The EU AI Act has moved from political negotiation to implementation. After three years, the European Parliament voted to approve the law, and the next phase will test whether regulators and companies can turn broad rules into practical oversight.
The law is expected to enter into force in May. People living in the EU should begin seeing changes by the end of the year, while companies may have up to three years to comply with some obligations.
Some AI uses will be banned first
The AI Act places limits on AI systems that can threaten fundamental rights. The source identifies health care, education, and policing as areas where high-risk uses are especially important because decisions can affect people in serious and personal ways.
Some uses described as posing an “unacceptable risk” will be outlawed by the end of the year. These include AI systems that use “subliminal, manipulative, or deceptive techniques to distort behavior and impair informed decision-making,” as well as systems that exploit vulnerable people.
The law also bans systems that infer sensitive characteristics such as someone’s political opinions or sexual orientation. Real-time facial recognition software in public places is also banned, as is the creation of facial recognition databases by scraping the internet à la Clearview AI.
Those bans come with important exceptions. Law enforcement agencies can still use sensitive biometric data and facial recognition software in public places to fight serious crime, such as terrorism or kidnappings. Companies and schools are not allowed to use software that claims to recognize people’s emotions, but they can use it for medical or safety reasons.
That is why some civil rights organizations are dissatisfied. Access Now has called the AI Act a “failure for human rights” because it did not fully ban controversial uses such as facial recognition.
AI interactions should become easier to spot
The law also focuses on transparency. Tech companies will have to label deepfakes and AI-generated content, and they must notify people when they are interacting with a chatbot or another AI system.
The AI Act will also require companies to build AI-generated media in a way that makes detection possible. That requirement could support work on watermarking and content provenance, two areas that matter in the fight against misinformation.
But the source makes clear that this part of the law faces a technical gap. Watermarks are still experimental and easy to tamper with. It is still difficult to reliably detect AI-generated content.
Some approaches show promise, including the C2PA, an open-source internet protocol. Even so, provenance techniques still need more work before they can become reliable, and the industry still needs broader standards.
People in the EU get a new complaint path
The AI Act will create a new European AI Office to coordinate compliance, implementation, and enforcement. That office is one of the institutional pieces needed before the law can work in practice.
For citizens, one of the most direct changes is the ability to submit complaints about AI systems when they suspect they have been harmed. People can also receive explanations about why AI systems made the decisions they did.
This is a first step toward giving people more agency in an automated world. But it also depends on awareness. The source notes that citizens will need a decent level of AI literacy and some understanding of algorithmic harms, which remain foreign and abstract concepts for many people.
Transparency duties will hit some companies harder
Most AI uses will not require compliance with the AI Act. The most significant obligations apply to AI companies developing technologies in “high risk” sectors, such as critical infrastructure or health care.
When the act fully comes into force in three years, those companies will face duties involving better data governance, human oversight, and assessments of how systems affect people’s rights.
Companies developing “general-purpose AI models,” such as language models, will also need to create and keep technical documentation. That documentation must show how the model was built, how the company respects copyright law, and include a publicly available summary of what data went into training the AI model.
This changes the current status quo described in the source, where tech companies are secretive about training data. It will also require changes to the AI sector’s messy data management practices.
The companies with the most powerful AI models, such as GPT-4 and Gemini, will face more demanding requirements. These include model evaluations, risk-assessments and mitigations, cybersecurity protection, and incident reporting when an AI system fails.
Companies that do not comply may face huge fines, or their products could be banned from the EU. At the same time, free open-source AI models that share every detail of how they were built, including architecture, parameters, and weights, are exempt from many obligations.
The hardest part starts after approval
The final vote ends one phase of the AI Act, but it does not settle every practical question. Regulators still need to get set up, and companies need to interpret what the new requirements mean for their systems, documentation, and public communication.
The law will be judged not only by what it bans, but by whether people can understand when AI is being used, challenge harmful decisions, and trust that the highest-risk systems are being watched closely. The AI Act is now approved; the implementation work is what comes next.