The European Union has reached and enacted the world’s first comprehensive AI Act, establishing a risk-based regulatory framework for artificial intelligence in the EU.

The Act creates a staged rollout with full enforcement by August 2, 2026, and ongoing governance through 2027 and beyond.

Analysts expect higher compliance costs for high-risk AI, possible consolidation among large tech players, growth for governance and risk-management services, and new requirements for watermarking and transparency in generative AI outputs.

The regulation seeks to balance innovation with citizens’ rights, including strict limits on real-time biometric identification by law enforcement and clear governance to build trust among developers and users.

General-Purpose AI models face new obligations, including technical documentation, information sharing, copyright compliance, and system-wide risk mitigations; high-risk GPAI models require evaluations, adversarial testing, and incident reporting to the European AI Office, while limited- and minimal/no-risk AI face progressively fewer requirements.

The Act’s extraterritorial reach comes with heavy penalties up to €35 million or 7% of global turnover, presenting opportunities for regulatory clarity and first-mover advantages while posing challenges for startups and SMEs in compliance and market access.

Phased timelines include risk and literacy obligations by early February 2025, governance and GPAI obligations by August 2025, major high-risk provisions by August 2026, and transition for high-risk products through August 2027, with ongoing evaluations from 2028.

Unacceptable-risk AI, such as government social scoring, is banned, and high-risk AI used in sectors like medical devices and critical infrastructure faces stringent requirements; general-purpose AI must meet transparency and safety standards.

The Act adopts a four-tier risk framework, banning unacceptable risks, imposing rigorous duties on high-risk AI (risk management, data quality, documentation, human oversight, cybersecurity, conformity assessments, and public registries), and applying broader transparency for high- and limited-risk systems.

Institutional changes include the creation of the European AI Office to monitor GPAI, develop assessment tools, issue codes of practice, and regulatory sandboxes to help startups test compliant AI solutions.

Foundation and large-language models will face pre-release transparency duties, including summaries of training data and cybersecurity measures, with penalties up to €35 million or 7% of global turnover for non-compliance.

The Act is positioned to set a global standard for AI governance, potentially shaping policies in other major economies and serving as a benchmark for future AI regulation.