AI Watch: Global regulatory tracker - European Union

The EU introduces the pioneering EU AI Act, aiming to become a global hub for human-centric, trustworthy AI.

Laws/Regulations directly regulating AI (the “AI Regulations”)

The primary legislative framework for regulating AI in the EU is the EU AI Act (here).

The EU also proposed the AI Liability Directive, which had been designed to sit alongside the EU AI Act and address some of the challenges that arise from inconsistent liability regimes across the EU, in the context of AI. However, in February 2025, the European Commission withdrew the draft AI Liability Directive, citing a lack of consensus on core issues (here).

On August 1, 2024, the Commission updated its Q&A document on the EU AI Act, providing further detail on various provisions including, for example, key compliance requirements and enforcement mechanisms (here).

On February 11, 2025, Commission President Ursula von der Leyen launched "InvestAI", an initiative to mobilise €200 billion for investment in AI, including a new European fund of €20 billion for AI gigafactories (here). Such investments aim to make Europe an "AI continent."

On March 11, 2025, the AI Office published the third draft of the "General-Purpose AI Code of Practice" (the "Code") (here). The Code is intended to help providers of general-purpose AI models meet their obligations under the EU AI Act. To that end, the Code sets out a series of "commitments" and "measures" relating to, inter alia, transparency and copyright-related rules, risk assessments for systemic risks, and risk mitigation strategies. The final version of the Code is scheduled to be published in May 2025 following stakeholder feedback. If approved and formally adopted by the Commission through implementing acts, the Code will serve as a standard for providers of general-purpose AI models to demonstrate compliance.

On March 14, 2025, the Commission published a separate Q&A document specifically on general-purpose AI models under the EU AI Act (here), aiming to provide further detail and guidance on the obligations arising from Chapter V of the EU AI Act.

On April 9, 2025, the Commission published the "AI Continent Action Plan" (the "Plan") (here). The Plan intends to enhance AI capabilities in the EU by promoting initiatives in the following five key areas: (i) building a large-scale AI computing infrastructure; (ii) increasing access to high-quality data; (iii) promoting AI in strategic sectors; (iv) strengthening AI skills and talents; and (v) simplifying the implementation of the EU AI Act. As part of the latter, the Plan announced an "AI Act Service Desk" that will be established within the AI Office to serve as a central hub for stakeholders seeking guidance and support.

Status of the AI Regulations

The EU AI Act was published in the EU Official Journal on July 12, 2024, and is the first comprehensive horizontal legal framework for the regulation of AI across the EU. The EU AI Act entered into force on August 1, 2024, and will be effective from August 2, 2026,¹ except for the specific provisions listed in Article 113.

On September 5, 2024, the Council of Europe's Framework Convention² on AI was signed by Andorra, Georgia, Iceland, Norway, the Republic of Moldova, San Marino, the United Kingdom, Israel, the United States, and the European Union³. The treaty will enter into force on the first day of the month following three months after five signatories, including at least three Council of Europe Member States, have ratified it. Countries from all over the world will be eligible to join and commit to its provisions.

Related laws affecting AI

There are many laws applicable in the EU that may affect the development or use of AI in the EU. A non-exhaustive list of common examples includes:

• The EU General Data Protection Regulation (EU) 2016/679
• The Product Liability Directive, which, if adopted, will allow people harmed by software (including AI software) to receive compensation from the software manufacturer (replacing Directive 85/374/EEC)
• The General Product Safety Regulation 2023/988/EU, replacing Directive 2001/95/EC
• Various intellectual property laws under the national laws of EU Member States

Definition of “AI”

AI is defined in the EU AI Act using the following terms:

• "AI system" means "a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments"
• "General-purpose AI model" means "an AI model, including where such an AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications, except AI models that are used for research, development or prototyping activities before they are placed on the market"
• "General-purpose AI system" means "an AI system which is based on a general-purpose AI model and which has the capability to serve a variety of purposes, both for direct use as well as for integration in other AI systems"⁴

On February 6, 2025, the Commission published non-binding guidelines on the definition of an "AI system" under the EU AI Act.⁵ The guidelines unpack the definition of an "AI system" into seven core constituent elements and establish that an AI system does not need to continuously satisfy all seven elements throughout its entire lifecycle in order to constitute an "AI system" under the EU AI Act – if an element is present at any stage of the AI system's development or use, this may be sufficient.⁶

Territorial scope

The EU AI Act applies extraterritorially to:⁷

• Any provider placing, or otherwise putting into service, an AI system or general-purpose AI models on the EU market, regardless of whether the provider is established or located within the EU or in a third country
• Any deployers of AI systems who have their place of establishment in, or who are located in, the EU
• Any provider or deployer of an AI system that have their place of establishment or are otherwise located in a third country, if the output produced by the AI system is intended to be used in the EU⁸

Sectoral scope

The EU AI Act is not sector-specific. It applies to all sectors.

Compliance roles

Under the EU AI Act:

• Any developer of an AI system or general-purpose AI model, or any natural or legal person, public authority, agency or other body that has an AI system or general-purpose AI model developed and places them or puts the system into service on the EU market are "providers" under the AI Act⁹
• Any natural or legal person in the supply chain that is not a provider or importer and makes an AI system available on the EU market is a "distributor" under the AI Act¹⁰
• Any natural or legal person located or established in the Union that places on the market an AI system that bears the name or trademark of a natural or legal person established in a third country are "importers" under the AI Act¹¹
• Any natural or legal person, public authority, agency or other body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity are "deployers" under the AI Act¹²
• Any provider, product manufacturer, deployer, importer, distributor or authorized representative are "operators" under the AI Act¹³

Each of these roles comes with a set of compliance obligations.

Core issues that the AI Regulations seek to address

The EU AI Act is intended to promote the uptake of human-centric and trustworthy AI and to ensure a high level of protection of health, safety, fundamental rights, democracy, and rule of law from harmful effects of AI systems while supporting innovation and the functioning of the internal market.¹⁴

Risk categorization

The EU AI Act classifies AI systems, and imposes requirements, according to different levels of risk:

• Unacceptable risk: AI systems that present an "unacceptable" risk are prohibited.¹⁵ This includes (among others) AI systems used for social scoring and AI systems that use deceptive or exploitative techniques to materially distort a person’s behavior in a manner that can cause harm.¹⁶
• High risk: AI systems that present a "high" risk are subject to the most detailed compliance obligations under the EU AI Act and include AI systems falling within two categories: (i) AI systems used as a safety component of a product (or otherwise subject to EU health and safety harmonization legislation); or (ii) AI systems deployed in eight specific areas, including (among others) education, employment, access to essential public and private services, law enforcement, migration, and the administration of justice.¹⁷
• Limited risk: AI systems that present "limited" risk include those that directly interact with natural persons (e.g., chatbots), emotion recognition systems, biometric categorization systems, and AI systems that generate "deep fakes" (i.e., audio or visual content that appears genuine, even though it is created by an AI system). These systems are required to disclose the fact that the content has been artificially generated or manipulated.¹⁸ The transparency obligations imposed on deployers of these AI systems do not apply where the use is authorized by law to detect, prevent, investigate and prosecute criminal offenses. If the content is "evidently" an artistic, creative, satirical, fictional analogous work or program, these obligations are limited to the disclosure of existence of "deep fakes" in an appropriate manner that does not hamper the display or environment of the work.¹⁹
• Low or minimal risk: Any AI system not caught by the above are of low or minimal risk.²⁰

For general-purpose AI models, the EU AI Act distinguishes between those that entail a systemic risk and those that do not. If the computational power of the general-purpose AI model exceeds a certain threshold, the AI model is presumed to entail a systemic risk. In addition, the European Commission has the power to designate certain general-purpose AI models as having systemic risk.²¹

Key compliance requirements

Compliance obligations are primarily determined by the level of risk associated with the relevant AI system:

• Unacceptable risk: AI systems posing an unacceptable risk are not subject to compliance requirements; they are prohibited outright
• High risk: AI systems and their providers (or where applicable, the authorized representative) must be registered in an EU database before being placed onto the EU market or put into service, and must comply with a wide range of requirements on data training and data governance, technical documentation, recordkeeping, technical robustness, transparency, human oversight, and cybersecurity²²
• Limited risk: Providers and deployers of certain AI systems and general-purpose AI models are subject to transparency obligations²³
• Low or minimal risk: AI systems do not have specific obligations or requirements under the EU AI Act²⁴

All providers of general-purpose AI models are subject to certain technical documentation and transparency obligations and are required to cooperate with the Commission and national competent authorities as well as respect national laws on copyright and related rights.²⁵ Compliance may be demonstrated through adhering to approved codes of practice.²⁶ Providers of general-purpose AI models with systemic risk have additional obligations, including the obligations to perform standardized model evaluations, assess and mitigate systemic risks, track and report incidents, and ensure cybersecurity protection.²⁷

The EU AI Act also provides for the development of codes of conduct for AI systems, which the Commission hopes all AI system providers will voluntarily apply.²⁸

Regulators

Enforcement of the EU AI Act involves a combination of authorities. EU Member States will establish or designate at least one notifying authority and at least one market surveillance authority (together, the "national competent authorities") and ensure that the national competent authorities have adequate technical, financial and human resources, and infrastructure (that are sufficiently knowledgeable) to fulfill its tasks under the EU AI Act.²⁹

The notifying authority is responsible for setting up and carrying out the assessment and designation procedures that are required under the EU AI Act, in an objective and impartial manner.³⁰

The market surveillance authority may vary for "high" risk AI systems, AI systems used by financial institutions subject to EU legislation on financial services, and other EU institutions, agencies, and bodies.³¹

The market surveillance authority is primarily responsible for enforcement at the national level.³² If an AI system is non-compliant, the market surveillance authorities can exercise the enforcement powers described below. The market surveillance authorities will report to the Commission and relevant national competition authorities on an annual basis.³³

Additionally, an AI Office within the Commission will enforce the common rules across the EU.³⁴ Enforcement will be supported by a scientific panel of independent experts^.35 An AI Board with Member States' representatives will advise and assist the Commission and Member States on the consistent and effective application of the AI Act.³⁶ Finally, an advisory forum for stakeholders will provide technical expertise to the AI Board and the Commission.³⁷

Enforcement powers and penalties

Where the market surveillance authority finds that there is: (i) non-compliance with the obligations of the EU AI Act; or (ii) compliance from a high-risk AI system with the obligations of the EU AI Act, but still presents a risk to the health and safety of persons, the fundamental rights of persons, or other aspects of public interest protection; then the relevant market surveillance authority can (a) require the relevant operator to take all appropriate corrective actions (in the event of (ii), to ensure the AI system concerned no longer presents that risk) or withdraw/recall the AI system from the market; or (b) where the operator fails to do so, the relevant authority shall prohibit/restrict the AI system being made available on its national market or put into service, or withdraw/recall the product or the standalone AI system from the market.³⁸

Penalties range from (i) the higher of €35,000,000 or up to 7 percent of a company’s total worldwide annual turnover for non-compliance with prohibited AI practices, to (ii) the higher of €7,500,000 or up to 1 percent of a company’s total worldwide annual turnover for the supply of incorrect, incomplete, or misleading information to notified bodies and national competent authorities.³⁹

The AI Liability Directive increases the claimants’ likelihood of a successful claim by creating a rebuttable presumption of causality on the defendant. In practice, the new rule means that if a victim can show that someone was at fault for not complying with a certain obligation relevant to their harm, and that a causal link with the AI performance is reasonably likely, the court can presume that this non-compliance caused the damage.⁴⁰

The AI Liability Directive also gives national courts the power to order disclosure of evidence about high-risk AI systems that are suspected of causing damage, to help victims access relevant evidence to identify the person(s) that could be held liable.⁴¹

Further insights from White & Case:

• Processing Biometric Data in the Workplace
• Long awaited EU AI Act becomes law after publication in the EU’s Official Journal
• The EU AI Act’s enforcement provisions — Part 3
• The EU AI Act’s extraterritorial scope — Part 2
• Processing personal data using AI Systems — Part 1
• The pre-final text of the EU’s AI Act leaked online
• Dawn of the EU's AI Act: political agreement reached on world's first comprehensive horizontal AI regulation

1 See EU AI Act, Article 113.
2 See Convention text here.
3 See European Commission press release here.
4 See EU AI Act, Articles 3(1), 3(63) and 3(66).
5 See the Commission's guidelines on AI system here. The seven main elements outlined in the guidelines are: (i) a machine-based system; (ii) that is designed to operate with varying levels of autonomy; (iii) that may exhibit adaptiveness after deployment; (iv) and that, for explicit or implicit objectives; (v) infers, from the input it receives, how to generate outputs; (vi) such as predictions, content, recommendations or decisions; (vii) that can influence physical or virtual environments.
6 See the Commission's guidelines on AI system, Paragraph (10).
7 See EU AI Act, Articles 2(1)(a) to (c). Responsibilities along the AI value chain (including distributors, importers, deployers) are set out in Article 25.
8 See EU AI Act, Recital 22.
9 See EU AI Act, Article 3(3).
10 See EU AI Act, Article 3(7).
11 See EU AI Act, Article 3(6).
12 See EU AI Act, Article 3(4).
13 See EU AI Act, Article 3(8).
14 See "Purpose" in the Procedure File: printficheglobal.pdf (europa.eu); and EU AI Act, Article 1(1).
15 See EU AI Act, Recital 179.
16 See EU AI Act, Article 5.
17 See EU AI Act, Article 6(1), (2) and Annex I, Annex III.
18 See EU AI Act, Articles 50(1) to 50(4).
19 See EU AI Act, Article 50(4).
20 See page 4 of the briefing note.
21 See EU AI Act, Article 51.
22 See EU AI Act, Articles 8-15 and 49.
23 See EU AI Act, Article 50.
24 See page 4 of the briefing note.
25 See EU AI Act, Article 53.
265 See EU AI Act, Article 56.
27 See EU AI Act, Article 55.
28 See EU AI Act, Chapter X (Codes of Conduct and guidelines).
29 See EU AI Act, Article 70.
30 See EU AI Act, Article 31(6).
31 See EU AI Act, Article 74(6).
32 See EU AI Act, Article 74.
33 See EU AI Act, Article 74(2).
34 See EU AI Act, Article 64.
35 See EU AI Act, Article 68.
36 See EU AI Act, Article 65 and 66.
37 See EU AI Act, Article 67.
38 See EU AI Act, Articles 79(2) and 82 (1).
39 See EU AI Act, Articles 99(3) and (5).
40 See AI Liability Directive, Article 4(1).
41 See AI Liability Directive, Article 3(1).

Timo Gaudszun (Legal Intern, White & Case, Berlin), Jeffrey Shin (Associate, White & Case, London) contributed to this publication.

[View source.]