1 August 2024
The Regulation entered into force 20 days after publication in the Official Journal of the EU.
2 August 2026
Most provisions apply 24 months after entry into force, with earlier deadlines for prohibited practices (Feb 2025) and GPAI (Aug 2025).
Extra-territorial
Applies to any provider or deployer placing AI systems on the EU market or affecting persons in the EU — regardless of where the provider is based.
Up to €35 million / 7% turnover
Maximum penalties for violations involving prohibited AI practices. Fines scale with risk tier and organisation size.
What is the EU AI Act?
The EU AI Act (Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024) is the world's first comprehensive horizontal regulation of artificial intelligence. It was published in the Official Journal of the European Union on 12 July 2024.
The Act takes a risk-based approach, classifying AI systems into four tiers: Unacceptable Risk (prohibited), High Risk (heavy obligations), Limited Risk (transparency obligations), and Minimal Risk (voluntary codes of practice).
In addition to regulating AI systems, the Act introduces a new horizontal framework for General-Purpose AI (GPAI) models — a category that captures the large foundation models (GPT-4, Claude, Gemini, Llama, etc.) that underpin most modern AI products.
Key institutions
- EU AI Office — European Commission body responsible for supervising GPAI models.
- National Competent Authorities (NCAs) — member-state regulators for high-risk AI systems.
- European AI Board — coordination body across NCAs.
- Advisory Forum — technical and scientific expert body advising the Commission.
Risk Classification
Unacceptable Risk — Prohibited
AI systems that pose a clear threat to fundamental rights: social scoring by public authorities, real-time biometric surveillance in public spaces, manipulation using subliminal techniques, exploitation of vulnerable groups.
High Risk
AI systems in eight regulated sectors: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, and administration of justice. Subject to conformity assessment, registration in the EU database, and ongoing monitoring.
Limited Risk
AI systems that interact with humans (chatbots, deepfakes) must disclose their AI nature. Providers must ensure users are informed they are interacting with an AI system.
Minimal Risk
All other AI systems — spam filters, AI in games, recommendation systems. No mandatory obligations but encouraged to adopt voluntary codes of practice.
GPAI Models & the EU AI Act Equivalent of Model Cards
The Act does not use the term "model card" but creates functionally equivalent documentation requirements for foundation models.
What the Act requires (Articles 53 & 55)
Providers of GPAI models must draw up and keep up to date technical documentation covering training methodology, evaluation results, energy consumption, copyright compliance, and safety testing. This must be made available to the EU AI Office and, in summary, to downstream providers.
Technical Documentation (Article 53)
All GPAI model providers must produce technical documentation including:
- General description of the model and its intended uses
- Training data description including provenance and filtering
- Training methodologies and techniques
- Model architecture and parameter count
- Evaluation results on recognised benchmarks
- Energy consumption of training and inference
- Known limitations, bias, and safety characteristics
This is functionally equivalent to a model card, but with additional emphasis on transparency about training data and energy consumption.
Systemic Risk — Enhanced Obligations (Article 55)
GPAI models with systemic risk (defined as models trained using more than 10^25 FLOPs) face additional requirements:
- Adversarial testing (red-teaming) across the model supply chain
- Incident reporting to the EU AI Office
- Cybersecurity protection measures
- Energy efficiency reporting
Models currently meeting the systemic risk threshold include: GPT-4 series, Claude 3 Opus+, Gemini Ultra/Pro, and Llama 3 405B. This list will evolve as compute thresholds are reviewed.
These requirements go beyond traditional model cards by adding post-deployment monitoring and incident reporting obligations.
Model cards vs. EU AI Act technical documentation — key differences
Industry model cards are voluntary, vary in depth, and have no standardised format. The EU AI Act creates a mandatory, standardised technical documentation requirement with regulatory oversight — but aligns closely with best-practice model card content. Providers who already publish comprehensive system cards (e.g. OpenAI, Anthropic) are better positioned for compliance.
Key Dates & Timeline
Phased application of the EU AI Act obligations.
| Date | Milestone | What applies |
|---|---|---|
| 12 July 2024 | Published in Official Journal | Regulation enters the statute book |
| 1 August 2024 | Entry into force | Regulation legally in force across the EU |
| 2 February 2025 | Chapter I & II apply | Prohibited AI practices banned; definitions and scope active |
| 2 May 2025 | GPAI Codes of Practice | First GPAI Code of Practice expected to be finalised |
| 2 August 2025 | GPAI provisions apply | Technical documentation and transparency rules for GPAI models |
| 2 August 2026 | Full application | High-risk AI obligations, conformity assessments, national enforcement |
| 2 August 2027 | Legacy systems | High-risk AI systems already on the market must comply |
Official Resources
Direct links to official EU and Commission documents.
Regulation (EU) 2024/1689
The full text of the EU AI Act as published in the Official Journal of the European Union.
AI Office Website
The official hub for the EU AI Office, including guidance documents, GPAI model registration, and consultations.
GPAI Code of Practice
The first draft Code of Practice for GPAI model providers, developed through a multi-stakeholder process led by the AI Office.
AI Act Implementation
Commission resources on implementing the AI Act, including delegated acts, standards mandates, and the EU AI database.