without stifling innovation.

The enforcement timeline is staggered: bans on prohibited uses take effect in six months, rules for general-purpose AI in 12 months, and high-risk application compliance within 24 months. Member states are required to establish or designate national competent authorities for monitoring.

Global companies operating in the EU must adapt their systems and documentation to the AI Act’s standards. The regulation is expected to influence international policy alignment, particularly in jurisdictions preparing their AI governance models, such as Canada, the UK, and the U.S.