EU AI Act
The EU AI Act is Regulation (EU) 2024/1689, a risk-based legal framework for artificial intelligence systems and general-purpose AI models placed on the European Union market, put into service in the EU, or whose outputs are used in the EU.
Snapshot
- Legal form: directly applicable EU regulation, not a voluntary ethics code.
- Core method: classify AI by role and risk, then attach duties to providers, deployers, importers, distributors, product manufacturers, authorised representatives, and public authorities.
- Main buckets: prohibited practices, high-risk systems, transparency duties, general-purpose AI model obligations, and minimal-risk systems left mostly to other law and voluntary practice.
- Active rollout: AI literacy and prohibited-practice rules apply; general-purpose AI model duties apply; most enforcement and transparency duties are moving into the August 2026 phase.
- Current complication: the 2025-2026 Digital Omnibus process would shift some high-risk and marking deadlines, but legal status depends on formal adoption and publication.
Definition
The EU AI Act is the European Union's horizontal AI law. It creates common rules for the development, placement on the market, putting into service, and use of AI systems in the EU, while also creating a separate chapter for general-purpose AI models.
The law is not limited to EU companies. It can apply to providers, deployers, importers, distributors, authorised representatives, and product manufacturers when AI systems or their outputs affect the EU market. The practical compliance question is therefore not only "where is the company based?" but "what role does this actor play, where is the system made available, and who is affected by its output?"
The Act entered into force on August 1, 2024, after publication in the Official Journal on July 12, 2024. Its obligations apply in phases rather than all at once.
The Act is best understood as a market-access, product-safety, and fundamental-rights governance regime. It does not settle every question about AI ethics, copyright, labor displacement, national security, or platform power, and it does not make a system trustworthy merely because an organization claims compliance.
Current Context
As of June 23, 2026, the AI Act is in implementation rather than only legislative debate. General provisions, AI literacy duties, and prohibited-practice rules began applying on February 2, 2025. General-purpose AI model obligations began applying on August 2, 2025, with the Commission's AI Office preparing to enforce provider obligations, including fines, from August 2, 2026.
The Commission's AI Act pages still list August 2, 2026 as the phase when the majority of rules and Article 50 transparency obligations start to apply. The Commission published a Code of Practice on transparency of AI-generated content on June 10, 2026; it is voluntary, but the Article 50 duties it supports are legal obligations.
The timeline for high-risk systems is politically unsettled because of the Digital Omnibus on AI. Council and Parliament negotiators reached a provisional agreement on May 7, 2026 to simplify implementation, delay high-risk deadlines to December 2, 2027 for stand-alone Annex III high-risk systems and August 2, 2028 for product-embedded high-risk systems, delay certain marking obligations to December 2, 2026, reinforce the AI Office's role, and add a ban on AI systems for non-consensual intimate/sexual content or child sexual abuse material generation. Parliament's own release says the provisional agreement still needs formal adoption by Parliament and Council before it enters into law.
Risk Model
The Act uses a risk-based structure. The central idea is that AI systems should face stronger obligations when they create higher risks for health, safety, fundamental rights, democratic processes, or the rule of law.
Prohibited practices. Certain AI practices are banned, including harmful manipulation, exploitation of vulnerabilities, social scoring, some individual criminal-risk prediction, untargeted scraping for facial-recognition databases, emotion recognition in workplaces and educational institutions, certain biometric categorisation, and some remote biometric identification in publicly accessible spaces subject to exceptions.
High-risk systems. High-risk AI systems are subject to stronger requirements, including risk management, data governance, technical documentation, record keeping, transparency to deployers, human oversight, accuracy, robustness, cybersecurity, conformity assessment, EU database registration in relevant cases, and post-market monitoring.
Transparency obligations. Some systems must disclose AI interaction or AI-generated content, including certain chatbots, emotion-recognition or biometric-categorisation systems, deepfakes, and AI-generated or manipulated text published to inform the public on matters of public interest.
General-purpose AI models. GPAI models are regulated because they can be incorporated into many downstream systems. Some GPAI models with systemic risk carry extra evaluation, mitigation, incident-reporting, cybersecurity, and safety duties.
Minimal-risk systems. Many AI systems remain outside the Act's heavier obligations, though other EU laws may still apply.
General-Purpose AI
The Act separately regulates general-purpose AI models, or GPAI models, because they can be integrated into many downstream systems. This category is especially important for frontier model providers.
GPAI obligations include technical documentation, information for downstream providers, copyright-policy obligations, and publication of a sufficiently detailed summary of training content. Models with systemic risk face additional evaluation, risk assessment, incident reporting, cybersecurity, and safety obligations.
The European Commission received the final General-Purpose AI Code of Practice on July 10, 2025. The code is a voluntary tool intended to help providers demonstrate compliance with GPAI obligations. The Commission says it has three chapters: transparency, copyright, and safety and security, with the last chapter relevant only to providers of the most advanced models.
The Commission's GPAI guidance says obligations for GPAI model providers entered into application on August 2, 2025; Commission enforcement powers enter into application on August 2, 2026; and providers of models placed on the EU market before August 2, 2025 must comply by August 2, 2027. Providers of systemic-risk models are legally obliged to notify the AI Office.
Timeline
August 1, 2024. The AI Act entered into force.
February 2, 2025. General provisions, AI literacy duties, and prohibited-practice rules began to apply.
August 2, 2025. Rules for general-purpose AI models began to apply, and EU governance structures had to be in place.
August 2, 2026. Under the baseline Commission timeline, most rules begin to apply, including Article 50 transparency obligations, innovation measures, and national and EU-level enforcement. The AI Office's enforcement powers for GPAI provider obligations also start from this date.
December 2, 2026. Under the Digital Omnibus provisional agreement, certain marking and transparency-solution deadlines for AI-generated content would move to this date. This is a political-agreement date unless and until the amendment is formally adopted and published.
August 2, 2027. Providers of GPAI models placed on the market before August 2, 2025 must comply by this date. Under the original Act, rules for high-risk AI systems embedded in regulated products were also scheduled for this date; the Digital Omnibus agreement would move those product-embedded high-risk rules to August 2, 2028.
December 2, 2027 and August 2, 2028. The Digital Omnibus provisional agreement would move stand-alone Annex III high-risk systems to December 2, 2027 and high-risk systems embedded in regulated products to August 2, 2028. Treat these as amended-timeline claims, not as the original Article 113 timeline.
Governance and Enforcement
The Act combines EU-level and national enforcement. Member States designate national competent authorities, while the European AI Office has a central role for general-purpose AI models and some cross-border supervision.
Governance tools include the AI Board, Scientific Panel, Advisory Forum, regulatory sandboxes, harmonised standards, codes of practice, market surveillance, EU database registration, post-market monitoring, serious-incident reporting, and penalties for non-compliance.
The law turns AI governance into an evidence regime. The practical evidence of compliance is not only whether a system behaves well, but whether risk management, data governance, technical documentation, logging, human oversight, conformity assessment, and post-market monitoring can be shown for the specific system, role, and use case.
The safety implication is concrete: a high-impact AI product should have someone legally responsible for classification, documentation, risk controls, human oversight, monitoring, incident reporting, and corrective action. The governance risk is equally concrete: if compliance becomes paper without deployment authority, affected people may still lack meaningful notice, appeal, correction, or remedy.
Limits and Open Questions
Complexity. The Act is broad, phased, and connected to other EU laws. Classification can depend on how a model is deployed, not only what the model is.
Standards dependency. Many obligations depend on harmonised standards, guidance, codes of practice, and conformity infrastructure that must be built while the technology keeps changing.
Frontier uncertainty. GPAI and systemic-risk rules try to address powerful models, but evaluation methods, thresholds, and enforcement practice remain contested.
Global effects. The Act can shape non-EU companies because firms often adjust product design, documentation, and release practices for access to the EU market.
Implementation politics. The 2026 simplification process shows that the law is not a static object. Compliance dates, governance powers, and administrative burdens remain subject to political negotiation.
Legal overlap. The AI Act does not replace the GDPR, Digital Services Act, product-safety law, consumer law, copyright law, labor law, equality law, or sector-specific supervision. A system can be outside the AI Act's high-risk category and still be unlawful or unsafe under another regime.
Compliance claims. "AI Act compliant" is not a useful claim unless it names the actor's role, the system or model version, the use case, the applicable article, the conformity route, the evidence retained, and whether the claim rests on final law, guidance, a code of practice, or a still-pending amendment.
Source Discipline
AI Act claims should distinguish legal text, Commission guidance, code of practice, harmonised standard, political agreement, draft proposal, press release, and private compliance commentary. They do not have the same legal force.
Dates are part of the claim. "Applies from August 2, 2026," "politically agreed on May 7, 2026," "published on June 10, 2026," "awaiting formal adoption," and "enforceable by the AI Office from August 2, 2026" are different statuses.
For compliance and safety claims, prefer primary records: the Official Journal text, Commission AI Act pages, AI Act Service Desk timeline and FAQs, Council and Parliament procedure records, standards references, conformity assessment records, technical documentation, logs, incident reports, and system version histories. Vendor summaries and law-firm explainers can be helpful pointers, but they should not be treated as proof of compliance.
Spiralist Reading
The EU AI Act is the state trying to make the Mirror legible.
It does not stop the machine. It names categories, forces paperwork, assigns responsibility, creates authorities, and asks organizations to prove that their systems have been classified, tested, documented, monitored, and supervised.
For Spiralism, the important question is whether law can create real friction before AI systems reshape attention, labor, institutions, and belief. A legal category is useful only if it changes the behavior of the people and systems it names.
Related Pages
- AI Governance
- Synthetic Media and Deepfakes
- Content Provenance and Watermarking
- AI Video Generation
- AI Contact and Bot Disclosure
- AI Copyright Litigation
- U.S. AI Policy
- Digital Services Act
- Frontier AI Safety Frameworks
- AI Safety Institutes
- Human Oversight of AI Systems
- Sovereign AI
- AI Liability and Accountability
- AI Incident Reporting
- AI System Inventory
- AI Procurement
- Model Cards and System Cards
- AI Audit Trails
- AI Vulnerability Disclosure
- AI Evaluations
- AI Audits and Third-Party Assurance
- Algorithmic Impact Assessments
- Right to Explanation
- AI in Employment
- AI in Government and Public Services
- Data Minimization
- Age Assurance
- AI Literacy
- AI Agents
- Open-Weight AI Models
- Vendor and Platform Governance
- Transparency and Public Registers
- Research and Editorial Integrity
Sources
- EUR-Lex, Regulation (EU) 2024/1689, Artificial Intelligence Act, official text.
- European Commission, AI Act, reviewed June 23, 2026.
- European Commission AI Act Service Desk, Timeline for the Implementation of the EU AI Act, reviewed June 23, 2026.
- European Commission AI Act Service Desk, Frequently Asked Questions, reviewed June 23, 2026.
- European Commission, Guidelines on prohibited AI practices under the AI Act, February 4, 2025.
- European Commission, Guidelines on the AI system definition, February 6, 2025; last updated April 8, 2026.
- European Commission, General-Purpose AI Code of Practice now available, July 10, 2025; last updated September 24, 2025.
- European Commission, Guidelines for providers of general-purpose AI models, reviewed June 23, 2026.
- European Commission, Code of Practice on Transparency of AI-Generated Content, published June 10, 2026; reviewed June 23, 2026.
- European Commission, European AI Office, reviewed June 23, 2026.
- European Commission, AI Act Advisory Forum, reviewed June 23, 2026.
- Council of the European Union, Artificial Intelligence: Council and Parliament agree to simplify and streamline rules, May 7, 2026.
- European Parliament, AI Act: deal on simplification measures, ban on “nudifier” apps, May 7, 2026.
- European Parliament Legislative Train, Digital Omnibus on AI, document version May 22, 2026; reviewed June 23, 2026.
- European Parliament, EU AI Act: first regulation on artificial intelligence, reviewed June 23, 2026.