EU AI Act’s Latest Provisions Take Effect

by The Delta News

The European Union has reached another major milestone in the staged rollout of the Artificial Intelligence Act, Regulation (EU) 2024/1689, the world’s first comprehensive and binding legal framework specifically targeting artificial intelligence. Adopted in 2024 after years of negotiation, the Act’s provisions have been deliberately phased in to allow governments, regulators, and industry stakeholders time to adapt to its far-reaching requirements.

On 2 August 2025, a new wave of obligations entered into force, marking the second significant application date after the initial ban on certain AI practices took effect in February this year. This latest stage introduces core institutional and governance mechanisms, expands oversight for general-purpose AI (GPAI) systems, and enforces the EU’s first AI-specific penalty regime.

The date represents a live case study in regulatory sequencing, institutional capacity-building, and cross-border coordination within the EU’s single market. For businesses, it signals an immediate need to reassess compliance readiness, particularly for developers and deployers of AI systems with broad capabilities.




Establishment of the EU’s AI Office and AI Board

While the European Commission had already created the AI Office by decision in January 2024, the institution became fully operational on 2 August 2025. Housed within the Commission, the AI Office serves as the central enforcement and coordination hub for the Act, with a mandate that includes monitoring systemic risks posed by GPAI models, fostering consistent enforcement across the EU, and liaising with both national regulators and industry.

The AI Office’s work is reinforced by the newly convened AI Board, a formal coordination body comprising representatives from all EU Member States. The Board’s purpose is to advise the Commission, share best practices, and ensure harmonized application of the Act’s requirements across diverse national regulatory environments.

National Authorities Take on Market Supervision

By 2 August 2025, every Member State was required to formally designate at least one national market surveillance authority and one notifying authority, both tasked with monitoring compliance at the domestic level. These authorities must maintain publicly accessible contact information and report their operational capacity, including financial and staffing resources, to the European Commission every two years.

This dual-layered governance structure, EU-level oversight through the AI Office and AI Board, combined with Member State market supervision, is intended to balance central coordination with localized enforcement capability.

The same date also marked the launch of the EU’s scientific panel of independent experts, established under Implementing Regulation (EU) 2025/454. Although its full operation may be subject to delays, the panel will provide the AI Office with scientific and technical advice on GPAI risks, including the power to issue formal “qualified alerts” where systemic hazards are detected. The Commission is still recruiting additional members, with applications open until mid-September 2025.

New Compliance Duties for GPAI Providers

Perhaps the most commercially significant change is the activation of GPAI-specific obligations. From 2 August 2025, providers of certain GPAI models, defined as models capable of performing a wide range of distinct tasks, must meet documentation, copyright, and transparency standards. Models already available on the market before this date benefit from a two-year grace period.

The obligations include creating and maintaining detailed technical documentation, implementing policies to ensure compliance with EU copyright and related rights, and publishing summaries of the datasets used for training the models. These requirements apply regardless of whether a model is formally classified as presenting systemic risk.

However, GPAI models with “high-impact capabilities” face even stricter measures. Such models are typically identified where the computational power used in training exceeds a defined threshold, measured in floating point operations. Providers must adopt risk management policies, conduct regular model evaluations, maintain robust cybersecurity measures, and report serious incidents to the AI Office.




The European Commission has issued a voluntary GPAI Code of Practice, offering practical compliance guidance, along with interpretative guidelines clarifying when an AI system is considered general-purpose. The Code covers three primary subjects, organized into three main chapters: transparency, copyright, and safety / security. These documents, while non-binding, may serve as valuable tools in demonstrating a good-faith compliance posture.

Enforcement and Penalties

The August 2025 milestone also activated the EU AI Act’s penalty framework. Competent authorities are now empowered to impose administrative fines that, depending on the infringement, can reach the higher of a fixed amount or a percentage of global annual turnover:

  • Up to EUR 35 million or 7 percent for prohibited AI practices
  • Up to EUR 15 million or 3 percent for other key breaches
  • Up to EUR 7.5 million or 1 percent for providing false or misleading information to regulators

The penalty provisions for GPAI providers will only become enforceable from August 2026, aligning with the broader enforcement powers that apply to GPAI-specific obligations.

One unresolved question is the practical mechanism for applying these penalties. Under Article 99, Member States are required to define their own enforcement rules, including warnings and non-monetary sanctions. Without these national measures in place, certain EU-level penalty powers may remain dormant until further legislative alignment occurs.

Strategic Considerations for Businesses

Organizations operating within or selling AI systems into the EU should now be:

  • Identifying whether their products qualify as GPAI models
  • Preparing the technical documentation required under the Act
  • Aligning internal governance with the EU AI Act’s institutional framework
  • Tracking the outputs of the AI Office, AI Board, and national regulators to anticipate enforcement trends

This is particularly urgent for entities intending to launch or scale AI products in the EU before the next major application date in August 2026.

Global Context

Although the EU AI Act is currently the most comprehensive AI regulation in force, global regulatory approaches remain highly fragmented. The European Commission’s own “AI Laws of the World” guide, updated for Q3 2025, documents regulatory activity in over 40 countries, revealing wide variations in legal frameworks but also recurring themes around transparency, safety, and human oversight.

The staggered implementation of the EU AI Act offers a unique longitudinal dataset on how regulatory ecosystems mature. For industry, it underscores the necessity of building compliance architectures that can adapt to multiple jurisdictions simultaneously.

As the EU advances toward the August 2026 phase, which will activate the majority of substantive compliance obligations, both policymakers and market participants will be watching closely to see whether the enforcement structures now in place can meet the scale and speed of AI innovation.

