TL;DR
- The EU AI Act (Regulation 2024/1689) entered into force on August 1, 2024, making it the world's first comprehensive AI law.
- A four-tier risk framework governs everything from outright bans on social scoring to lighter transparency rules for chatbots.
- Google and OpenAI face systemic-risk obligations for their large foundation models, effective August 2025.
- Startups get regulatory sandboxes and reduced fees, but high-risk use cases still demand full compliance from August 2026.
- Fines reach €35 million or 7% of global annual turnover for the most serious violations.
What Is the EU AI Act?
The EU AI Act — formally Regulation (EU) 2024/1689 — is the European Union's binding legal framework for artificial intelligence. Published in the Official Journal of the EU on July 12, 2024, it entered into force on August 1, 2024. No comparable national or regional law existed before it.
The regulation applies extraterritorially. Any company placing an AI system on the EU market — regardless of where it is headquartered — must comply. That single clause brings Silicon Valley, Bengaluru, and Beijing under Brussels' oversight.
At its core, the Act uses a risk-based approach. Four tiers determine how much compliance burden a system carries:
- Unacceptable Risk — Banned outright.
- High Risk — Strict pre-market requirements.
- Limited Risk — Transparency obligations (chatbots, deepfakes).
- Minimal or No Risk — Largely unregulated; covers most consumer AI today.
This proportionality is deliberate. Regulators wanted to avoid stifling low-stakes innovation while drawing hard lines around systems that affect health, safety, and fundamental rights.
The Four Risk Tiers in Detail
Unacceptable Risk: What Is Banned
Prohibitions took effect on February 2, 2025. The banned practices include:
- Subliminal or manipulative techniques that distort behavior and cause significant harm.
- Exploiting vulnerabilities related to age, disability, or a specific social or economic situation in ways that cause, or are reasonably likely to cause, significant harm.
- Social scoring (by public or private actors) that leads to detrimental or disproportionate treatment of individuals in contexts unrelated to the data collected.
- Predictive policing based solely on profiling, without individual suspicion.
- Untargeted scraping of facial images from the internet or CCTV footage to build recognition databases.
- Emotion inference in workplaces or educational settings (narrow medical and safety exceptions apply).
- Biometric categorization that infers sensitive attributes such as political opinion or sexual orientation.
- Real-time remote biometric identification in publicly accessible spaces by law enforcement, subject to narrow exceptions (for example, searching for victims of specific serious crimes or preventing an imminent terrorist threat) that require prior authorization by a judicial or independent administrative authority.
The European Commission published clarifying guidelines on February 4, 2025.
High-Risk AI: The Compliance-Heavy Tier
High-risk systems split into two groups. The first covers AI embedded in products already regulated under EU harmonization laws — medical devices, toys, machinery, vehicles. Full obligations for these apply from August 2, 2027.
The second group covers specific use cases listed in Annex III of the regulation. These include biometric identification, critical infrastructure management, educational assessment, employment and recruitment tools, credit scoring and essential services, law enforcement, migration and asylum processing, and justice administration. Obligations for Annex III systems apply from August 2, 2026.
Providers of high-risk systems must:
- Implement documented risk management systems.
- Train on high-quality, representative datasets.
- Maintain technical documentation and full traceability logs.
- Build in human oversight mechanisms.
- Meet accuracy, robustness, and cybersecurity standards.
- Pass a conformity assessment before market placement. For most Annex III use cases this is a self-assessment under internal control; third-party assessment by a notified body applies to product-embedded systems under Annex I and, unless harmonised standards are applied, to certain biometric systems.
- Register the system in the EU's public AI database.
- Report serious incidents post-deployment.
General-Purpose AI Models: A New Category
General-purpose AI (GPAI) models — large language models, multimodal foundation models — received their own dedicated chapter. Obligations for newly released GPAI models began on August 2, 2025; models already on the market before that date have until August 2027 to comply.
All GPAI providers must maintain technical documentation (available to the EU AI Office and to downstream providers), publish a sufficiently detailed summary of the content used for training, put in place a policy to comply with EU copyright law, and disclose capabilities and known limitations. Models deemed to pose systemic risk (presumed where cumulative training compute exceeds 10^25 FLOPs) face additional duties: model evaluation and adversarial testing (red-teaming), assessment and mitigation of systemic risks, serious incident reporting to the EU AI Office, and adequate cybersecurity protection for the model and its physical infrastructure.
A voluntary Code of Practice, finalized in July 2025, offers a compliance pathway; signatories gain a presumption of conformity for the obligations it covers. Google, OpenAI, Microsoft, Anthropic, Amazon, and Mistral AI all signed. Reports in mid-2025 indicated that Meta's position on the Code shifted during the drafting period and that its participation remained unsettled; readers should consult the EU AI Office's published signatory list for the current status.
Implementation Timeline at a Glance
| Date | What Takes Effect |
|---|---|
| August 1, 2024 | Regulation enters into force |
| February 2, 2025 | Prohibited practices banned; AI literacy obligations begin |
| August 2, 2025 | GPAI obligations (transparency, copyright) for new models |
| August 2, 2026 | High-risk Annex III systems; Article 50 transparency rules; enforcement powers active |
| August 2, 2027 | High-risk product-embedded systems; full compliance for pre-2025 GPAI models |
| December 31, 2030 | Legacy large-scale EU IT systems listed in Annex X (e.g., Schengen Information System) placed on the market before August 2, 2027 |
The phased rollout was a deliberate negotiating outcome. Smaller companies argued — successfully — that simultaneous full compliance would be impossible. The Commission accepted a staggered schedule while keeping the prohibition dates firm.
What the EU AI Act Means for Google
Google (Alphabet) develops GPAI models including Gemini and deploys AI across Search, Google Cloud, and Workspace. Gemini's training scale almost certainly places it in the systemic-risk category, triggering the Act's most demanding GPAI obligations.
Google signed the GPAI Code of Practice in 2025 and has integrated responsible-AI reporting into its Google Cloud Responsible AI documentation. The company has flagged concerns about trade-secret exposure in training-data summaries — a tension the EU AI Office is still mediating.
Beyond GPAI, Google's cloud customers who build high-risk applications on Google Cloud become providers under the Act (and their own customers who operate those systems become deployers). Google, as the supplier of the underlying models, tools, and infrastructure, must by written agreement provide the information, capabilities, and technical access those providers need to meet their own obligations (Article 25). That creates a downstream compliance chain that touches thousands of European businesses.
As of mid-2025, reports suggest Google has been actively engaging with the EU AI Office on its GPAI transparency obligations, though the precise status of any formal submissions remains subject to ongoing regulatory dialogue. The European Commission's AI Act regulatory framework page is the authoritative source for published compliance documentation as it becomes available.
Strategically, the Act may actually benefit Google. Compliance infrastructure is expensive to build. Large incumbents with existing legal, privacy, and safety teams absorb those costs more easily than challengers. The regulation could entrench Google's EU market position even as it constrains certain product features.
What the EU AI Act Means for OpenAI
OpenAI's GPT-4 and GPT-4o models are paradigmatic systemic-risk GPAI systems. ChatGPT's European user base — Reuters reported 100 million global users within two months of launch — makes EU compliance non-negotiable commercially.
Since August 2025, OpenAI must publish training-data summaries, maintain a copyright-compliance policy, and make technical documentation, including model-evaluation and adversarial-testing results, available to the EU AI Office on request. The company has faced separate copyright litigation from publishers and authors in multiple jurisdictions, which intersects directly with the Act's training-data transparency requirements.
OpenAI signed the Code of Practice and has, according to several reports, been building out its EU-facing policy and safety functions to meet the Act's obligations. The specific structure and titles of those roles have not been uniformly confirmed across public sources, but the broader direction — dedicated EU compliance capacity — is consistent with what the regulation requires of systemic-risk GPAI providers.
The compliance burden is real. Each new model release into the EU market now requires documentation, red-team evaluation reports, and incident-reporting pipelines before or alongside launch. That adds weeks or months to release cycles — a meaningful disadvantage when competing with models that face no equivalent regulatory hurdle in other markets.
For NRI professionals working in AI product roles at European companies or building on OpenAI's API, this means vendor contracts will increasingly include AI Act compliance clauses. Legal review of API terms of service is no longer optional.
What the EU AI Act Means for Startups
The Act's drafters were aware that uniform compliance costs would disproportionately harm smaller companies. Several provisions soften the impact:
- Regulatory sandboxes — Each EU Member State must establish at least one AI regulatory sandbox by August 2026, giving startups a supervised environment to test products before full compliance obligations apply.
- Reduced fees — SMEs and startups pay lower conformity-assessment fees.
- Priority access — National competent authorities must give SMEs priority access to sandboxes.
- Simplified documentation — Lighter technical documentation templates for smaller providers.
The harder reality is that any startup building in a high-risk Annex III category — AI hiring tools, credit scoring, medical triage — faces the same substantive compliance requirements as a Fortune 500 company. The fee discounts help; the conformity assessments, risk management systems, and post-market monitoring obligations do not shrink.
For NRI-founded startups operating in the EU or selling into the EU market, the Act creates both a barrier and a signal. A startup that achieves genuine EU AI Act compliance for a high-risk application can credibly market that compliance as a trust differentiator — particularly in regulated sectors like fintech, health tech, and HR tech where enterprise buyers are risk-averse.
Several NRI-founded technology companies have historically been active in EU markets across fintech and enterprise software, and the AI Act's sandbox provisions are specifically designed to give smaller, innovative firms a structured path to market. Founders considering EU expansion should engage early with their target Member State's national competent authority — the August 2026 deadline for Annex III systems is closer than it appears when conformity assessment queues are factored in.
Enforcement, Fines, and Governance
The EU AI Office, established within the European Commission, oversees GPAI models and coordinates enforcement across Member States. National market surveillance authorities handle most other AI systems. A Scientific Panel of independent experts advises on systemic-risk designations.
Fines are tiered by violation severity:
- €35 million or 7% of global annual turnover (whichever is higher) for prohibited-practice violations.
- €15 million or 3% for most other violations, including high-risk and GPAI obligations.
- €7.5 million or 1.5% for supplying incorrect, incomplete, or misleading information to authorities.
For SMEs and startups, the lower of the two amounts in each tier applies rather than the higher.
For context, 7% of Alphabet's 2024 revenue would exceed $20 billion. These are not symbolic penalties.
How the EU AI Act Compares to Other Frameworks
The United States has no equivalent federal AI law as of mid-2025. The Biden administration's Executive Order 14110 of October 30, 2023 established agency guidance and reporting requirements for large models, but the Trump administration revoked it on January 20, 2025. As of mid-2025 the US federal landscape remains fragmented: no comprehensive statute has passed Congress, and executive-level policy is still evolving, so readers should monitor authoritative US government sources for developments. The UK is pursuing a sector-by-sector approach through existing regulators rather than a single statute. China has issued separate regulations on generative AI and algorithmic recommendations.
The EU's comprehensive binding approach creates a de facto global standard for any company that wants EU market access — a dynamic sometimes called the Brussels Effect. Companies building one compliance stack for the EU often apply those same standards globally, simply because maintaining two parallel systems is operationally expensive.
For NRI professionals advising multinational clients or working across jurisdictions, this divergence matters practically. A product compliant with the EU AI Act is not automatically compliant with Chinese generative-AI rules, nor does it satisfy any emerging US state-level AI requirements. Compliance strategies need to be jurisdiction-aware rather than assuming one framework transfers cleanly to another.
Next Steps
- Review the full regulation text at EUR-Lex (Regulation 2024/1689).
- Check the European Commission's AI Act resource page for updated guidelines and sandbox announcements.
- If you build or deploy AI in a high-risk Annex III category, begin a gap analysis against the August 2026 compliance deadline now — third-party conformity assessors have limited capacity.
- Developers using OpenAI or Google APIs for EU-facing products should review vendor contracts for AI Act compliance clauses and data-processing terms.
- Consult a qualified EU technology law specialist before making compliance decisions; the Act's interaction with GDPR and sector-specific laws (MDR, DORA) is complex.