The European Union Artificial Intelligence Act (EU AI Act) is rapidly reshaping the regulatory landscape for AI development and deployment, both within Europe and globally. In a recent Cooley webinar, partner Patrick Van Eecke and associate Bartholomäus Regenhardt, members of the firm’s cyber/data/privacy practice, provided an overview of the EU AI Act’s phased implementation, compliance hurdles and the much-anticipated Code of Practice for general-purpose AI (GPAI) models. Here’s what you need to know.
Phased rollout: Understanding the timeline
The EU AI Act is being implemented in several key stages:
- February 2, 2025: The first obligations took effect, focusing on AI literacy and prohibiting certain high-risk AI practices.
- May 2, 2025: The (delayed) publication of the Code of Practice for GPAI models was expected, though pushback from major industry players and international stakeholders has postponed its finalization.
- August 2, 2025: GPAI governance rules and obligations that apply to GPAI models on the market after this date come into force.
- August 2, 2026: The majority of the EU AI Act’s requirements become fully enforceable.
- 2030: Final implementation steps, especially for the public sector.
This phased approach allows organizations time to adapt but also creates a complex compliance environment.
The EU AI Act in a nutshell
- World’s first comprehensive AI regulation: The EU AI Act sets a global precedent, though its ultimate impact – akin to the “Brussels Effect” of the EU General Data Protection Regulation (GDPR) – remains to be seen.
- Dense legislation: 450+ pages, 68 new definitions, nearly 200 recitals and multiple annexes, with additional guidance and soft law expected.
- Risk-based approach: Obligations scale with the risk level of the AI system, from prohibited practices to high-risk and low-risk categories.
- Wide applicability: The EU AI Act applies to developers (providers), deployers (users), affected individuals, importers and distributors, regardless of whether they are based in the EU or abroad, due to its extraterritorial reach.
- Severe sanctions: Fines can reach up to 7% of global turnover or 35 million euros, surpassing even GDPR penalties.
- Dual enforcement: Both national supervisory authorities and the new EU AI Office will have enforcement powers, especially for GPAI models.
Early compliance: What’s happened since February 2025?
The first two obligations – AI literacy and prohibition of certain practices – have triggered a flurry of activity.
- AI literacy: Companies have launched training programs to ensure staff understand AI risks and regulatory requirements. The European Commission’s best practices repository, fueled by the AI Pact, offers practical examples, though following these does not guarantee compliance.
- Prohibited practices: Organizations have begun mapping and assessing their AI systems to ensure they are not engaging in prohibited activities. The European Commission has issued detailed (though nonbinding) guidance to clarify what constitutes a prohibited practice.
Defining ‘AI system’: Persistent challenges
A recurring challenge is determining whether a solution qualifies as an “AI system” under the EU AI Act. The European Commission’s recent guidelines emphasize a holistic, case-by-case assessment based on seven criteria, acknowledging that not every system marketed as “AI” actually falls within its scope. This has led to concerns about “AI washing”: the overlabeling of products as AI-enabled for marketing purposes.
GPAI models and the Code of Practice
A major focus now is the regulation of GPAI models, such as large language models. The EU AI Act distinguishes between:
- GPAI models: Core AI technologies (e.g., GPT-4, Mistral) capable of a broad range of tasks.
- AI systems: Applications built on top of GPAI models, with user interfaces and specific use cases (e.g., ChatGPT, Le Chat).
Obligations differ for GPAI model providers versus AI system providers. The Code of Practice, currently still under negotiation, is designed to bridge the gap between legal requirements and practical implementation for GPAI model providers. While voluntary, signing up to the Code may help demonstrate compliance and could influence enforcement decisions.
However, industry resistance, particularly from major US tech firms, and pressure from the US administration have delayed its adoption. The final content and legal effect of the Code remain uncertain, but it is expected to focus on:
- Transparency: Such as documentation and disclosure requirements, both to regulators and downstream AI system providers.
- Copyright: Such as ensuring web-crawled data does not infringe on intellectual property rights.
- Systemic risk: Such as additional safeguards for GPAI models with the potential for significant societal impact.
Transparency obligations: A shared responsibility
Transparency is a cornerstone of the EU AI Act. GPAI model providers must maintain up-to-date documentation and share it with both the EU AI Office and downstream system providers. In turn, system providers must inform users about the AI’s capabilities and limitations, echoing GDPR-style privacy notices.
Enforcement: When do the teeth come out?
While compliance is already required for certain obligations, enforcement mechanisms, including fines and penalties, will only become active from August 2025 (August 2026 for GPAI models). National authorities are still being designated but affected individuals and entities can already seek injunctions in national courts.
Key takeaways
- The EU AI Act is complex, far-reaching and still evolving.
- Early obligations focus on AI literacy and prohibiting harmful practices.
- Defining what counts as an “AI system” remains challenging and requires multidisciplinary input.
- The upcoming Code of Practice for GPAI models is a critical but currently delayed piece of the puzzle.
- Transparency obligations affect both GPAI model and AI system providers.
- Enforcement will ramp up significantly from mid-2025.
Stay tuned for further developments, especially as the Code of Practice on GDPAI models is finalized and the AI Act’s next milestones approach. For organizations operating in or with customers in the EU, proactive engagement and cross-functional compliance efforts are essential to navigate this new regulatory era.
Listen to a recording of the webinar, “AI Talks: Understanding the EU AI Act – What It Means for Companies Worldwide.”
Disclaimer: This blog post was generated with the assistance of AI based on the transcript of the webinar, and finally reviewed by a lawyer.
Authors
Patrick Van Eecke, Partner, Brussels
Bartholomäus Regenhardt, Associate, Brussels
