Regulatory Updates
Latest EU AI Act and related regulation developments, guidance, and enforcement activity. Subscribe to be notified of material changes.
Stay current — critical updates ahead
GPAI Code of Practice final version and high-risk enforcement approaching in 2026.
GPAI Code of Practice — Second Draft Published
The EU AI Office published the second draft of the GPAI Code of Practice following the consultation period. Key updates include clarified systemic risk indicators, refined evaluation methodologies, and updated incident reporting templates. Providers of GPAI models with systemic risk are expected to align with the Code by August 2026.
AI Office Publishes First Guidance on Art. 26 Deployer Obligations
The European AI Office released non-binding guidance clarifying deployer obligations for high-risk AI systems under Article 26. Key clarifications: 'competent person' for human oversight does not require formal certification; fundamental rights impact assessment must be completed before first deployment (not just before procurement).
CEN-CENELEC Publishes First Harmonised Standard Work Programme
CEN-CENELEC published the rolling plan for harmonised standards under the EU AI Act mandate. ISO/IEC 42001 (AI Management System) is confirmed as the primary reference standard. First harmonised standards are expected for publication in the Official Journal in late 2026, creating presumption of conformity under Art. 40.
Prohibited AI Practices Enforcement Begins (Feb 2, 2025 + 12 months)
Market surveillance authorities in multiple EU member states announced their readiness to enforce Art. 5 prohibited practices, which became applicable on February 2, 2025. Early focus is on biometric categorisation systems and social scoring. No public enforcement actions taken yet, but several investigations reportedly opened.
EU AI Office Designates GPAI Models with Systemic Risk (First List)
The EU AI Office officially designated the first set of GPAI models as having systemic risk under Art. 51(1)(a) (models trained with >10²⁵ FLOPs). Affected providers notified directly. The designation triggers obligations under Art. 55 including adversarial testing and incident reporting.
CRA Implementing Act on Vulnerability Reporting Published
The European Commission published an implementing act specifying the technical details of vulnerability disclosure under the Cyber Resilience Act (Art. 14 CRA). Manufacturers of products with digital elements (including AI-enabled IoT) must report actively exploited vulnerabilities to ENISA within 24 hours.
GPAI Transparency Obligations Become Applicable
Articles 53–55 of the EU AI Act became applicable, covering GPAI model transparency obligations. Providers must maintain technical documentation, publish summaries of training data, and comply with copyright policy requirements. Models released under open-source licences with weights below the systemic risk threshold have reduced obligations.
AI Office Opens GPAI Model Registration System
The EU AI Office opened the first version of the GPAI model database for registration. Providers can now submit model information under Art. 51. The database is currently in a pre-production mode; formal registration requirements become legally binding from August 2025.
AI Act Prohibited Practices (Art. 5) Become Applicable
After a 6-month grace period from the entry into force date, Art. 5 prohibitions became applicable across all EU member states. The eight prohibited practices include: subliminal manipulation, exploitation of vulnerabilities, social scoring, real-time remote biometric identification in public spaces (with exceptions), emotion recognition in workplace/education, and certain predictive policing uses.
EU AI Act Enters into Force
Regulation (EU) 2024/1689 — the EU Artificial Intelligence Act — entered into force on August 1, 2024 (20 days after publication in the Official Journal). The main compliance obligations apply on a phased timeline, with most obligations for high-risk AI systems applying from August 2, 2026.
About this tracker
This page summarises key regulatory developments affecting EU AI Act compliance. For official sources, see: European Commission AI policy and EUR-Lex full text . Content is for informational purposes only and is not legal advice.