European Union — Top-Level Rules
📍 This page covers EU-level rules only (directly applicable across 27 member states)
For member-state implementation, competent authorities, and national AI laws, see EU Member States.
The two-tier hierarchy of EU AI governance (New Legislative Framework)
See Methodology §2 · EU. Since the NLF of 1985, the EU has followed a standard paradigm:
- Secondary legislation (Regulation / Directive): establishes “essential requirements”
- Harmonized standards (hEN): translate essential requirements into verifiable technical specifications; once referenced in the OJEU they produce a presumption of conformity (AI Act Art. 40)
Other implementation mechanisms (do not form an independent tier):
- Treaty layer (TEU / TFEU / Charter of Fundamental Rights): constitutional backdrop; does not directly generate AI governance obligations
- Commission Implementing / Delegated Acts: fill in technical detail for secondary legislation
- Codes of Practice (e.g., the GPAI CoP): transitional compliance path pending hEN availability
- Commission Guidelines / AI Office Guidelines: explain enforcement expectations
- Member-state DPA / MSA enforcement: the on-the-ground landing of hard law
Included pages
AI-specific regulation
- EU AI Act (Regulation 2024/1689) — the world’s first horizontal AI regulation; entered into force 2024-08-01; phased application 2025-02 / 2025-08 / 2026-08 / 2027-08
- GPAI Code of Practice — Code of Practice under AI Act Art. 56, finalized 2025-07-10; signing equates to a presumption of conformity
AI-relevant horizontal regulation / directive
- GDPR (2016/679) — foundational data protection law, applicable from 2018
- Digital Services Act (2022/2065) — platform content governance; VLOP systemic-risk assessment extends to generative AI
- Product Liability Directive (2024/2853) — AI systems expressly classified as “products”; strict liability applies
Legislative proposal (not yet adopted)
- Digital Omnibus Proposal (2025-11) — proposes delaying AI Act high-risk provisions by up to 16 months to 2027-12
Timeline (core)
| Date | Event |
|---|---|
| 2018-05-25 | GDPR applicable |
| 2022-10-19 | DSA published |
| 2024-02-17 | DSA applies fully to all intermediary services |
| 2024-07-12 | AI Act published in the Official Journal |
| 2024-08-01 | AI Act enters into force |
| 2024-12-08 | Product Liability Directive enters into force |
| 2025-02-02 | AI Act prohibited list (Art. 5) applies |
| 2025-07-10 | GPAI Code of Practice finalized |
| 2025-08-02 | AI Act GPAI provisions (Arts. 51-56) apply |
| 2025-11-19 | Digital Omnibus proposal released |
| 2026-08-02 | AI Act high-risk provisions originally scheduled (may be delayed to 2027-12 under the Digital Omnibus) |
Relationship with other jurisdictions
- Brussels Effect: the AI Act has de facto spread to U.S., UK, Japanese, and Brazilian legislation
- Transatlantic compliance: U.S. Voluntary Commitments + California SB 53 documentation can be reused against GPAI CoP
- U.S. Trump administration pushback: EO 14365 + AI Action Plan openly contest the Brussels Effect
- China: TC260-003 + AI Safety Governance Framework form a parallel but non-aligned path