Scope and obligations

Risk-based framework. Prohibited practices (Art. 5) effective Feb 2025; general-purpose AI obligations Aug 2025; high-risk system obligations Aug 2026.

EU AI Act addresses 13 contested AI-governance topics explicitly, 6 via general principles,.

Topics governed

• governs
  Foundation Models / GPAI— Arts. 51-55 (general-purpose AI + systemic risk)
• governs
  Biometric Identification— Art. 5(1)(h) prohibition + Art. 26(10) post-hoc rules
• governs
  Deepfakes / Synthetic Content— Art. 50(4) (disclosure obligation for deep fakes)
• governs
  AI in Employment— Annex III §4 (high-risk: employment management)
• governs
  AI in Healthcare— Annex III §5(a) (high-risk: essential services) + MDR overlap
• governs
  AI in Criminal Justice— Annex III §6 (high-risk: law enforcement)
• governs
  AI in Education— Annex III §3 (high-risk: educational access)
• governs
  Compute-Threshold Reporting— Art. 52 + Annex XIII (10²⁵ FLOP presumption)
• governs
  Transparency Obligations— Arts. 13, 50 (transparency obligations)
• governs
  Individual Redress— Art. 85 (right to lodge complaints)
• implicit
  Training-Data Rights— Recital 105; CDSM Directive provides primary copyright framework
• implicit
  Catastrophic & Existential Risk— Art. 51 + Recital 32 — systemic risk overlaps with but does not fully cover catastrophic-risk framing
• implicit
  Technological Sovereignty— Recitals 1-5 + EU competence framing; AI Office establishes EU capacity
• implicit
  Agentic AI Governance— Arts. 26-29 deployer obligations apply to agent operators; Arts. 51-55 GPAI obligations capture the underlying model
• governs
  Open-Weight Frontier Release— Art. 53(2) + Recital 102/104 — explicit open-source GPAI exemption (with caveats for systemic-risk models)
• governs
  Synthetic Content Provenance— Art. 50(2) — provider machine-readable marking obligation; Art. 50(4) — deployer disclosure for deep fakes (distinct from the `deepfakes` topic which focuses on misuse-harms)
• implicit
  AI in Elections— Art. 5 prohibitions (subliminal manipulation) + Annex III §8 (democratic processes / elections high-risk)
• implicit
  Environmental Impact of AI Training— Art. 95 voluntary codes of conduct include environmental sustainability; Recital 142 references energy efficiency reporting for GPAI
• governs
  National Security Carveouts in AI Regulation— Art. 2(3) explicitly excludes AI systems used exclusively for military, defence, or national-security purposes

Enforcement record

Documented enforcement actions catalogued against EU AI Act (or against rules that this instrument now subsumes).

• New York Times v. OpenAI + MicrosoftUS · 2023 · ongoing
  New York Times Company (private civil litigation) v. OpenAI Inc. + Microsoft Corp. — Unauthorised reproduction of NYT-copyrighted articles in GPT training corpora; output of substantially similar text on prompted query; removal of copyright-management information.
  Lesson: First major frontier-foundation-model copyright lawsuit by a primary news source. Discovery has surfaced disclosure of training-data composition that the EU AIA Art. 53 transparency requirements would have surfaced ex-ante. The case is the highest-stakes ex-post-liability action testing whether US sectoral approach can substitute for ex-ante regulation on training-data rights — outcome will inform 2025-2027 regulatory debates.
  Source record →
• Mobley v. Workday (US AI-hiring class action)US · 2023 · ongoing
  Mobley v. Workday, Inc., No. 3:23-cv-00770 (N.D. Cal.)
  Private civil class action; EEOC amicus participation v. Workday Inc. — Workday's algorithmic hiring tools allegedly screened out applicants on disability, age, and race. Class action seeks to certify Workday as an 'employment agency' under Title VII so disparate-impact theory applies to the algorithm's outputs rather than only its developers.
  Lesson: First major US AI-hiring class action with EEOC amicus support. If Workday is certified as an 'employment agency', US sectoral approach (EEOC + Title VII) substantially expands AI-hiring liability without requiring an AI statute. This is the load-bearing test of whether US 'principles + ex-post liability' approach can substitute for EU AIA Annex III §4 (high-risk employment AI obligations).
  Source record →regulator landing
• EDPB ChatGPT TaskforceEU · 2023–2024
  European Data Protection Board (EDPB) — coordinated DPA action v. OpenAI — Italian Garante temporarily banned ChatGPT (Mar-Apr 2023) over alleged lack of legal basis for training-data processing, missing age-verification, and inability to honour data-subject rights. EDPB convened taskforce to coordinate DPA responses.
  Lesson: First EU-wide AI enforcement coordination predating the EU AIA. Established that GDPR applies fully to LLM training + deployment + that DPAs would coordinate via EDPB rather than fragment. ChatGPT resumed Italian service after age-verification + Article-15 right-of-access endpoint additions. Direct precedent for EU AIA Art. 53 implementation timeline.
  Source record →
• Italian DPA — Clearview AIEU · 2021–2022
  Garante per la protezione dei dati personali (Italian DPA) v. Clearview AI Inc. — Mass scraping of publicly-available facial images + biometric processing without legal basis under GDPR. Provision of services to Italian users without GDPR-compliant data-processing arrangements.
  Lesson: €20M fine + mandatory deletion of Italian-resident facial-recognition data. Established that GDPR provides binding enforcement authority for biometric-AI applications even where no AI-specific instrument exists. Replicated in France (2022) + UK (2022) + Greece (2022) — the only successful cross-jurisdictional AI enforcement so far.
  Source record →
• France CNIL — Clearview AIEU · 2020–2023
  Commission nationale de l'informatique et des libertés (CNIL) v. Clearview AI Inc. — Mass scraping of facial images of French residents + biometric processing without lawful basis. CNIL imposed €20M fine + 5x €100k/day penalty for non-compliance with deletion order.
  Lesson: Parallel to Italian Garante action; both fined identical €20M amount within 6 months. CNIL added 5x €100k/day non-compliance penalty when Clearview refused deletion — escalation pattern that EU AIA Art. 99 (penalties up to 7% global turnover) extends. Multi-DPA replication confirms GDPR is enforceable against US-based AI providers serving EU residents.
  Source record →

Cross-jurisdiction comparison

How peer instruments treat the topics EU AI Act governs.

°= industry self-imposed voluntary framework. Comparing a voluntary code's "governs" tint with a binding regulation's "governs" tint flattens the legal-force distinction; use the instrument-page banner for the operative status of each.

How to cite this article

Policy Window. (2024). EU AI Act [Wiki article — Instrument]. https://policywindow.org/wiki/eu-ai-act

Policy Window. 2024. "EU AI Act." Wiki article (Instrument). https://policywindow.org/wiki/eu-ai-act.

@misc{policywindow-eu-ai-act,
  title  = {EU AI Act},
  author = {Policy Window},
  year   = {2024},
  howpublished = {Regulation (EU) 2024/1689},
  url    = {https://policywindow.org/wiki/eu-ai-act},
  note   = {Primary source: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689}
}

Related debates — rival interpretations & counterevidence

Structured controversies where this instrument's provisions are the locus of disagreement. Each debate page lays out the competing positions with primary-source citations.

• Open-Source vs Closed-Source Frontier Models — Should the most-capable AI models be released under permissive licenses (open weights), or only via API / structured-access agreements? The dispute is foundational to nearly every frontier-AI governance instrument.
• Pause AI vs Accelerate Capabilities — Should the global community impose temporary or capability-conditional pauses on frontier-AI development, or should development accelerate with safety work conducted in parallel?
• Pre-Deployment Red-Team vs Post-Deployment Audit — Should AI capability + safety evaluations happen primarily before deployment (red-team gating release), or primarily after (post-deployment audit + incident response)?
• Risk-Based vs Principles-Based vs Ex-Post Liability Regimes — Should AI governance work via (a) risk-based ex-ante categorisation + obligations (EU), (b) high-level principles delegated to sector regulators (UK / OECD / G7), or (c) ex-post liability + civil litigation (US sectoral)?
• Compute vs Behavioural Capability Thresholds — Should the regulatory trigger for 'frontier' / 'foundation' / 'systemic-risk' status be training-compute thresholds (objective + ex-ante observable), or behavioural-capability evaluation (more semantically meaningful but operationally costly)?

Related instruments

• Executive Order 14110 on Safe, Secure, Trustworthy AI · US
• Interim Measures for Generative AI Service Management · CN
• G7 Hiroshima AI Process Code of Conduct · G7
• OECD AI Principles (Recommendation) · OECD
• Council of Europe Framework Convention on AI · council_of_europe
• NIST AI Risk Management Framework · US
• Seoul Declaration on Safe, Innovative and Inclusive AI · global
• NIST AI RMF Generative AI Profile · US
• California SB-1047: Safe and Secure Innovation for Frontier AI Models Act · US
• India Digital Personal Data Protection Act + AI Advisory (MEITY) · IN
• Brazil AI Bill (PL 2338/2023) · BR
• Anthropic Responsible Scaling Policy (RSP) v2 · US
• Meta Frontier AI Framework · US
• White House Voluntary AI Commitments · US
• Singapore Model AI Governance Framework for Generative AI · SG
• Japan METI AI Guidelines for Business · JP
• General Data Protection Regulation (GDPR) · EU
• EU General-Purpose AI Code of Practice · EU

References

1. Regulation (EU) 2024/1689
2. Arts. 51-55 (general-purpose AI + systemic risk)
3. Art. 5(1)(h) prohibition + Art. 26(10) post-hoc rules
4. Art. 50(4) (disclosure obligation for deep fakes)
5. Annex III §4 (high-risk: employment management)
6. Annex III §5(a) (high-risk: essential services) + MDR overlap
7. Annex III §6 (high-risk: law enforcement)
8. Annex III §3 (high-risk: educational access)
9. Art. 52 + Annex XIII (10²⁵ FLOP presumption)
10. Arts. 13, 50 (transparency obligations)
11. Art. 85 (right to lodge complaints)
12. Recital 105; CDSM Directive provides primary copyright framework
13. Art. 51 + Recital 32 — systemic risk overlaps with but does not fully cover catastrophic-risk framing
14. Recitals 1-5 + EU competence framing; AI Office establishes EU capacity
15. Arts. 26-29 deployer obligations apply to agent operators; Arts. 51-55 GPAI obligations capture the underlying model
16. Art. 53(2) + Recital 102/104 — explicit open-source GPAI exemption (with caveats for systemic-risk models)
17. Art. 50(2) — provider machine-readable marking obligation; Art. 50(4) — deployer disclosure for deep fakes (distinct from the `deepfakes` topic which focuses on misuse-harms)
18. Art. 5 prohibitions (subliminal manipulation) + Annex III §8 (democratic processes / elections high-risk)
19. Art. 95 voluntary codes of conduct include environmental sustainability; Recital 142 references energy efficiency reporting for GPAI
20. Art. 2(3) explicitly excludes AI systems used exclusively for military, defence, or national-security purposes