
AI Act: European Regulation on Artificial Intelligence

The AI Act is the world's first comprehensive and binding legal framework regulating artificial intelligence. Definitively adopted by the European Parliament on 13 March 2024 after more than three years of negotiations, the regulation classifies AI systems into four risk levels (unacceptable, high, limited, minimal) and imposes specific obligations on general-purpose AI models (GPAI) that underpin the generative AI ecosystem. Its implementation will unfold through to 2027, with key milestones in February 2025, August 2025, and August 2026.

Complete guide

AI Act Implementation Timeline

The rollout of the AI Act follows a phased schedule stretching from 2 February 2025 to the end of 2027. This gradual approach is designed to give economic actors time to comply, while swiftly activating the most urgent protections.

  • 2 February 2025: Entry into force of prohibitions (Article 5) and AI literacy obligations (Article 4). Prohibited AI practices (subliminal manipulation, exploitation of vulnerabilities, social scoring, real-time remote biometric identification in public spaces) become illegal throughout the EU.
  • 2 August 2025: Entry into force of specific obligations for general-purpose AI models (GPAI) providers. This is the most structurally significant step for the generative AI ecosystem.
  • 2 August 2026: Application of rules for high-risk AI systems listed in Annex III (recruitment, scoring, justice, education, etc.) and creation of national supervisory authorities.
  • 2 August 2027: Application of rules to high-risk AI systems integrated into already regulated products (medical devices, vehicles, toys, etc.) under the New Legislative Framework.

Obligations for General-Purpose AI Models (GPAI)

Outlined in Chapter V of the regulation, GPAI obligations are at the heart of foundation model regulation. Any provider of a general-purpose AI model placed on the European market (including open source models, with partial exemptions) must:

  • maintain up-to-date technical documentation describing the model architecture, training process, computing resources used, and evaluation metrics;
  • publish a sufficiently detailed summary of the content used for training, especially data protected by copyright;
  • implement a copyright compliance policy, notably by respecting opt-outs expressed by rightsholders under Directive (EU) 2019/790 (neighboring rights and text and data mining exception);
  • cooperate with the European AI Office and competent national authorities.

For systemic risk models (identified by a training compute threshold above 10²⁵ FLOPS or designated by the Commission), additional requirements apply: continuous risk assessment, standardized adversarial testing (red-teaming), cybersecurity measures, reporting of serious incidents to the AI Office, and publication of an energy performance report. As of the entry into force in August 2025, GPT-4, Gemini Ultra, Claude 3 Opus, and Llama 3.1 405B fell within scope. The threshold may be revised by the Commission to reflect the evolving state of the art.

GPAI Code of Practice

To facilitate compliance with Articles 53 and 55 ahead of the adoption of harmonized standards, the European Commission launched the drafting of a Code of Practice for General-Purpose AI Models in July 2024. Coordinated by the AI Office and involving thirteen independent experts and over a hundred consulted organizations, the code went through several interim versions before its final publication on 10 July 2025.

The code is structured around three pillars: transparency (publication of technical information for deployers and the public), copyright (operational procedures for respecting opt-outs), and safety/security for systemic risk models. Adoption is voluntary but creates a presumption of compliance: a provider following the code is considered to meet the corresponding requirements. Leading American and European labs agreed to align with its provisions, with the notable exception of Meta, which refused to sign in July 2025, citing incompatibility with its practices on Llama. Google and Anthropic signed with reservations, while OpenAI, Mistral AI, and Microsoft offered full support.

Article 53 and the Copyright Question

Article 53 has become the focal point of debate over the coexistence of generative AI and creative industries. Its §1(c) requires GPAI providers to implement a copyright compliance policy, while §1(d) mandates the publication of a sufficiently detailed summary of training content, following a template provided by the AI Office.

In practice, the mechanism relies on the TDM exception (text and data mining, Article 4 of Directive 2019/790) and machine-readable opt-out. Rightsholders wishing to prevent their works from being used for AI model training must express this reservation in a machine-readable format, typically via a robots.txt file, an HTTP header, or metadata embedded in the work. Several initiatives (W3C's TDM Reservation Protocol, ai.txt, C2PA) offer competing standards, with none having prevailed by 2026.

French rightsholders dispute the effectiveness of the system. SACEM, SCAM, SACD, and SDRM have denounced the information asymmetry and the lack of effective sanctions for non-compliance with opt-outs. In May 2026, the rejection in the National Assembly of the Darcos bill, which sought to introduce a reversed burden of proof mechanism (presumption of use of works in the absence of transparency) via Article L. 331-4-1 of the Intellectual Property Code, left rightsholders without a national legislative recourse, referring them back to strict enforcement of Article 53 by the European Commission.

Governance: AI Office and European AI Board

The AI Act establishes two central European bodies. The European AI Office, created by Commission decision in May 2024 and attached to DG CONNECT, oversees implementation of the regulation for GPAI and systemic risk models. It issues the code of practice, monitors providers, investigates complaints, and can impose sanctions. At its inception, it had around a hundred staff and was headed by Lucilla Sioli.

The European AI Board brings together representatives of the national supervisory authorities from all 27 Member States. Its first official meeting was held in September 2024. The Board coordinates between Member States, harmonizes interpretation of the regulation, and advises the Commission. An Advisory Forum gathering industry, civil society, academia, and SMEs complements the structure.

At the national level, each Member State designates one or more competent authorities. In France, the CNIL coordinates application of provisions relating to personal data, while DGCCRF and DGE oversee product and internal market matters. An interministerial coordination group was announced in 2025 but had not been formalized at the time GPAI rules entered into force.

Sanctions and Enforcement

The AI Act provides for a scale of sanctions calibrated to the severity of non-compliance:

  • up to 35 million euros or 7% of annual global turnover (whichever is higher) for non-compliance with prohibited practices (Article 5);
  • up to 15 million euros or 3% for non-compliance with obligations applicable to high-risk systems, GPAI, and transparency;
  • up to 7.5 million euros or 1% for providing incorrect information to authorities.

SMEs and startups benefit from a proportionate cap: the lower of the two amounts applies. The first formal proceedings are expected to be opened by the AI Office at the end of 2026, after the progressive compliance phase.

Impact on the Ecosystem: Industry, Open Source, Research

The AI Act has profoundly reshaped the European AI ecosystem. For large enterprise users (banks, insurance, healthcare, HR), compliance must now be built in from the design stage, an approach known as compliance by design, which involves mapping AI use cases, conducting impact assessments, maintaining technical documentation, and establishing internal governance. Firms such as Wavestone, France Digitale, and Gide published practical guides as early as February 2024 to support this upskilling.

For open source model providers, the regulation grants partial exemptions from GPAI obligations when parameters, architecture, and usage information are made public, except for systemic risk models. A coalition of European open source actors (Hugging Face, GitHub, Mistral, La Quadrature du Net) called for a more flexible framework in July 2023 to safeguard collaborative innovation. The final compromise maintains these exemptions while requiring publication of the training data summary and copyright policy, complicating large-scale deployment for very large corpus models.

For European champions (Mistral AI, LightOn, Aleph Alpha, Black Forest Labs), the AI Act poses a dual challenge: achieving compliance within tight deadlines while continuing to train competitive models against OpenAI, Anthropic, or Google. Several voices, including Arthur Mensch (Mistral AI), have warned of a risk of European deindustrialization if regulatory burdens become disproportionate compared to those outside the EU. Conversely, Yoshua Bengio, Raja Chatila, and Nicolas Miailhe argue that strict oversight is crucial to safeguard European strategic autonomy and public trust.

The AI Act in the International Landscape

The AI Act fits into a fragmented international landscape. In the United States, Biden's Executive Order of October 2023 was largely repealed by the Trump administration in January 2025, leaving federal agencies and states (notably California with SB 1047) to build sectoral or local approaches. China, as early as August 2023, imposed a pre-approval system for consumer-facing generative AI models, having approved over 190 LLMs at the cost of political control over generated content.

The United Kingdom has opted for a principles-based approach implemented by existing sectoral regulators, with no specific legislation to date. Brazil, Canada, Japan, and South Korea are developing their own frameworks, often inspired by the European risk-based approach. The Brussels effect (the de facto extraterritoriality of European regulations when international providers choose to align globally rather than manage multiple regimes) is expected to play out as with the GDPR, though it remained unmeasurable in 2026.

Several international summits have marked this process: the AI Safety Summit at Bletchley Park (November 2023), the Seoul AI Safety Summit (May 2024), and the AI Action Summit in Paris (February 2025). All confirmed the absence of a global consensus on regulation, while highlighting the EU's special responsibility as the first regulator to adopt binding legislation.

Outlook for 2026-2027

The critical issues for the next 18 months include:

  • the publication of the training data summary template by the AI Office, with initial consultative versions challenged by rightsholders as insufficiently granular;
  • the first formal investigations opened against GPAI providers, expected by the end of 2026;
  • the effective designation of national supervisory authorities in all Member States, with some still being set up as of May 2026;
  • harmonized standards under development at CEN-CENELEC JTC 21, which will provide legal certainty for high-risk system providers;
  • the emerging case law on the interplay between the AI Act, GDPR, and copyright, particularly around the ongoing Meta-Llama, Stable Diffusion-Getty, and OpenAI-NYT cases.

The AI Act is not an end in itself but a living framework. It is scheduled for review every four years, with the first expected in 2028. Its success will be measured less by the letter of the law than by its ability to balance the protection of fundamental rights, industrial innovation, and European technological sovereignty.

Frequently asked questions

When did the AI Act enter into force?

The regulation entered into force on August 1, 2024, twenty days after its publication in the Official Journal of the European Union on July 12, 2024. Its application is phased until August 2027 depending on the type of systems concerned: prohibitions effective from February 2, 2025, GPAI obligations from August 2, 2025, and high-risk systems from August 2026.

Which AI models are classified as systemic risk?

A model is presumed to be systemic risk when it exceeds the threshold of 10²⁵ FLOPS of cumulative compute during training. At the start of the obligation in August 2025, GPT-4, Gemini Ultra, Claude 3 Opus, and Llama 3.1 405B were affected. The Commission may also designate other models based on qualitative criteria (number of users, modalities, evaluated capabilities).

What are the obligations for GPAI providers?

Any provider of a general-purpose model placed on the European market must maintain technical documentation, publish a detailed summary of training data, implement a copyright compliance policy, and cooperate with the AI Office. Systemic risk models add obligations of ongoing evaluation, adversarial testing, cybersecurity, and incident reporting.

How does the AI Act balance innovation and copyright?

Article 53 requires GPAI providers to respect opt-outs expressed by rightsholders under Directive 2019/790. This opt-out must be machine-readable (robots.txt, HTTP headers, metadata). French rightsholders contest the effectiveness of the mechanism, as the rejection of the Darcos bill in May 2026 left rightsholders without national legislative support.

What penalties do actors face in case of non-compliance?

Penalties go up to 35 million euros or 7% of annual worldwide turnover for prohibited practices, 15 million or 3% for breaches of obligations applicable to high-risk systems and GPAI, and 7.5 million or 1% for providing incorrect information. The higher amount applies to large companies, the lower to SMEs.

What is the GPAI code of good practice?

It is a reference document published on July 10, 2025, by the European Commission, developed by thirteen independent experts and over a hundred consulted organizations. Voluntary adoption provides a presumption of compliance with Articles 53 and 55. OpenAI, Mistral AI, Microsoft, Anthropic, and Google have signed it; Meta has refused.

Who supervises the application of the AI Act?

The European AI Office, attached to the European Commission (DG CONNECT), supervises GPAI providers and systemic risk models. The European AI Board brings together the national authorities of the 27 Member States. In France, the CNIL, DGCCRF, and DGE are the competent authorities depending on the area concerned.

Does open source benefit from exemptions?

Yes, models whose parameters, architecture, and usage information are published under a free license benefit from partial exemptions on GPAI obligations, except if the model is systemic risk. However, publication of the training data summary and the copyright policy remains mandatory for all open source models.

What did the Stop the Clock initiative request?

In July 2025, more than 150 leaders of European companies (including Carrefour, BNP Paribas, Airbus, and TotalEnergies) signed an open letter requesting a two-year moratorium on the application of the AI Act. They cited a risk of competitive disadvantage compared to American and Chinese actors. The European Commission rejected this request, maintaining the initial timeline.

What is the difference between the AI Act and the GDPR?

The GDPR governs the processing of personal data, while the AI Act governs the placing on the market and use of AI systems, whether or not they process personal data. Both texts apply cumulatively: a high-risk AI system processing personal data must comply with both AI Act obligations and GDPR principles (lawfulness, minimization, data subject rights).

When is the first revision of the AI Act planned?

The first four-yearly revision of the regulation is planned for 2028. The Commission will have to assess the effectiveness of the framework, the evolution of the technological state of the art, and whether to modify thresholds, lists of high-risk uses, and governance mechanisms.
