EU AI Act 2025: Obligations Now in Force (Feb & Aug Milestones)

EU AI Act 2025: What changed on Feb 2 & Aug 2—bans, AI literacy, GPAI transparency, systemic-risk duties, penalties, and a quick compliance checklist.

What changed in 2025

• Feb 2, 2025: The ban on “prohibited AI practices” and the new AI literacy duty started to apply.
• Aug 2, 2025: GPAI (general-purpose AI) rules and governance provisions kicked in, including transparency, copyright policies, technical documentation, and extra duties for systemic-risk models; models already on the market before this date must comply by Aug 2, 2027.
• The EU confirmed no delay to the 2025 timeline; a voluntary Code of Practice exists to help GPAI providers (original target May 2, 2025; may slip to late-2025).

---

What went live on February 2, 2025

1) Prohibited AI practices (you must stop these now)

Banned categories include (non-exhaustive):

• Manipulation & deception that significantly distorts behaviour.
• Exploitation of vulnerabilities (age, disability, socio-economic).
• Biometric categorisation inferring sensitive traits (e.g., race, religion, sexual orientation).
• Social scoring of individuals or groups.
• Predictive criminality based solely on profiling/personality.
• Untargeted scraping of facial images from the internet/CCTV to build recognition databases.
• Emotion recognition in workplaces or schools (narrow safety/medical carve-outs).
• Real-time remote biometric identification in public for law enforcement (very narrow exceptions).

2) AI literacy requirement (applies broadly)

Providers and deployers must ensure a sufficient level of AI literacy for staff and others operating/using AI on their behalf (training proportionate to risk, role, and context). The Commission published practical Q&A guidance in August 2025.

---

What went live on August 2, 2025

GPAI & “systemic-risk” model obligations

• GPAI transparency & copyright: technical documentation, training-data summaries, and copyright-policy requirements when placing models on the EU market.
• Systemic-risk models (e.g., very compute-intensive, ≥10²⁵ FLOP) must meet additional safeguards (risk assessments, adversarial testing, incident reporting, cybersecurity).
• Grandfathering: GPAI models already on market before Aug 2, 2025 must comply by Aug 2, 2027. Digital Strategy

The Commission says the 2025 dates stand (despite industry calls to pause). A voluntary Code of Practice supports GPAI compliance. Reuters+1

---

Timeline at a glance

• Aug 1, 2024 — AI Act enters into force.
• Feb 2, 2025 — Prohibited practices + AI literacy apply.
• May 2, 2025 (target) — Codes of Practice foreseen by law (may slip toward end-2025).
• Aug 2, 2025 — GPAI & governance rules apply.
• Aug 2, 2026 — Many remaining rules become applicable (general “full” applicability), with exceptions.
• Aug 2, 2027 — Extended deadline for some high-risk AI (embedded in regulated products) and compliance for pre-2025 GPAI models.

---

Who must comply?

The Act applies across the AI value chain: providers, deployers, importers, distributors, product manufacturers, and authorised representatives. It also has extraterritorial reach—non-EU companies fall in scope if they place models/systems on the EU market or if the output is used in the EU.

---

Penalties (yes, they’re big)

• Prohibitions: up to €35M or 7% of worldwide annual turnover (whichever is higher).
• Other breaches: up to €15M or 3%; incorrect information: up to €7.5M or 1%.
  SMEs/startups benefit from proportionate caps.

---

Compliance checklist (fast start)

1. Map your AI: inventory systems/models, their use cases, and risk categories.
2. Cease prohibited uses immediately; log decisions and rationale.
3. Launch AI literacy: role-based training, usage SOPs, human-oversight playbooks.
4. GPAI prep (if relevant): assemble technical documentation, copyright policy, training-data summary; plan for security, testing & incident reporting if your model could be systemic-risk.
5. Assign accountability: name owners for provider vs deployer obligations; align importers/distributors if you place high-risk systems on the EU market.
6. Watch the Code of Practice updates to operationalize requirements efficiently.

---

FAQ

1) Does the EU AI Act apply to non-EU companies?

Yes. It applies if you place systems/models on the EU market or if your system’s output is used in the EU—even if you’re based elsewhere.

2) What exactly changed in February 2025?

The prohibited-practices ban and AI literacy duty took effect EU-wide. That includes bans on social scoring, untargeted facial-image scraping, emotion recognition in work/education, and more.

3) What went live in August 2025 for GPAI?

Transparency + copyright duties for GPAI; systemic-risk models have extra safeguards. Models already on market before Aug 2, 2025 must comply by Aug 2, 2027.

4) Who needs AI literacy and what counts?

Providers and deployers must ensure a sufficient level of AI literacy for staff/contractors operating or using AI on their behalf; the Commission’s Q&A gives practical direction.

5) What are the fines for non-compliance?

Up to €35M or 7% of worldwide turnover for prohibited practices; €15M or 3% for other violations; €7.5M or 1% for misleading information.

Sources & further reading

• EU application timeline (what applied in Feb/Aug 2025; 2026/2027 phases). Digital Strategy
• Act enters into force (Aug 1, 2024). European Commission
• Prohibited practices (Article 5 + Commission guidance). Artificial Intelligence Act+1
• GPAI rules & systemic-risk models (Aug 2, 2025). Digital Strategy
• Codes of Practice timeline & likely delay; no pause to rollout. Reuters+1
• AI literacy duty. Digital Strategy
• Scope/extraterritorial reach. Artificial Intelligence Act+1
• Penalties (Art. 99). Artificial Intelligence Act