EU tightens AI regulation rules for tech giants

The European Union has moved to enforce its landmark artificial intelligence legislation with a new compliance framework that places sweeping obligations on technology companies deploying high-risk AI systems across member states, with non-compliant firms facing fines of up to 35 million euros or seven percent of global annual turnover, whichever is greater. The rules represent the most comprehensive regulatory intervention into AI deployment anywhere in the world, officials said, and industry analysts warn the costs of adaptation will run into the billions across the sector.

What the New Compliance Framework Requires

The updated compliance framework, issued by the European AI Office — the body established to oversee implementation of the EU AI Act — sets out detailed technical and organisational requirements for companies whose AI systems are deemed high-risk. These requirements apply whether the system was developed inside the EU or simply deployed there, meaning global technology companies cannot avoid the rules by basing operations elsewhere.

Mandatory Risk Assessments and Documentation

Under the framework, companies must conduct and publish conformity assessments before any high-risk AI system enters the market. These assessments — detailed audits of a system's design, training data, intended use, and potential for harm — must be kept on file and made available to national regulators on request. The documentation requirement is designed to create an auditable trail that regulators can follow if a system causes harm or discriminates against users, officials said.

According to MIT Technology Review, many of the largest AI deployments currently in commercial use — including hiring algorithms, credit-scoring systems, and predictive policing tools — would fall squarely within the high-risk classification, triggering the full documentation and monitoring regime.

Human Oversight and Real-Time Monitoring

The framework also mandates that high-risk AI systems include technical mechanisms for human oversight. In practical terms, this means organisations cannot fully automate consequential decisions — such as denying someone a loan, flagging a job applicant for rejection, or determining parole eligibility — without a qualified human being able to review, override, and correct the system's output. Real-time monitoring logs must be maintained throughout the operational life of the system, and companies must notify regulators within 72 hours of discovering a serious incident or malfunction.

Which Companies Face the Greatest Exposure

The compliance burden falls most heavily on large technology companies that have embedded AI deeply into products and services used across the EU. That list includes American giants such as Microsoft, Google, Meta, Amazon, and Apple, as well as European firms and a growing cohort of AI-native startups that have scaled rapidly in recent years.

General-Purpose AI Models Under Scrutiny

A distinct set of obligations applies to providers of what the regulation calls general-purpose AI models — large-scale systems, such as the large language models (LLMs) that power modern chatbots and content generation tools, which can be adapted for many different tasks. LLMs are AI systems trained on vast quantities of text data that learn to generate human-like responses, summaries, and code. Under the framework, providers of such models must publish detailed technical summaries, comply with EU copyright law in training data collection, and implement policies to detect and mitigate systemic risks if their models exceed defined capability thresholds.

Wired has reported that several leading AI developers are lobbying Brussels for clearer definitions of what constitutes a systemic risk threshold, arguing that the current language leaves companies uncertain about whether their models trigger the highest tier of obligations.

Smaller Firms and the SME Carve-Out

Regulators have acknowledged that applying the full weight of the compliance framework to small and medium-sized enterprises (SMEs) could stifle innovation at the startup level. A series of proportionality provisions reduces documentation requirements and offers regulatory sandboxes — controlled testing environments where new AI systems can be evaluated without full regulatory exposure — for smaller operators. However, critics argue these carve-outs are insufficiently defined, and that SMEs supplying high-risk components to larger platforms may still face unexpected liability.

The Cost of Compliance

Technology companies have begun disclosing the scale of investment required to meet the framework's requirements. Legal teams, compliance officers, and AI auditors are in high demand across the industry, with recruitment data showing significant salary inflation in AI governance roles across European markets this year. According to IDC, enterprise spending on AI risk management and compliance tooling is growing at more than 30% annually, driven in large part by regulatory pressure in the EU and, increasingly, in comparable markets.

Compliance Technology as a Market in Itself

The regulatory burden has generated a secondary market in compliance technology — software platforms designed to help organisations catalogue their AI systems, generate required documentation, monitor outputs, and flag potential violations automatically. Gartner has identified AI governance platforms as one of the fastest-growing categories in enterprise software, noting that demand accelerated sharply following the EU AI Act's passage. Several established cybersecurity vendors have moved aggressively into this space, repositioning existing risk management products for the AI compliance use case. For more on the intersection of digital policy and technology regulation, see our coverage of EU tightens AI rules as US tech giants face compliance costs.

Enforcement Architecture and National Authorities

Enforcement of the AI Act operates on a dual-track model. The European AI Office holds authority over general-purpose AI models and cross-border violations, while national competent authorities in each member state are responsible for monitoring and enforcing obligations at the domestic level. This architecture is broadly similar to how the General Data Protection Regulation (GDPR) — the EU's data privacy law — has been enforced, though officials have stressed that lessons have been learned from the GDPR's slow early enforcement record.

Market Surveillance and Penalty Escalation

Each member state is required to designate a market surveillance authority with powers to inspect AI systems, demand technical documentation, issue corrective orders, and impose financial penalties. The penalty structure is tiered: the highest fines apply to prohibited AI practices — such as real-time biometric surveillance in public spaces and systems that exploit psychological vulnerabilities — while lower ceilings apply to failures of documentation or transparency obligations. Repeat violations or deliberate obstruction of regulators can trigger penalty escalation and, in extreme cases, withdrawal of market access for the system in question.

International Dimensions and the UK Position

Because the EU AI Act applies to any AI system used by EU residents, regardless of where the provider is based, its reach extends well beyond European borders. American, British, and Asian technology companies deploying products into the EU market are all subject to the same obligations as European-headquartered firms. This extraterritorial dimension has sparked diplomatic friction, particularly between Brussels and Washington, where the current US administration has taken a substantially lighter regulatory approach to AI.

The United Kingdom, following its departure from the EU, is developing its own regulatory approach independently. British policymakers have signalled a preference for a principles-based, sector-specific framework rather than a single overarching AI law — a divergence that could create compliance complexity for companies operating across both markets. Readers following the evolution of British policy should consult our reports on UK tightens AI regulation rules for tech giants and the broader picture described in UK tightens AI regulation framework for tech giants, as well as the most recent governmental positions detailed in UK unveils tougher AI safety rules for tech giants.

Industry Response and Civil Society Pressure

The response from the technology industry has been divided. Larger companies have broadly accepted the framework as an emerging baseline, with several publishing public compliance roadmaps and appointing dedicated AI Act officers. A number of trade associations representing the US technology sector have, however, filed formal representations with the European Commission raising concerns about competitive disadvantage and the cost of compliance for companies that do not primarily operate in Europe.

Civil society organisations and digital rights groups have taken the opposite position, arguing that the framework does not go far enough. Privacy advocates have noted that several enforcement mechanisms rely on self-reporting, and that the national competent authorities tasked with market surveillance remain underfunded relative to the scale of the task. The context of broader platform regulation battles is relevant here — as our earlier coverage of UK delays Online Safety Bill as tech giants challenge rules illustrates, large technology companies have a well-documented record of contesting digital regulation through legal and lobbying channels.

According to MIT Technology Review, the AI Act's ultimate effectiveness will depend not on the quality of its drafting — which is widely acknowledged to be technically sophisticated — but on the political will and institutional capacity of member state authorities to conduct genuine, adversarial enforcement against well-resourced companies. That test is still to come, and the first major enforcement actions, expected as full provisions come into effect across their respective implementation windows, will be closely watched by regulators, industry, and civil society alike as a signal of how seriously Europe intends to govern the technology that is reshaping nearly every sector of the economy.