EU AI Act – how it will work
EU AI Act – how it will work
The European Union's Artificial Intelligence Act (Regulation (EU) 2024/1689) is now moving into its implementation phase. The world's first comprehensive legal framework on AI, it addresses AI risks while positioning Europe to play a leading role globally. This article examines the key developments shaping the transition of the EU AI Act from legislation to enforcement.
The prohibitions on unacceptable AI practices took effect in February 2025, and the Act's transparency obligations become enforceable from 2 August 2026. As key milestones approach, the European Commission is focusing on practical implementation, including the publication of draft Codes of Practice, the development of compliance tools and the establishment of the governance and enforcement framework.
These developments signal a clear shift to operational readiness and there are increasing expectations on organisations to assess and implement compliance measures in practice.
Key Developments of the EU AI Act in enforcement
First draft Code of Practice; transparency of AI-generated content
One of the most important changes is the publication, on 5 March 2026, of the first draft Code of Practice on the marking and labelling of AI-generated content. The Code provides guidelines for implementing the transparency obligations under Article 50 of the AI Act, which is legally binding from 2 August 2026.
Adherence to the Code of Practice is voluntary but compliance may provide a degree of regulatory comfort in demonstrating compliance with Article 50, even if does not replace the underlying legal obligations. The Code it is likely to become a key reference point for supervisory authorities when assessing compliance in practice.
The Code sets out detailed technical and operational measures. It indicates that providers of AI systems should ensure that AI-generated outputs are marked in a machine-readable format and detectable as artificially generated or manipulated, including through techniques such as watermarking. It also suggests that providers make tools available to support verification of AI-generated content. These requirements are intended to apply horizontally to all providers and deployers, regardless of the AI system's risk classification.
The August 2026 deadline leaves organisations with a narrowing window to build the governance structures necessary for consistent marking and disclosure across all content types and distribution channels.
Governance and enforcement architecture becoming operational
The enforcement architecture underpinning the AI Act is taking shape at both EU and national levels. At the EU level, the AI Office established within the European Commission plays a central role in coordinating the supervision of general-purpose AI models and overseeing consistent application of the Act across Member States. The AI Office chairs the mandatory Cooperation Forum, which meets at least quarterly to coordinate enforcement with national competent authorities.
Member States are required to establish or designate independent national competent authorities, including market surveillance authorities and notifying authorities, responsible for supervision and enforcement. In practice, this is likely to involve a combination of central coordinating bodies and sector-specific regulators, depending on national implementation approaches. These authorities will have powers to request information, carry out investigations, require corrective measures and impose administrative fines.
Ireland's approach is instructive. Ireland is adopting a "distributed model" of enforcement, designating a new AI Office of Ireland as the market surveillance authority and single point of contact, while leveraging existing sectoral regulators such as the Central Bank, Coimisiún na Meán, and the Health Products Regulatory Authority to oversee enforcement in their respective domains.
These authorities will possess robust inspection and sanctioning powers, including the ability to conduct unannounced inspections, require technical documentation, order corrective actions, and impose significant administrative fines. The governance framework also includes provisions for fundamental rights oversight.
This overall approach is set out in the General Scheme of the Regulation of Artificial Intelligence Bill 2026 published on 4 February 2026.
EDPB and EDPS Joint Approach: balancing simplification with safeguards
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) Joint Opinion on the Digital Omnibus emphasises that administrative simplification must not lower the protection of fundamental rights.
They recommend the direct involvement of competent Data Protection Authorities in the supervision of data processing within regulatory sandboxes, and that the EDPB be afforded an advisory role and observer status at the European Artificial Intelligence Board to ensure consistency. The EDPB and EDPS further advise against the proposed deletion of the obligation to register high-risk AI systems, warning that this would "significantly undermine accountability and create an undesirable incentive for providers to unduly claim exemptions to avoid public scrutiny".
The Joint Opinion also addresses the proposed extension of permission to process special categories of personal data, such as ethnicity or health data, for bias detection and correction. The EDPB and EDPS recommend specifying that such data may be used for bias detection only where the risk of adverse effects from such bias is sufficiently serious.
Finally, they call for the supervisory role of the AI Office to be clearly delineated and not to overlap with the independent supervision by the EDPS of AI systems developed or used by Union institutions. This highlights the continued importance of ensuring that AI governance frameworks remain aligned with data protection principles, particularly where personal data is used in AI development and deployment.
AI Pact: voluntary early compliance gains momentum
In parallel with binding enforcement preparations, the voluntary AI Pact continues to attract participants seeking to demonstrate early alignment with the Act's core principles. The Pact calls on organisations to promote AI awareness, identify high-risk AI systems, and adopt AI governance strategies ahead of mandatory compliance deadlines. Over 100 companies have signed the Pact, including tech companies Amazon, Google, Microsoft and OpenAI as well as European industrial players such as Airbus, Nokia and Orange.
The voluntary approach is not without friction. Notably, Apple and Meta have declined to join. Meta stated that it is focused on compliance work under the AI Act. It does not rule out joining the Pact at a later date. Anthropic and TikTok have also not signed. These abstentions highlight that major technology companies are making strategic calculations as the regulatory landscape crystallises.
For general-purpose AI (GPAI) models, a dedicated Code of Practice prepared by independent experts in a multi-stakeholder process and endorsed by the European Commission and the AI Board provides a voluntary compliance pathway. Signatories have established a Signatory Taskforce, chaired by the AI Office, to facilitate coherent application of the Code. The Taskforce, which has already held meetings in January and March 2026, provides a forum for signatories to exchange views on implementation challenges and contribute input on guidance documents. The AI Act's rules for GPAI providers have applied since 2 August 2025, with enforcement beginning in August 2026.
Digital Networks Act & AI Gigafactories: building the infrastructure
Regulatory compliance is only one pillar of the EU's AI strategy. The Commission has also advanced measures to build the physical and digital infrastructure necessary for European AI competitiveness.
On 21 January 2026, the Commission proposed the Digital Networks Act (DNA), a reform of the EU framework governing electronic communications networks and services. The DNA aims to end the fragmentation of the EU's 27 national markets by creating a harmonised, Single Market for connectivity, introducing a Single Passport system for cross-border operation, and formally recognising the convergence of telecommunications, cloud, and AI. The proposal responds to the Draghi and Letta reports, which highlighted the urgent need for regulatory simplification and stronger investment incentives to support next-generation networks.
Complementing the DNA, the Council of the European Union endorsed measures in January 2026 to facilitate the establishment of AI gigafactories across Member States. First proposed by Commission President Ursula von der Leyen in her 2025 State of the Union address, these gigafactories centralise GPU clusters, cooling systems, and datasets for frontier AI research.
Initial pilots target 100-megawatt scales, with France and Germany leading site nominations. The total investment envelope exceeds €20 billion through 2027, with funding drawn from the Recovery and Resilience Facility, the Digital Europe Programme and private capital. AI infrastructure initiatives such as gigafactories are expected to operate within the broader AI regulatory framework, including where general-purpose AI models are developed or deployed.
AI Act Service Desk and Single Information Platform
To support organisations navigating the new regulatory landscape, the Commission launched the AI Act Service Desk and Single Information Platform in October 2025. The platform serves as a central hub where stakeholders can find all relevant information on the AI Act, navigate its content and access tailored guidance on implementation.
The platform includes the Compliance Checker, an interactive tool that helps stakeholders determine whether they are subject to legal obligations and understand the steps needed to comply. An AI Act Explorer allows users to browse through different chapters, annexes and recitals of the AI Act in an intuitive way.
Stakeholders can also submit questions to the AI Act Service Desk, a team of expert professionals working in close cooperation with the AI Office. The platform is currently available in English, French, and German. It will be available in all 24 EU official languages. The platform's early release ahead of the Article 62 statutory deadline of August 2026 reflects the Commission's push to accelerate readiness among both regulators and businesses.
EU AI Act: what organisations should do now
Organisations should not delay preparations or wait until formal enforcement begins. Instead, this is an opportunity to assess how the AI Act applies to your activities, identify gaps in governance and documentation, and begin aligning internal processes with the emerging regulatory expectations.
If your organisation is developing or deploying AI systems in the EU, you should consider the following steps:
- Map applicable obligations; use the AI Act Compliance Checker to determine whether your systems fall within the Act's scope and under which risk classification
- Prepare for transparency requirements by assessing your AI-generated content workflows, implement provider-side marking or deployer-side disclosure measures, and consider signing the Code of Practice to help demonstrate compliance
- Identify and map likely competent authorities as multiple regulators may have oversight depending on your sector, and update governance and incident response processes accordingly
- Although voluntary, the AI Pact and GPAI Code of Practice offer opportunities to demonstrate early compliance and gain legal certainty ahead of mandatory enforcement
- Monitor the Digital Omnibus and DNA as they progress through the ordinary legislative procedure as this will shape the broader regulatory and infrastructure environment
If you can begin preparing now by understanding your responsibilities and building the right capabilities, you will be in the strongest position to adapt to these legislative changes and their enforcement.
We would be delighted to talk to you about how we can help you understand and comply with the requirements of the EU AI Act. Please complete the form below or contact Christopher Beveridge.