EU vs. USA: An end to data theft? How the new EU law aims to change AI training forever

Stricter rules for ChatGPT, Gemini and others – The new EU rules for artificial intelligence

From August 2, 2025, stricter rules will apply in the European Union to large artificial intelligence systems such as ChatGPT, Gemini, and Claude. These rules are part of the EU AI Regulation, also known as the AI ​​Act, which is being phased in. The new regulations specifically target so-called general-purpose AI models, or GPAI for short. This category includes systems that are versatile and can be used for a variety of tasks – from text generation and translation to programming.

The providers of these systems will be subject to comprehensive transparency obligations in the future. They must disclose how their systems function, what data they were trained on, and what measures have been taken to protect copyrights. Particularly powerful models that could potentially pose systemic risks are subject to additional security measures and must undergo regular risk assessments.

Suitable for:

• EU tightens AI regulation: The most important questions and answers about the regulation from August 2025

Why is the EU introducing this regulation?

The European Union pursues several objectives with its AI regulation. Firstly, it aims to protect citizens from the potential risks of artificial intelligence, while secondly, it seeks to promote innovation and create legal certainty for businesses. The EU aims to be a global leader in AI regulation and to set standards that could potentially be adopted internationally.

A key concern is the protection of fundamental rights. The regulation aims to ensure that AI systems are transparent, comprehensible, non-discriminatory, and environmentally friendly. At the same time, it seeks to prevent AI systems from being used for purposes incompatible with EU values, such as social scoring modeled on Chinese systems or manipulative practices.

What specific obligations will providers have from August 2025 onwards?

From August 2, 2025, providers of GPAI models must comply with a number of obligations. These include, first and foremost, comprehensive technical documentation detailing the model architecture, training methodology, training data sources, energy consumption, and computing resources used. This documentation must be continuously updated and made available to authorities upon request.

A particularly important aspect is copyright compliance. Providers must develop and implement a strategy for complying with EU copyright law. They must ensure that they do not use any training content for which rights holders have issued a usage restriction. Furthermore, they must create and publish a sufficiently detailed summary of the training content. The European Commission has developed a binding template for this, which will become mandatory for new models from August 2025.

What about copyright and the training of AI models?

The issue of copyright in the training of AI models is a central point of contention. Many authors, artists, and media producers complain that their works have been used without permission to train AI systems, and that this AI now competes with them. The new EU rules address this problem by requiring providers to disclose which websites they use to access copyrighted works.

According to Article 53 of the AI ​​Regulation, providers must demonstrate that they have a functioning system in place to protect European copyright. They must implement a copyright compliance policy that includes technologies to detect and respect any opt-out reservations made by copyright holders. While the text and data mining exception of the DSM Directive remains applicable, if rights holders have reserved their rights, providers must obtain permission for use.

What about existing AI models?

For AI models that were already on the market before August 2, 2025, there is a longer transition period. Providers such as OpenAI, Google, and Anthropic, whose models were available before then, only have to comply with the obligations of the AI ​​Regulation from August 2, 2027. This means that ChatGPT, Gemini, and similar existing systems have another two years to adapt to the new rules.

This phased rollout is intended to give companies time to adapt their systems and processes. However, new models launched after August 2025 must meet the requirements from the outset.

What happens if the new rules are violated?

The EU has established a tiered system of sanctions that imposes substantial penalties for violations. The amount of the fines depends on the severity of the infringement. Violations of GPAI obligations can result in fines of up to €15 million or 3% of global annual turnover, whichever is higher. Providing false or misleading information to authorities can be punished with fines of up to €7.5 million or 1.5% of annual turnover.

It is important to note, however, that the EU Commission's enforcement powers will only take effect from August 2, 2026. This means there will be a one-year transition period during which the rules apply but will not yet be actively enforced. However, affected citizens or competitors can already file lawsuits during this time if they discover violations.

What role does the voluntary code of conduct play?

Alongside the binding rules, the EU has developed a voluntary code of practice, the GPAI Code of Practice. This code was drafted by 13 independent experts and is intended to help companies comply with the requirements of the AI ​​Regulation. The code is divided into three areas: transparency, copyright, and security and safeguards.

Companies that sign the code can benefit from reduced administrative burden and greater legal certainty. By the end of July 2025, 26 companies had already signed the code, including Aleph Alpha, Amazon, Anthropic, Google, IBM, Microsoft, Mistral AI, and OpenAI. However, Meta explicitly decided against signing, criticizing the code for creating legal uncertainties and going beyond the requirements of the AI ​​Act.

How do the approaches in the EU and the USA differ?

Regulatory approaches in the EU and the US are increasingly diverging. While the EU relies on strict regulation and clear guidelines, the US under President Trump is pursuing a path of deregulation. Shortly after taking office, Trump repealed his predecessor Biden's AI targets and his AI plan focuses entirely on promoting innovation without regulatory hurdles.

One particularly controversial point is the issue of copyright. Trump argues that AI models should be allowed to use content free of charge, without having to respect copyright. He compares this to how people who read a book acquire knowledge without violating copyright. This position stands in stark contrast to EU regulations, which explicitly require the protection of copyright.

What does this mean for users of AI systems?

For end users of AI systems like ChatGPT or Gemini, the new rules primarily bring greater transparency. Providers will be required to communicate more clearly how their systems work, their limitations, and potential errors. AI-generated content must be clearly identified as such, for example, through watermarks on images or appropriate disclaimers on text.

Furthermore, the systems are to become more secure. The prescribed risk assessments and security measures are intended to prevent AI systems from being misused for harmful purposes or producing discriminatory results. Users should be able to trust that the AI ​​systems available in the EU comply with certain standards.

Which AI practices are already banned in the EU?

Since February 2, 2025, certain AI applications have been completely banned in the EU. This includes so-called social scoring, i.e., the evaluation of people's social behavior, as practiced in China. Emotion recognition in the workplace and in educational institutions is also prohibited. Systems that manipulate people or exploit their vulnerability to harm them are likewise banned.

Facial recognition in public spaces is generally prohibited, but there are exceptions for law enforcement agencies investigating serious crimes such as terrorism or human trafficking. These prohibitions are considered practices posing an “unacceptable risk” and are intended to protect the fundamental rights of EU citizens.

How is compliance with the rules monitored?

The monitoring of the AI ​​Regulation takes place at various levels. At the EU level, the European Commission's newly established AI Office is responsible for monitoring GPAI models. Member States must also designate their own competent authorities. In Germany, the Federal Network Agency, in cooperation with other specialized agencies, assumes this task.

For certain high-risk AI systems, so-called notified bodies are involved to conduct conformity assessments. These bodies must be independent and possess the necessary expertise to evaluate AI systems. The requirements for these bodies are detailed in the regulation.

What impact will this have on innovation and competition?

Opinions differ on the impact of the AI ​​regulation on innovation. Proponents argue that clear rules create legal certainty and thus promote investment. The European Commission emphasizes that the regulation allows room for innovation while simultaneously ensuring that AI is developed responsibly.

Critics, including many technology companies and industry associations, warn of a “complete halt to innovation.” They fear that the extensive documentation and compliance requirements could particularly disadvantage smaller companies and startups. Meta argues that overregulation will slow down the development and dissemination of AI models in Europe.

Suitable for:

• The five-point plan: This is how Germany wants to become a world leader in AI – data gigafactory and public contracts for AI startups

What are the next important dates?

The timeline for implementing the AI ​​Regulation includes several key milestones. Following the entry into force of the GPAI rules on August 2, 2025, the next major stage will take place on August 2, 2026. At that point, the full rules for high-risk AI systems will come into effect, and the European Commission will be granted its full enforcement powers. By then, Member States must also have implemented their sanctions rules and established at least one AI real-world laboratory.

On August 2, 2027, the regulations for high-risk AI systems, governed by sectoral harmonization rules, and the rules for GPAI models launched before August 2025 will come into effect. Further transitional periods exist until 2030 for specific areas such as AI systems in large EU IT systems.

How are the major tech companies positioning themselves?

The reactions of major technology companies to the new EU regulations vary. While companies like Microsoft and OpenAI have signaled their willingness to cooperate and have signed the voluntary code of conduct, Meta is considerably more critical. Joel Kaplan, Meta's Chief Global Affairs Officer, stated that Europe is taking the wrong approach to AI regulation.

Google has announced its intention to sign the Code of Practice, but has also expressed concerns that the AI ​​law could stifle innovation. Anthropic, which has been sued for alleged copyright infringement, has also endorsed the code. These differing positions reflect the companies' diverse business models and strategic orientations.

What practical challenges arise during implementation?

Implementing the AI ​​regulation presents numerous practical challenges. A key difficulty lies in defining which systems qualify as "artificial intelligence" and thus fall under the regulation. The European Commission has announced corresponding guidelines, but these have not yet been fully published.

Another problem is the complexity of the documentation requirements. Companies must compile detailed information about their training data, which is particularly difficult when large amounts of data from various sources have been used. The question of how exactly opt-out reservations from rights holders should be technically implemented also remains unresolved.

What does this mean for European AI companies?

For European AI companies, the regulation presents both opportunities and challenges. On the one hand, it creates a uniform legal framework within the EU, which facilitates cross-border business. Companies that meet the standards can use this as a mark of quality and build customer trust.

On the other hand, many fear that the strict rules could put European companies at a disadvantage in global competition. In particular, compared to US or Chinese competitors, which are subject to less stringent regulations, European providers could be at a disadvantage. The EU argues, however, that the regulation will lead to safer and more trustworthy AI systems in the long run, which could represent a competitive advantage.

Integration of an independent and cross-data-source AI platform for all business needs - Image: Xpert.Digital

AI Game Changer: The most flexible AI platform - Tailor-made solutions that reduce costs, improve your decisions and increase efficiency

Independent AI platform: Integrates all relevant company data sources

• This AI platform interacts with all specific data sources
  • From SAP, Microsoft, Jira, Confluence, Salesforce, Zoom, Dropbox and many other data management systems
• Rapid AI integration: Tailor-made AI solutions for businesses in hours or days, instead of months
• Flexible infrastructure: Cloud-based or hosting in your own data center (Germany, Europe, free choice of location)

• Maximum data security: its use in law firms is irrefutable proof
• Deployment across a wide variety of enterprise data sources
• Choice of own or different AI models (DE, EU, USA, CN)

Challenges that our AI platform solves

• Lack of fit of conventional AI solutions
• Data protection and secure management of sensitive data
• High costs and complexity of individual AI development
• Shortage of qualified AI specialists
• Integration of AI into existing IT systems

More about it here:

• AI integration of an independent and cross-data source-wide AI platform for all company matters

How do other countries handle AI regulation?

The EU is a global pioneer with its comprehensive AI regulation, but other countries are also developing their own approaches. The US currently lacks comparable nationwide regulation, although individual states have enacted their own laws. Under the Trump administration, the US has been moving more towards deregulation.

China is pursuing a different approach with specific rules for certain AI applications, while simultaneously promoting technologies like social scoring. Other countries, such as Canada, the UK, and Japan, are developing their own frameworks, which are often less comprehensive than the EU regulation. These differing approaches could lead to regulatory fragmentation, posing challenges for international companies.

What role do courts play in enforcement?

Courts will play a crucial role in interpreting and enforcing the AI ​​regulation. Several lawsuits are already underway in the US concerning alleged copyright infringements in AI training. For example, one court ruled in favor of authors who sued Anthropic, claiming that versions of their books had been used without permission to train Claude.

In the EU, individuals and companies can now file lawsuits if they identify violations of the AI ​​Regulation. This also applies during the transitional phase, before the authorities' official enforcement powers take effect. However, the final interpretation of the regulation will rest with the European Court of Justice, which is expected to deliver landmark rulings in the coming years.

Suitable for:

• AI bans and mandatory competence: The EU AI Act – A new era in dealing with artificial intelligence

What are the long-term prospects?

The long-term impact of the EU AI regulation is still difficult to predict. Proponents hope that the EU standards could become a global benchmark, similar to the General Data Protection Regulation (GDPR). Companies developing for the European market could then apply these standards worldwide.

Critics, however, warn of Europe's technological decoupling. They fear that strict regulation could lead to innovative AI developments taking place primarily outside of Europe. The future will show whether the EU has found the right balance between protection and innovation.

What does all this mean in summary?

The new EU rules for artificial intelligence mark a turning point in the regulation of this technology. From August 2025, providers of large AI systems such as ChatGPT or Gemini will have to meet comprehensive transparency and security requirements. The regulation aims to protect citizens' rights while simultaneously enabling innovation.

Practical implementation will show whether this balancing act succeeds. While some companies see the rules as necessary and sensible, others criticize them as stifling innovation. The differing approaches in the EU and the US could lead to a fragmentation of the global AI landscape. For users, the rules mean greater transparency and security; for companies, they mean additional compliance requirements. The coming years will be crucial in determining whether Europe can successfully pursue its self-chosen path of AI regulation.

How does technical documentation work in practice?

The technical documentation that GPAI model providers must create is a complex undertaking. It encompasses not only technical specifications but also detailed information about the entire development process. Providers must document the design decisions made, the structure of the model architecture, and the optimizations implemented.

Documenting training data is particularly demanding. Providers must not only specify which data sources were used, but also how the data was prepared and filtered. This includes information on data cleansing processes, duplicate removal, and the handling of potentially problematic content. The EU also requires details on the scope of the data, its main characteristics, and how it was obtained and selected.

What specific requirements apply to systemically risky models?

AI models classified as systemically risky are subject to particularly stringent requirements. This classification occurs when training requires a cumulative computational effort exceeding 10^25 floating-point operations, or when the European Commission deems the model particularly risky due to its capabilities.

These models are subject to additional obligations, such as conducting risk assessments, adversarial testing to identify vulnerabilities, and implementing risk mitigation measures. Providers must also establish an incident reporting system and promptly report serious incidents to the supervisory authorities. These measures are designed to ensure that particularly powerful AI systems cannot be misused for malicious purposes.

What does cooperation between the EU and its member states look like?

Enforcement of the AI ​​Regulation involves a complex interplay between EU institutions and national authorities. While the EU AI Office is responsible for monitoring GPAI models, national authorities play a crucial role in monitoring other AI systems and enforcing the rules locally.

Member States were required to designate at least one competent authority by November 2024 and establish national notification authorities by August 2025. These authorities are responsible for the accreditation and monitoring of conformity assessment bodies that test high-risk AI systems. Coordination between the different levels presents a challenge but is necessary to ensure consistent application of the regulation across the EU.

What is the significance of harmonized standards?

A key aspect of the AI ​​Regulation is the development of harmonized standards. These technical standards are intended to specify how the abstract requirements of the regulation can be implemented in practice. The European standardization organizations CEN, CENELEC, and ETSI are working on developing these standards, which cover areas such as data quality, robustness, cybersecurity, and transparency.

While the harmonized standards are not mandatory, they do create a presumption of conformity. This means that companies adhering to these standards can assume they meet the relevant requirements of the regulation. This provides legal certainty and significantly simplifies practical implementation.

How do smaller companies deal with the requirements?

For smaller companies and start-ups, the extensive requirements of the AI ​​Regulation pose a particular challenge. The documentation obligations, conformity assessments, and compliance measures require considerable resources that not all companies can afford.

The EU has attempted to address this problem by explicitly requiring in the regulation that the interests of SMEs be taken into account. Notified bodies are to avoid unnecessary burdens and minimize the administrative burden for small businesses. Furthermore, AI real-world labs are intended to offer small businesses the opportunity to test their innovations in a controlled environment.

What are AI real-world laboratories and how do they work?

AI real-world labs are controlled environments where companies can test AI systems under real-world conditions without having to meet all regulatory requirements. Member States are required to establish at least one such real-world lab by August 2026. These labs are intended to foster innovation while simultaneously providing insights into risks and best practices.

In real-world laboratories, companies can test new approaches and benefit from regulatory flexibility. Authorities monitor the tests and can gain valuable insights into the practical challenges of AI regulation. This should contribute to an evidence-based development of the legal framework.

Suitable for:

• 200 billion euros for the promotion of AI gigafactors and AI-related projects in Europe

How does the AI ​​regulation relate to other EU laws?

The AI ​​Regulation does not exist in a vacuum; it must harmonize with other EU laws. The relationship with the General Data Protection Regulation (GDPR) is particularly relevant, as AI systems frequently process personal data. The AI ​​Regulation supplements the GDPR and creates additional requirements specifically for AI systems.

The AI ​​Regulation also needs to be coordinated with sector-specific regulations such as the Medical Devices Regulation and the Machinery Regulation. In many cases, both sets of regulations apply concurrently, which increases compliance requirements for companies. The EU is working on guidelines to clarify the interplay between the various legal acts.

What role does cybersecurity play in the AI ​​regulation?

Cybersecurity is a key aspect of the AI ​​regulation. Providers must ensure that their systems are robust against cyberattacks and cannot be manipulated. This includes measures to protect against adversarial attacks, where specially crafted inputs are intended to trick the AI ​​system into making errors.

Cybersecurity requirements vary depending on the risk level of the AI ​​system. High-risk systems and systemically risky GPAI models must meet particularly high standards. Providers must conduct regular security assessments and address vulnerabilities promptly. Security incidents must be reported to the authorities.

How are cross-border issues handled?

The global nature of AI systems raises complex cross-border issues. Many AI providers are based outside the EU but offer their services to European users. The AI ​​Regulation applies to all AI systems placed on the market or used in the EU, regardless of the provider's location.

This leads to practical enforcement challenges. The EU must cooperate with third countries and potentially negotiate agreements on the mutual recognition of standards. At the same time, European companies operating internationally may have to comply with different regulatory requirements in different markets.

What support is available for affected companies?

To support companies in implementing the AI ​​Regulation, the EU and its member states have established various support measures. The EU AI Office regularly publishes guidance and explanations on key aspects of the regulation. These documents are intended to provide practical assistance in interpreting and applying the rules.

National authorities also offer advice and support. In Germany, for example, the Federal Network Agency has developed an AI compliance compass that guides companies through the regulatory requirements. Industry associations and consulting firms offer additional resources and training.

How will the international discussion develop?

The international discussion on AI regulation is dynamic and multifaceted. While the EU is forging ahead with its comprehensive regulation, other countries are closely monitoring developments. Some are considering similar approaches, while others are deliberately pursuing alternative paths.

International organizations such as the OECD, the G7, and the UN are working on global principles for responsible AI. These efforts aim to create a common framework that can bridge differing regulatory approaches. The challenge lies in finding a consensus among countries with very different values ​​and priorities.

What does this mean for the future of AI development?

The EU AI Regulation will undoubtedly shape the landscape of AI development. Some experts see it as a necessary measure to strengthen trust in AI systems and ensure their responsible development. They argue that clear rules will lead to better and safer AI systems in the long run.

Others fear that regulation could weaken Europe's innovative capacity. They point out that compliance costs pose a particular hurdle for smaller companies and that talented developers might migrate to less regulated markets. The coming years will show which of these predictions come true.

Europe's regulatory path: Protection and progress in artificial intelligence

The introduction of stricter rules for AI systems in the EU marks a historic moment in technology regulation. With the phased implementation of the AI ​​Regulation, Europe is breaking new ground and setting standards that may well be emulated worldwide. The balance between protection and innovation, between safety and progress, will be the central challenge.

For everyone involved – from large tech companies to startups and individual users – this marks a time of change and adaptation. Successful implementation will depend on how well the abstract principles of the regulation can be translated into practical solutions. Collaboration among all stakeholders will be crucial: regulators, businesses, academia, and civil society must work together to ensure that AI can realize its positive potential while minimizing risks.

The coming years will show whether the EU's regulatory approach has created a model for the world, or whether alternative approaches prove superior. One thing is certain: the debate about the right balance between AI innovation and regulation will continue to occupy us for a long time. The rules coming into force on August 2, 2025, are just the beginning of a longer development that will shape the digital future of Europe and potentially the world.

☑️ SME support in strategy, consulting, planning and implementation

☑️ Creation or realignment of the AI ​​strategy

☑️ Pioneer Business Development

Konrad Wolfenstein

I would be happy to serve as your personal advisor.

You can contact me by filling out the contact form below or simply call me on +49 7348 4088 965 (Munich) .

I'm looking forward to our joint project.

Xpert.Digital is a hub for industry with a focus on digitalization, mechanical engineering, logistics/intralogistics and photovoltaics.

With our 360° business development solution, we support well-known companies from new business to after sales.

Market intelligence, smarketing, marketing automation, content development, PR, mail campaigns, personalized social media and lead nurturing are part of our digital tools.

You can find out more at: www.xpert.digital - www.xpert.solar - www.xpert.plus