EU Tightens AI Rules as Tech Giants Face Billions in Fines

The European Union is moving to enforce the world's most sweeping artificial intelligence legislation, with major technology companies facing fines of up to €35 million or seven percent of global annual turnover — whichever is higher — for non-compliance with rules that regulators say are long overdue. Compliance deadlines are now active for the highest-risk AI applications, and enforcement bodies across member states are preparing to act.

What the EU AI Act Actually Requires

The EU AI Act, which entered into force in the summer of recently concluded legislative cycles, establishes a tiered regulatory framework designed to govern artificial intelligence based on the level of risk it poses to individuals and society. Unlike previous data protection legislation, which focused primarily on personal data handling, the AI Act targets the design, deployment, and oversight of AI systems themselves.

The Four-Tier Risk Classification System

At the top of the framework sits the "unacceptable risk" category, which bans outright a set of practices considered incompatible with fundamental rights. These include AI systems that deploy subliminal manipulation techniques to influence behaviour without a person's awareness, social scoring systems used by governments to rank citizens based on behaviour, and real-time biometric identification in public spaces by law enforcement — with narrow, court-approved exceptions.

Below that, "high-risk" AI covers systems used in critical infrastructure, education, employment, essential services such as credit scoring, law enforcement, migration processing, and the administration of justice. Companies operating in these sectors must now maintain detailed technical documentation, implement human oversight mechanisms, ensure data governance, and register their systems in an EU-wide database before deployment.

"Limited risk" systems — such as chatbots — must meet transparency obligations, meaning users must be clearly informed when they are interacting with an AI. "Minimal risk" applications, including spam filters and AI-enabled video games, face no mandatory requirements, though the Commission has encouraged voluntary codes of conduct.

General-Purpose AI and the Large Model Problem

One of the most contentious aspects of the regulation concerns general-purpose AI models, a category that covers large language models (LLMs) — the technology underpinning products such as ChatGPT, Google Gemini, and Meta's Llama series. These are AI systems trained on vast datasets to perform a broad range of tasks rather than a single defined function.

Companies providing models trained using more than 10^25 floating-point operations — a technical threshold used to indicate computational scale — are now classified as posing "systemic risk" and face obligations including adversarial testing, incident reporting to the European AI Office, cybersecurity assessments, and energy consumption disclosures. The European AI Office, a body established within the European Commission, holds primary supervisory authority over these providers.

The Giants in the Crosshairs

The companies most exposed to enforcement action are those with the broadest AI product portfolios and the deepest penetration into European markets. Google, Microsoft, Meta, Apple, Amazon, and OpenAI have all been subject to scrutiny from European regulators since the legislation's provisions began entering into force. According to IDC research, European enterprise spending on AI software and services is currently projected at tens of billions of euros annually, meaning the regulatory environment has direct implications for market access strategies.

Microsoft and OpenAI's Compliance Exposure

Microsoft, which has deeply integrated OpenAI's models into its Azure cloud platform, Bing search engine, and Office productivity suite, faces some of the most complex compliance questions. Deploying a general-purpose AI model as a component within a high-risk system — for instance, using Copilot in a HR recruitment tool — could expose the company to dual layers of obligation. Officials at the European Commission have indicated that the chain of responsibility between model providers and deployers will be a central focus of early enforcement guidance.

OpenAI separately faces obligations as a model provider under the general-purpose AI provisions. The company has publicly stated its commitment to working with regulators, according to statements reported by Wired, but critics argue that the firm's opacity around training data and model architecture runs counter to the Act's documentation requirements.

Meta's Open-Source Dilemma

Meta has complicated the regulatory picture by releasing its Llama series of models under open or semi-open licences, allowing third parties to download, modify, and deploy the systems. The AI Act includes limited carve-outs for open-source models, but those carve-outs do not extend to providers whose models meet the systemic risk threshold. Legal analysts and academics quoted by MIT Technology Review have raised questions about how enforcement would function when a model is simultaneously controlled by its originator and freely modified by thousands of downstream users.

Enforcement Architecture and Member State Roles

Enforcement of the AI Act operates on two levels. The European AI Office oversees providers of general-purpose AI models directly. For high-risk AI systems, each EU member state is required to designate a national competent authority responsible for supervising compliance within its jurisdiction. This creates a patchwork of national bodies — similar in structure to data protection authorities under GDPR — which critics argue may produce inconsistent enforcement.

The GDPR Precedent

The comparison to the General Data Protection Regulation is instructive. GDPR, which entered into force previously, established similarly significant fines — up to four percent of global turnover — but early enforcement was slow and concentrated in a handful of member states, particularly Ireland, which hosts the European headquarters of many US technology companies. Data protection authorities in smaller member states often lacked the technical resources to investigate complex cases.

Regulators have indicated they are aware of this problem. The European AI Office has been allocated dedicated staffing and is expected to coordinate with national authorities to prevent regulatory arbitrage, officials said. Whether that coordination proves effective under the pressure of the current compliance timeline remains to be seen.

Industry Pushback and Lobbying Activity

Technology industry groups have mounted sustained lobbying efforts against several provisions of the Act, arguing that compliance costs will disadvantage European startups relative to US and Chinese competitors and that the legislation's definitions are too broad to provide legal certainty. DigitalEurope, the industry association representing major technology companies operating in Europe, has called for clarification on several definitional questions, including the precise boundaries of the high-risk category and the treatment of AI components embedded within larger software systems.

The Competitiveness Debate

The competitiveness argument has found some political traction. Several member states with significant technology sectors have pushed back on what they describe as regulatory overreach, and the Commission has faced pressure to avoid deterring AI investment in Europe at a time when the continent is already perceived as lagging behind the United States and China in frontier AI development. According to Gartner analysis, European AI investment as a proportion of global totals remains significantly below the US share, a disparity that critics of the legislation cite as evidence of structural disadvantage.

Supporters of the Act counter that regulatory certainty and public trust are themselves competitive advantages, and that the alternative — an unregulated AI market — poses risks that ultimately undermine economic as well as social stability. The debate mirrors broader arguments about digital regulation that have characterised EU-US technology policy relations for more than a decade.

The UK's Parallel Path

While the EU advances its binding legislative framework, the United Kingdom is pursuing a different approach — one that has drawn both praise and criticism from different quarters. Rather than enacting a single omnibus AI law, UK authorities have opted for a sector-by-sector model, with existing regulators such as the Financial Conduct Authority, the Information Commissioner's Office, and the Care Quality Commission expected to apply AI-specific guidance within their existing domains.

For ongoing coverage of how British regulators are approaching this challenge, readers can follow our reporting on UK tightens AI regulation rules for tech giants and the government's evolving policy position on UK plans to impose strict AI safety rules on tech giants. The divergence between the EU and UK approaches raises significant questions for companies that operate across both markets, particularly given the volume of data flows and product deployments that cross the English Channel daily. Our earlier analysis of UK tightening AI safety rules ahead of US legislation sets out the transatlantic context in detail.

What Comes Next

The immediate priorities for enforcement bodies centre on prohibited practices and general-purpose AI obligations, which are currently active. High-risk AI provisions will phase in over a longer timeline, giving companies additional time to bring existing systems into compliance — though new deployments are expected to meet requirements immediately.

The European AI Office has indicated it will publish detailed technical standards and guidance documents in the coming months, developed in part through cooperation with standardisation bodies including CEN-CENELEC and ETSI. Those standards will provide the technical benchmarks against which compliance is actually measured, and their content is expected to shape industry practice significantly.

For continued coverage of how the EU framework is developing at the legislative level, see our reporting on EU tightens AI rules as tech giants face fines and the full breakdown of EU tightens AI rules as tech giants face new compliance deadlines.

The coming months will serve as the first real test of whether the EU AI Act is a workable regulatory instrument or an aspirational framework that outpaces enforcement capacity. With billions in potential fines on the table and technology companies already adjusting product roadmaps in response, the outcome will carry consequences not just for the European market but for the global trajectory of AI governance.