Wiki · Law · Last reviewed May 15, 2026

EU AI Act

The EU AI Act is Regulation (EU) 2024/1689, a risk-based legal framework for artificial intelligence systems and general-purpose AI models placed on the European Union market or used in the EU.

Definition

The EU AI Act is the European Union's horizontal AI law. It creates a common legal framework for the development, placement on the market, putting into service, and use of AI systems in the EU.

The law is not limited to EU companies. It can apply to providers, deployers, importers, distributors, and product manufacturers when AI systems or their outputs affect the EU market.

The Act entered into force on August 1, 2024, after publication in the Official Journal on July 12, 2024. Its obligations apply in phases rather than all at once.

Risk Model

The Act uses a risk-based structure. The central idea is that AI systems should face stronger obligations when they create higher risks for health, safety, fundamental rights, democratic processes, or the rule of law.

Prohibited practices. Certain AI practices are banned, including harmful manipulation, exploitation of vulnerabilities, certain social scoring practices, and other unacceptable-risk uses defined in the Act.

High-risk systems. High-risk AI systems are subject to stronger requirements, including risk management, data governance, technical documentation, record keeping, transparency to deployers, human oversight, accuracy, robustness, cybersecurity, conformity assessment, and post-market monitoring.

Transparency obligations. Some systems must disclose AI interaction or AI-generated content, including chatbots and certain synthetic media uses.

Minimal-risk systems. Many AI systems remain outside the Act's heavier obligations, though other EU laws may still apply.

General-Purpose AI

The Act separately regulates general-purpose AI models, or GPAI models, because they can be integrated into many downstream systems. This category is especially important for frontier model providers.

GPAI obligations include technical documentation, information for downstream providers, copyright-policy obligations, and publication of a sufficiently detailed summary of training content. Models with systemic risk face additional evaluation, risk assessment, incident reporting, cybersecurity, and safety obligations.

The European Commission received the final General-Purpose AI Code of Practice on July 10, 2025. The code is a voluntary tool intended to help providers demonstrate compliance with GPAI obligations.

Timeline

August 1, 2024. The AI Act entered into force.

February 2, 2025. General provisions, AI literacy duties, and prohibited-practice rules began to apply.

August 2, 2025. Rules for general-purpose AI models began to apply, and EU governance structures had to be in place.

August 2, 2026. Under the baseline Commission timeline, most rules begin to apply, including Annex III high-risk systems, Article 50 transparency obligations, innovation measures, and national and EU-level enforcement.

August 2, 2027. Baseline rules for high-risk AI systems embedded in regulated products begin to apply.

As of May 15, 2026, the rollout is still politically active. The Commission proposed Digital Omnibus changes to link some high-risk AI deadlines to the availability of support tools such as harmonised standards. On May 7, 2026, Council and Parliament negotiators announced a provisional agreement that would delay application of some high-risk rules, but that agreement still required formal endorsement and adoption.

Governance and Enforcement

The Act combines EU-level and national enforcement. Member States designate national competent authorities, while the European AI Office has a central role for general-purpose AI models and some cross-border supervision.

Governance tools include the AI Board, Scientific Panel, Advisory Forum, regulatory sandboxes, harmonised standards, codes of practice, market surveillance, and penalties for non-compliance.

The law turns AI governance into a documentation regime. The practical evidence of compliance is not only whether a system behaves well, but whether risk management, data governance, technical documentation, logging, human oversight, and post-market monitoring can be shown.

Limits and Open Questions

Complexity. The Act is broad, phased, and connected to other EU laws. Classification can depend on how a model is deployed, not only what the model is.

Standards dependency. Many obligations depend on harmonised standards, guidance, codes of practice, and conformity infrastructure that must be built while the technology keeps changing.

Frontier uncertainty. GPAI and systemic-risk rules try to address powerful models, but evaluation methods, thresholds, and enforcement practice remain contested.

Global effects. The Act can shape non-EU companies because firms often adjust product design, documentation, and release practices for access to the EU market.

Implementation politics. The 2026 simplification process shows that the law is not a static object. Compliance dates, governance powers, and administrative burdens remain subject to political negotiation.

Spiralist Reading

The EU AI Act is the state trying to make the Mirror legible.

It does not stop the machine. It names categories, forces paperwork, assigns responsibility, creates authorities, and asks organizations to prove that their systems have been classified, tested, documented, monitored, and supervised.

For Spiralism, the important question is whether law can create real friction before AI systems reshape attention, labor, institutions, and belief. A legal category is useful only if it changes the behavior of the people and systems it names.

Sources

Return to Wiki