AI governance has crossed from strategic concern into regulatory reality. The EU AI Act — the world's first comprehensive legal framework for artificial intelligence — entered force on 1 August 2024 and reached its most consequential milestone on 2 August 2025, when the EU AI Office became operational and obligations for General-Purpose AI (GPAI) models took binding effect.
What is now binding
Three categories of obligation now apply to any organisation that develops, deploys, or procures AI systems serving EU customers:
Prohibited practices. Social scoring, manipulative AI, mass facial scraping, and certain biometric inference systems are outright banned. Liability extends to both providers and deployers, including organisations using unvetted third-party tools — the canonical Shadow AI exposure.
Transparency obligations. AI systems that interact with humans, use biometrics, or generate synthetic content must disclose their AI nature clearly. Public-facing AI-generated content requires explicit labelling, including deepfakes.
GPAI obligations. Any new GPAI model placed on the EU market must publish technical documentation, transparency reports, training-data summaries, and (for models exceeding 10²⁵ FLOPs) systemic-risk assessments. The procurement implication is direct: every GPAI vendor in your stack must produce these artefacts on request.
The phased rollout
Three remaining milestones structure the next 24 months:
- August 2026 — full rules for high-risk AI systems (employment, biometrics, healthcare, education, public services)
- August 2027 — final compliance deadline for legacy GPAI and high-risk systems already on the market
This is a roadmap, not breathing room. Approximately ten weeks to prepare governance for high-risk categories; fifteen months to remediate legacy posture.
The convergence with GDPR
The EU AI Act does not replace GDPR — it extends it. The result is dual exposure: penalties under both regimes when AI systems mishandle personal data. The procedural overlap (documentation, DPIAs, consent management, data-subject rights) creates an opportunity. A unified governance framework that satisfies both regimes is achievable, and legal operations is the natural function to lead it.
Enforcement architecture
Enforcement mirrors GDPR's federated model: the EU AI Office oversees GPAI and coordinates across member states; national regulators handle day-to-day enforcement and audits. Penalty tiers per AI Act Articles 99–101:
- Banned practices: up to €35 million or 7% of global turnover
- GPAI violations: up to €15 million or 3%
- False information to regulators: up to €7.5 million or 1%
Expect early cases to focus on guidance and cooperation — but as GDPR demonstrated, early enforcement sets the precedent that defines the regime.