European Parliament Approves EU AI Act Risk-Based Framework

On June 14, 2023, the European Parliament approved the EU Artificial Intelligence Act with overwhelming support (499 in favor, 28 against, 93 abstentions), advancing the world's first comprehensive AI regulation toward final adoption. The legislation establishes a risk-based framework categorizing AI systems by potential harm, prohibits certain applications, regulates high-risk AI systems, and introduces requirements for general-purpose AI models including foundation models like GPT-4 and Claude.

Risk-Based Classification Framework

The EU AI Act categorizes AI systems into four risk levels: unacceptable risk (prohibited), high-risk (heavily regulated), limited risk (transparency obligations), and minimal risk (voluntary codes of conduct). Unacceptable risk systems include social scoring by governments, real-time biometric identification in public spaces (with narrow exceptions), emotion recognition in workplaces and schools, and AI systems exploiting vulnerabilities of specific groups.

High-risk AI systems span eight categories: biometric identification, critical infrastructure management, education and vocational training, employment and worker management, access to essential services, law enforcement, migration and border control, and administration of justice. These systems must undergo conformity assessments, maintain technical documentation, ensure human oversight, and demonstrate robustness and accuracy before market deployment.

Foundation Model Requirements

The Parliament negotiated specific provisions for general-purpose AI (GPAI) models and foundation models, responding to rapid developments in large language models. Foundation model providers must conduct model evaluations, assess and mitigate systemic risks, ensure cybersecurity protections, report energy consumption, and document training data including copyrighted materials used.

High-impact GPAI models—those with capabilities that could pose systemic risks—face additional requirements including adversarial testing, incident reporting, and state-of-the-art cybersecurity. The legislation requires transparency about AI-generated content, enabling users to distinguish human-created from synthetic content. Generative AI systems must disclose training data sources and implement safeguards preventing illegal content generation.

Compliance Obligations for Deployers

Organizations deploying high-risk AI systems must conduct fundamental rights impact assessments, ensure human oversight mechanisms, monitor system performance in real-world conditions, and report serious incidents to national authorities. Deployers bear responsibility for data governance, ensuring training and testing data is relevant, representative, and free from bias.

The Act establishes conformity assessment procedures based on existing EU product safety frameworks. High-risk AI systems require third-party conformity assessment for biometric identification and critical infrastructure, while other categories permit self-assessment. Providers must register high-risk systems in an EU-wide database, enabling transparency and regulatory oversight.

Governance and Enforcement Structure

The legislation creates an EU AI Office within the European Commission to oversee general-purpose AI models, coordinate member state authorities, and develop technical standards. National competent authorities enforce the Act within member states, with powers to conduct audits, request information, and issue fines. An AI Board comprising member state representatives coordinates enforcement and ensures consistent interpretation across the EU.

Penalties for non-compliance are substantial: violations of prohibited AI practices incur fines up to €35 million or 7% of global annual turnover, whichever is higher. Non-compliance with AI Act obligations results in fines up to €15 million or 3% of global turnover. Incorrect or incomplete information provided to authorities incurs fines up to €7.5 million or 1% of turnover.

Innovation and Regulatory Sandboxes

The Act establishes AI regulatory sandboxes—controlled environments where companies test AI systems under regulatory supervision before market deployment. Sandboxes enable startups and SMEs to innovate while demonstrating compliance with safety and fundamental rights requirements. Member states must establish at least one sandbox, with reduced regulatory burden for participants including faster approval processes and exemptions from certain data requirements.

The legislation includes exemptions for AI systems developed for research and development, not placed on the market. Open-source AI models receive lighter-touch regulation unless they are high-risk systems or foundation models with systemic impact. The Commission must publish guidance on free and open-source AI models within nine months of the Act's entry into force.

Global Implications and Extraterritorial Reach

The EU AI Act applies extraterritorially to providers and deployers outside the EU if their AI systems are used within EU territory or produce outputs used in the EU. Global technology companies including OpenAI, Google, Microsoft, and Amazon face compliance obligations for AI services offered to EU users. The regulation establishes a Brussels Effect, with global AI governance frameworks likely to converge toward EU standards.

Countries including Canada, Brazil, and Singapore reference the EU AI Act in developing domestic AI regulations. The risk-based approach influences AI governance discussions in the UK, which pursues a sector-specific regulatory model. The Act's transparency requirements for foundation models may drive global disclosure standards for training data and model capabilities.

Implementation Timeline and Readiness

Following Parliament approval, the Act proceeds to trilogue negotiations among Parliament, Council, and Commission to finalize legislative text. The legislation enters into force 20 days after publication in the Official Journal, with a phased implementation timeline. Prohibited AI practices apply six months after entry into force, foundation model requirements apply 12 months after, and high-risk system obligations apply 24-36 months after entry into force.

CTIOs should initiate AI system inventories, classify systems by risk level, and assess gaps against Act requirements. Organizations must establish AI governance frameworks, designate compliance officers, and implement documentation and testing procedures. Technical teams should develop bias testing methodologies, human oversight mechanisms, and incident reporting processes. Early compliance efforts position organizations to meet deadlines and avoid enforcement actions.

Related briefings

Curated signals from the same pillar or overlapping topics.

Policy · Credibility 40/100 · June 14, 2023

Policy Briefing — European Parliament adopts AI Act negotiation mandate

On 14 June 2023 the European Parliament approved its negotiating position on the EU AI Act, adding generative AI transparency duties, stricter biometric safeguards, and new copyright-related obligations before entering…

Policy · Credibility 40/100 · November 1, 2023

Policy Briefing — Bletchley Declaration sets AI safety cooperation agenda

Governments at the UK AI Safety Summit adopted the Bletchley Declaration on 1 November 2023, committing to international coordination on frontier model risks, information sharing, and evaluation infrastructure for safe…

Policy · Credibility 92/100 · December 6, 2022

Policy Briefing — EU AI Act Council General Approach

EU telecom ministers agreed the Council’s general approach to the AI Act, adding guardrails for general-purpose systems, biometric surveillance, and governance structures that companies must operationalise ahead of…

Policy · Credibility 40/100 · December 8, 2023

Policy Briefing — EU Institutions Reach Political Agreement on the AI Act

The European Parliament and Council struck a political deal on the AI Act on 8 December 2023, defining rules for high-risk systems, foundation models, and biometric safeguards ahead of formal adoption in 2024.

Policy · Credibility 88/100 · April 24, 2024

Policy Briefing — Brazil’s Senate Approves AI Legal Framework Bill

Brazil’s Senate approved Bill 2338/2023 on 24 April 2024, advancing a risk-based AI legal framework with transparency duties, sanctions, and fundamental-rights safeguards to the Chamber of Deputies.