AI Regulation in Europe: The EU AI Act

·

Regulation (EU) 2024/1689, known as the Artificial Intelligence Act or AI Act, is the first horizontal legal framework in the world to regulate artificial intelligence. It was published in the Official Journal of the European Union on 12 July 2024 and entered into force on 1 August 2024, with a phased application that culminates in August 2027. For any organisation that develops, markets or uses AI systems in the European single market, failing to understand this regulation has shifted from being merely a recommendation to a legal obligation, with penalties that can reach 35 million euros or 7% of total worldwide annual turnover.

Unlike the GDPR, which regulates personal data, the AI Act regulates products and uses: it classifies AI systems according to the risk they pose to health, safety and fundamental rights. This risk-based approach is the backbone of the whole regulation and determines which obligations fall on each provider and each professional user (what the regulation calls the deployer).

The risk-based approach: four levels

The AI Act defines four risk categories, each with a distinct legal regime. Understanding which level a system falls into is the first step in any compliance analysis.

Obligations for high-risk systems

If a system falls into the high-risk category, the provider must meet the requirements of Articles 8 to 15 before placing the product on the market. In practice, this translates into a concrete set of technical and documentary measures:

Before marketing the product, the provider must carry out a conformity assessment, draw up the EU declaration of conformity, affix the CE marking and register the system in the EU public database. The harmonised standard that will serve as the technical reference is ISO/IEC 42001, the first international standard for AI management systems, which offers an auditable framework closely aligned with the requirements of the regulation.

General-purpose AI models (GPAI)

Chapter V introduces specific obligations for foundation or general-purpose models, applicable since 2 August 2025. Every provider of a GPAI model must produce technical documentation, a copyright compliance policy and a sufficiently detailed summary of the content used in training. Models that exceed the threshold of 10²⁵ floating-point operations (FLOP) of training compute are considered to pose a systemic risk and take on reinforced obligations: model evaluation, adversarial testing (red teaming), serious incident reporting and cybersecurity protection of the model weights.

The European Commission has promoted a Code of Practice for General-Purpose AI that allows providers to demonstrate compliance with these obligations while the harmonised standards are being finalised. Adhering to the code is not mandatory, but it offers legal certainty and reduces the burden of proof before the supervisory authority, which in the case of GPAI models lies with the European AI Office itself rather than with national authorities.

Relationship with the GDPR: two frameworks that add up

A common misconception is to think that the AI Act replaces or relaxes the GDPR. The opposite is true: both apply cumulatively. If an AI system processes personal data (almost inevitable in biometrics, recruitment or credit scoring), it must comply simultaneously with the obligations of Regulation (EU) 2024/1689 and those of the GDPR, including the lawful basis for processing, the data protection impact assessment (DPIA) and the rights of the individuals concerned. In Spain, this requires coordinating compliance between the product logic of the AI Act and the personal-data logic supervised by the AEPD, avoiding treating the two frameworks as watertight compartments.

The application timeline in Spain

The regulation is directly applicable in all Member States, but its rollout is gradual. These are the dates every organisation should mark on its calendar:

DateMilestone
2 Feb 2025Prohibited practices and AI literacy obligations (Art. 4)
2 Aug 2025GPAI model obligations and the governance and penalties regime
2 Aug 2026General application of the regulation, including Annex III high-risk systems
2 Aug 2027High-risk systems embedded in regulated products (Annex I)

Spain was a pioneer in creating the Spanish Agency for the Supervision of Artificial Intelligence (AESIA), headquartered in A Coruña, designated as the national market surveillance authority. AESIA coordinates its work with the Spanish Data Protection Agency (AEPD) whenever a system processes personal data, since the AI Act does not replace the GDPR but applies alongside it.

Steps to prepare for compliance

A realistic roadmap for a Spanish company that uses AI should follow this sequence:

  1. Inventory. Catalogue all AI systems in use or under development, whether developed in-house or by third parties.
  2. Risk classification. Assign each system to one of the four levels and document the reasoning.
  3. Gap analysis. Compare the current state against the requirements of the regulation for high-risk systems.
  4. Implementation of controls. Risk management, data governance, human oversight and logging, ideally under the umbrella of ISO/IEC 42001.
  5. Training. Meet the AI literacy obligation in Article 4 for the staff involved.
  6. Ongoing governance. Appoint owners, establish periodic reviews and an incident reporting channel.

Common mistakes worth avoiding

The first is assuming that the regulation only affects the big tech companies: the deployer (the company that uses the system, even if it did not build it) also has obligations. The second is confusing GDPR compliance with AI Act compliance; they are distinct, cumulative frameworks. The third is downgrading a system's classification to evade obligations, a decision that AESIA can review and sanction. The fourth is overlooking documentation: without traceability and without logs, demonstrating compliance during an inspection becomes impossible, even if the system is technically sound.

Frequently asked questions

Does the AI Act apply to companies outside the EU? Yes. Like the GDPR, it has extraterritorial reach: it affects any provider or deployer whose output is used within the single market, regardless of where they are established.

Does an SME that only uses a commercial chatbot have obligations? If the chatbot is limited risk, the main obligation is transparency: informing the user that they are interacting with an automated system. It does not need a conformity assessment, but it should verify that the provider meets its own obligations.

Is ISO/IEC 42001 mandatory? It is not mandatory in itself, but certifying provides a reasonable presumption of due diligence and makes it easier to demonstrate compliance with the requirements of the regulation, especially once the harmonised standards that formally connect it to the AI Act are published.

What happens if you fail to comply in time? Penalties scale with the infringement: up to 35 million euros or 7% of turnover for prohibited practices, up to 15 million or 3% for breaching high-risk obligations, and up to 7.5 million or 1% for supplying incorrect information to the authorities.

Conclusion

The EU AI Act is not a formality you settle by signing a document: it is a shift in approach that requires classifying each system, documenting how it works and demonstrating human control over decisions that affect people. Organisations that begin their inventory and gap analysis now will reach August 2026 with room to spare; those that wait until the final quarter will find themselves competing for scarce audit and conformity resources. At Summum we support risk classification, the gap analysis against Regulation (EU) 2024/1689 and the implementation of a management system aligned with ISO/IEC 42001, so that regulatory compliance stops being a reactive burden and becomes a verifiable guarantee for clients and supervisors alike.