The EU AI Act enters into force, and three years of implementation work begin in earnest

On 1 August 2024, the European Union's Artificial Intelligence Act entered into force. The journey from initial Commission proposal in April 2021 to gazetted law took three years, three months and several rounds of late-stage redrafting after the public release of ChatGPT forced the inclusion of a general-purpose AI chapter that did not exist in the original text.

On the day the law took effect, no enforcement action could be taken under it. As reported by Politico Europe and confirmed in the Commission's own implementation timetable, the Act phases in over thirty-six months. The prohibitions on unacceptable-risk practices, which include certain forms of biometric mass surveillance, social scoring and emotion recognition in workplaces and schools, became applicable in February 2025. Obligations on providers of general-purpose AI models took effect in August 2025. The full high-risk regime, covering sectors from medical devices to recruitment, applies from August 2026.

A four-tier risk framework

The Act sorts AI systems into four risk tiers. Unacceptable risk is banned outright. High risk, which captures most regulated-sector deployments, faces a comprehensive conformity assessment regime including data governance, technical documentation, human oversight and post-market monitoring obligations. Limited risk, primarily chatbots and systems generating synthetic content, faces transparency obligations: users must be told they are interacting with an AI and synthetic media must be marked. Minimal risk, the catch-all category covering most consumer software, faces no new obligations beyond existing law.

Europe has decided what it does not want AI to be. The harder question is whether the law can keep up with what AI becomes.

The general-purpose AI question

The most contested chapter of the Act covers general-purpose AI models, a category that did not exist as a regulatory concept when the original draft was tabled. The final text imposes baseline transparency, copyright and safety obligations on all general-purpose model providers, with stricter obligations on "systemic risk" models defined by a compute threshold of ten to the twenty-fifth floating-point operations during training. As Reuters reported in the run-up to publication, that threshold currently applies to fewer than ten existing models and is recalibratable by Commission decision.

The first practical impact has been on documentation. Frontier AI companies operating in Europe are now staffing teams whose function is, in effect, to write the technical and risk-management dossiers the Act will require. Whether the underlying models will still be the relevant artefacts when those obligations bind in earnest, in 2025 and 2026, is the question that quietly preoccupies the lawyers.