EU tightens AI regulation: The most important questions and answers about the regulation from August 2025

What is the EU AI Regulation and why was it introduced?

The EU AI Regulation, also known as the EU AI Act (Regulation (EU) 2024/1689), is the world's first comprehensive law regulating artificial intelligence. The regulation was adopted by the European Parliament on 13 March 2024 and entered into force on 1 August 2024.

The main objective of the regulation is to create a harmonized legal framework for the use of AI in the European Union. On the one hand, it aims to promote innovation and strengthen trust in AI, while on the other hand, it ensures that AI is only used in a way that safeguards the fundamental rights and security of EU citizens. The EU is pursuing a risk-based approach: the higher the risk posed by an AI system, the more comprehensive the obligations.

The regulation is a direct response to the rapid development of AI technology and its far-reaching societal impact. With its adoption, the EU aims to both protect against potential risks and establish Europe as a leading location for trustworthy AI.

Suitable for:

• AI systems, high-risk systems and the AI ​​Act for practical application in companies and public authorities

What are general-purpose AI models and why are they the focus of regulation?

General-purpose AI (GPAI) models, as defined by the EU AI Regulation, are AI models that exhibit significant general applicability and are capable of competently performing a wide range of diverse tasks. These models can be integrated into a variety of downstream systems or applications.

A characteristic feature of GPAI models is their versatility: they are not designed for a specific application, but offer broad functionality. Unlike specialized AI models, a GPAI model is not taught only one specific, narrowly defined task during training.

Well-known examples of GPAI models include GPT-4 from OpenAI (used in Microsoft Copilot and ChatGPT), Gemini from Google DeepMind, Claude from Anthropic, and LLaMA from Meta. Due to their technical scope and training architecture, these systems meet the criteria of a GPAI model according to EU regulations.

The special regulatory focus on GPAI models is due to their high risk potential: Since they can be used in many areas, there is a particular risk that AI could lead to applications that have high societal impacts – for example in healthcare, lending or human resources.

Which obligations will come into force on August 2, 2025?

Binding obligations for providers of GPAI models will come into force on August 2, 2025. These new regulations mark a crucial milestone in the EU AI Regulation and affect various areas:

Transparency obligations

Vendors must provide technical documentation and disclose information about training methods, training data, and model architecture. This documentation must include a general description of the AI ​​model, including the tasks the model is intended to perform and the types of AI systems into which it can be integrated.

Copyright compliance

Providers must ensure that their models comply with EU copyright law. This includes taking into account websites with opt-out signals and setting up complaint mechanisms for rights holders.

Governance obligations

Appropriate governance structures must be implemented to ensure compliance with regulations. This includes enhanced auditing and reporting requirements for particularly high-risk GPAI models.

Documentation requirements

A sufficiently detailed summary of the training content must be prepared and published. This summary should facilitate the exercise and enforcement of rights by parties with a legitimate interest, including copyright holders.

How does the European AI Office oversee AI?

The European AI Office was established by the European Commission on 24 January 2024 and plays a central role in the implementation of the AI ​​Regulation. It is organizationally part of the European Commission's Directorate-General for Communications Networks, Content and Technology (DG Connect).

The AI ​​office has extensive powers to monitor compliance with GPAI regulations. It can request information from companies, assess their models, and demand that deficiencies and problems be rectified. In cases of violations or refusal to provide information, officials can remove AI models from the market or impose fines.

The institution undertakes several key tasks: It further develops the binding AI code of conduct, coordinates the European supervisory network, and monitors the development of the AI ​​market. Furthermore, the office is tasked with developing tools and methods to evaluate the risks of larger generative AI models in particular.

The AI ​​Office consists of five specialized units: Regulation and Compliance, AI Security, Excellence in AI and Robotics, AI for the Public Good, and AI Innovation and Policy Coordination. This structure enables comprehensive support for all aspects of AI regulation.

What penalties are imposed for violations of the GPAI regulations?

The EU AI regulation stipulates substantial penalties for violations of the GPAI guidelines. Fines can amount to up to €15 million or 3 percent of global annual turnover – whichever is higher.

For particularly serious violations, such as failure to comply with the prohibition of certain AI practices under Article 5, fines of up to €35 million or 7 percent of global annual turnover can be imposed. This underlines the EU's determination to enforce the new rules.

In addition to fines, there are further legal consequences: False or incomplete information provided to authorities can be punished with fines of up to €7.5 million or 1.5 percent of global annual turnover. Insufficient documentation and a lack of cooperation with regulatory authorities can result in penalties of the same amount.

The size of the fines underscores the seriousness with which the EU is enforcing its AI regulation. A recent example is the €15 million fine imposed on OpenAI by the Italian data protection authority, although this was under the GDPR and not the AI ​​regulation.

Suitable for:

• AI bans and mandatory competence: The EU AI Act – A new era in dealing with artificial intelligence

What is the AI ​​code of conduct and why is it controversial?

The AI ​​Code of Practice is a voluntary instrument developed by 13 independent experts and incorporating input from more than 1,000 stakeholders. Published by the European Commission on July 10, 2025, it aims to help providers of GPAI models comply with the requirements of the AI ​​Regulation.

The code is divided into three main chapters: transparency, copyright, and security and protection. The chapters on transparency and copyright are aimed at all providers of GPAI models, while the chapter on security and protection is only relevant for providers of the most advanced models with systemic risks.

Companies that voluntarily sign the code benefit from reduced bureaucracy and increased legal certainty. Those that do not sign the code can expect more inquiries from the Commission. This creates indirect pressure to participate, even though the code is officially voluntary.

The controversy arises from the differing reactions of the companies: While OpenAI expressed a willingness to cooperate and sign the code, Meta declined to participate. Joel Kaplan, Chief Global Affairs Officer at Meta, criticized the code as legally uncertain and argued that it went far beyond the scope of the AI ​​law.

Why does Meta refuse to sign the code of conduct?

Meta has decided not to sign the EU Code of Conduct for GPAI models, representing a notable stand against European regulation. Joel Kaplan, Chief Global Affairs Officer at Meta, explained this decision in a LinkedIn post, citing several critical points.

The main criticism is the legal uncertainty: Meta argues that the code "creates a number of legal uncertainties for model developers and includes measures that go far beyond the scope of the AI ​​law." The company fears that the unclear wording could lead to misinterpretations and unnecessary bureaucratic hurdles.

Another aspect is the concern about stifling innovation: Meta warns that the code could slow down the development of advanced AI models in Europe and hinder European companies. The company is particularly critical of the impact on startups and smaller companies, which could be disadvantaged in competition by the regulations.

This refusal is noteworthy, as Meta simultaneously intends to increasingly rely on its own AI services, such as the Llama 3 language model, within the EU. The company plans to deploy its AI both via its own platforms and in cooperation with cloud and hardware providers, for example in Qualcomm smartphones and Ray-Ban glasses.

Which companies support the code of conduct and which reject it?

The reactions of technology companies to the EU code of conduct vary widely and reflect the division within the industry regarding European AI regulation.

Supporters of the Code

OpenAI has announced its intention to sign the code, describing it as a workable framework for implementing the EU AI law. The company sees the code as a foundation for expanding its own infrastructure and partnerships in Europe. Microsoft has also indicated its willingness to cooperate: President Brad Smith stated that it is “likely we will sign” and acknowledged the AI ​​office’s positive collaboration with the industry.

Critics and dissenters

Meta is the most prominent critic and explicitly refuses to sign. The company thus joins the ranks of critics who view Europe's AI regulatory plans as stifling to innovation. More than 40 CEOs of European companies, including ASML, Philips, Siemens, and the AI ​​startup Mistral, have called for a two-year postponement of the AI ​​law in an open letter.

Undecided

Google and Anthropic have not yet publicly commented on their position, suggesting internal evaluation processes. This reticence could be strategic, as both companies must weigh the advantages of legal certainty against the disadvantages of additional compliance costs.

Despite industry pressure, the EU Commission remains steadfast and is sticking to the timetable: the requested postponement of the GPAI rules is out of the question.

Integration of an independent and cross-data-source AI platform for all business needs - Image: Xpert.Digital

AI Game Changer: The most flexible AI platform - Tailor-made solutions that reduce costs, improve your decisions and increase efficiency

Independent AI platform: Integrates all relevant company data sources

• This AI platform interacts with all specific data sources
  • From SAP, Microsoft, Jira, Confluence, Salesforce, Zoom, Dropbox and many other data management systems
• Rapid AI integration: Tailor-made AI solutions for businesses in hours or days, instead of months
• Flexible infrastructure: Cloud-based or hosting in your own data center (Germany, Europe, free choice of location)

• Maximum data security: its use in law firms is irrefutable proof
• Deployment across a wide variety of enterprise data sources
• Choice of own or different AI models (DE, EU, USA, CN)

Challenges that our AI platform solves

• Lack of fit of conventional AI solutions
• Data protection and secure management of sensitive data
• High costs and complexity of individual AI development
• Shortage of qualified AI specialists
• Integration of AI into existing IT systems

More about it here:

• AI integration of an independent and cross-data source-wide AI platform for all company matters

How do standard GPAI models differ from those with systemic risks?

The EU AI Regulation provides for a tiered risk classification for GPAI models, distinguishing between standard GPAI models and those with systemic risks. This distinction is crucial for determining the applicable obligations.

Standard GPAI models

They must meet basic requirements: detailed technical documentation of the model, information on the data used for training, and compliance with copyright. These models are subject to the standard obligations under Article 53 of the AI ​​Regulation.

GPAI models with systemic risks

They are classified according to Article 51 of the AI ​​Regulation. A model is considered to pose a systemic risk if it has “high impact capacities.” As a benchmark, a GPAI model has a systemic risk if “the cumulative amount of computations used for its training, measured in floating-point operations, exceeds 10^25.”.

For models with systemic risks, additional obligations apply: conducting model evaluations including adversarial testing, assessing and mitigating potential systemic risks, tracking and reporting serious incidents to the AI ​​Bureau and the relevant national authorities, and ensuring adequate cybersecurity protection.

This classification takes into account that particularly powerful models can also pose particularly high risks and therefore require stricter monitoring and control.

Suitable for:

• AI Action Summit in Paris: The awakening of the European strategy for AI – “Stargate AI Europe” also for startups?

What specific information do companies need to document and disclose?

The documentation and transparency obligations for GPAI providers are comprehensively and meticulously regulated. The technical documentation according to Article 53 and Annex XI of the AI ​​Regulation must cover various core areas.

General model description

The documentation must include a comprehensive description of the GPAI model, including the tasks the model is intended to perform, the types of AI systems into which it can be integrated, the applicable principles of acceptable use, the publication date, and the distribution modalities.

Technical specifications

Detailed information on the architecture and number of parameters, modality and format of inputs and outputs, license used, and technical means required for integration into AI systems.

Development process and training data

Design specifications of the model and the training process, training methods and techniques, key design decisions and assumptions made, information on the datasets used including type, origin and curation methods.

Public summary of training content

A standardized template was provided by the AI ​​office, offering an overview of the data used to train the models. This includes the sources from which the data was obtained, large datasets, and top-level domain names.

The documentation must be available on request for both downstream providers and the AI ​​Office, and must be updated regularly.

What role do copyrights play in the new regulations?

Copyright plays a central role in the EU AI Regulation, as many GPAI models were trained on copyrighted content. The code of conduct dedicates a separate chapter to this topic.

Compliance obligations

Providers must implement practical solutions for complying with EU copyright law. This includes the obligation to observe the Robot Exclusion Protocol (robots.txt) when crawling web pages and to identify and respect rights reservations.

Technical protective measures

Companies must implement technical safeguards to prevent their models from generating copyright-infringing content. This could pose a significant hurdle, especially for image generators like Midjourney.

Complaint mechanisms

Providers must designate contact persons for rights holders and establish a complaints procedure. If rights holders demand that their works not be used, companies must comply.

Transparency about training data

The new template for the public summary of training content is designed to make it easier for copyright holders to exercise and enforce their rights. It allows them to better track whether their copyrighted works have been used in the training.

These regulations aim to maintain a balance between innovation in the field of AI and the protection of intellectual property.

How does regulation affect smaller companies and start-ups?

The impact of the EU AI regulation on smaller companies and start-ups is a critical aspect of the debate surrounding the new rules. Concerns about the potential disadvantages for smaller players are being raised from various quarters.

Bureaucratic burden

Meta argues that the strict requirements of the code of conduct could particularly restrict the opportunities of start-ups. The extensive documentation and compliance requirements can impose disproportionately high costs on smaller companies.

Relief measures for SMEs

However, the AI ​​regulation also provides for simplifications: Small and medium-sized enterprises (SMEs), including start-ups, can submit the technical documentation in a simplified form. The Commission is creating a simplified form tailored to the needs of micro and small businesses.

Open-source exceptions

Providers of GPAI models with an open-source license—that is, openly and freely licensed models without systemic risks—are not required to comply with detailed documentation standards. This regulation can be particularly beneficial for startups and smaller developers.

Equal competition

The code of conduct was developed with the participation of more than 1,000 stakeholders, including small and medium-sized enterprises. This is intended to ensure that the needs of different company sizes are taken into account.

The EU is therefore striving to limit the burden on smaller companies while maintaining high standards of security and transparency.

Suitable for:

• 200 billion euros for the promotion of AI gigafactors and AI-related projects in Europe

What significance does August 2, 2025 have for existing AI models?

August 2, 2025, marks a significant turning point in European AI regulation, distinguishing between new and existing models. This distinction is crucial for the practical implementation of the regulation.

New GPAI models

For new GPAI models launched after August 2, 2025, the full obligations of the AI ​​Regulation apply immediately. This means that all transparency, documentation, and governance obligations are mandatory from that date.

Existing models

For systems already on the market, such as ChatGPT-4, the rules will only apply from August 2026. This two-year transition period is intended to give providers time to adapt their existing systems accordingly and implement the new requirements.

Enforcement by the AI ​​Office

The European AI Office will enforce the rules one year after they come into force (i.e., from August 2026) for new models and two years later for existing models. This gives authorities time to build their capacity and develop consistent enforcement practices.

Transitional bridge through code of conduct

As a transitional measure, companies can already sign the voluntary AI code of conduct. These companies then benefit from less bureaucracy and increased legal certainty compared to companies that choose other compliance methods.

What are the long-term implications for the European AI market?

The EU AI Regulation is expected to have far-reaching and lasting effects on the European AI market. These changes will affect both Europe's competitive position and the development of the AI ​​industry as a whole.

Legal certainty as a competitive advantage

Companies that prioritize transparency, governance, and compliance early on will remain competitive in the European market. Uniform rules can make Europe an attractive location for trustworthy AI and strengthen investor and customer confidence.

Global standard setter

Similar to the GDPR, the EU AI Regulation could have international repercussions. Experts expect the EU AI Act to stimulate the development of AI governance and ethical standards worldwide. Europe could establish itself as a global benchmark for responsible AI development.

Innovation ecosystem

The EU is funding several measures to support AI research and facilitate the transfer of research results to the market. The network of more than 200 European Digital Innovation Hubs (EDIHs) aims to promote the widespread adoption of AI.

Market consolidation

The stringent regulatory requirements could lead to market consolidation, as smaller providers may struggle to bear the compliance costs. At the same time, new business models could emerge around compliance solutions.

Competition risks

Companies that fail to act in a timely manner risk legal uncertainty and competitive disadvantages. The high penalties and strict enforcement measures can have a significant impact on business models.

The long-term impact depends on whether Europe succeeds in balancing innovation and regulation and establishing itself as a leading location for trustworthy AI.

☑️ Our business language is English or German

☑️ NEW: Correspondence in your national language!

Konrad Wolfenstein

I would be happy to serve you and my team as a personal advisor.

You can contact me by filling out the contact form or simply call me on +49 7348 4088 965 (Munich) . My email address is: wolfenstein ∂ xpert.digital

I'm looking forward to our joint project.

☑️ SME support in strategy, consulting, planning and implementation

☑️ Creation or realignment of the AI ​​strategy

☑️ Pioneer Business Development