IA 360
Regulatory Framework

EU Strikes Political Deal on the AI Act

After a marathon negotiation lasting more than 36 hours, the European Parliament, the Council and the European Commission have reached a political agreement on the AI Act, the world's first comprehensive regulation of artificial intelligence.

5 min read Leer en español

It was already the small hours of the morning when negotiators from the European Parliament, the Council and the Commission finally filed out of the room. They had been locked in talks for more than 36 hours straight, in what has become one of the longest legislative negotiations in the EU's recent history. The result, announced today: a political agreement on the AI Act, the first serious attempt by a bloc of countries to regulate artificial intelligence comprehensively.

This is no ordinary piece of legislation. It's the world's first general-purpose AI law, and its influence is expected to reach well beyond Europe's borders — much as GDPR did for data protection. Companies anywhere on the planet that want access to the European market will have to fall in line with its rules.

A risk-based approach

The law's architecture rests on a simple premise: not all AI deserves the same level of scrutiny. The text sorts systems into different categories according to the risk they pose to people.

At the top tier sit the uses Brussels considers flatly unacceptable, which are banned outright. These include social scoring of citizens by governments, emotion-recognition systems in workplaces or schools, biometric categorization based on sensitive traits (such as sexual orientation or religious beliefs), and the indiscriminate scraping of facial images from the internet or CCTV footage to build facial-recognition databases.

One of the thorniest sticking points in months of talks has been real-time facial recognition by law enforcement in public spaces. Several MEPs pushed for an outright ban; several member states argued for exceptions in cases such as searching for kidnapping victims, preventing terrorist attacks, or prosecuting serious crimes. The agreement reached allows its use, but only under narrowly defined circumstances and with prior judicial authorization.

Below the outright bans, "high-risk" systems — those used in areas such as recruitment, access to essential services, the justice system or critical infrastructure — will be subject to transparency obligations, human oversight and conformity assessments before they can hit the market.

General-purpose AI enters the picture

When the European Commission unveiled its original proposal back in 2021, ChatGPT didn't exist yet. The explosion of large language models throughout 2023 forced negotiators to bolt on, mid-process, a specific chapter for what the text calls general-purpose AI (GPAI): foundation models trained on enormous volumes of data that can later be adapted to a wide range of tasks.

This piece of the puzzle was one of the most fiercely contested right up to the final hours. France — with Mistral AI as the flagship of its homegrown industry — and Germany pushed to soften the requirements on these models so as not to smother their own startups in competition with U.S. giants. The agreement introduces stricter transparency and evaluation obligations for models deemed to carry the highest capability or systemic risk, while other general-purpose model providers will face lighter requirements, focused mainly on technical documentation and respect for copyright over training data.

Fines of up to 7% of global turnover

The agreement comes with real teeth on enforcement. The most serious violations — such as developing or deploying banned systems — can be punished with fines of up to €35 million or 7% of a company's global annual turnover, whichever is higher. Other violations carry lower caps, scaled according to severity.

What comes next

Today's agreement is political, not the final legal text. Over the coming weeks, technical teams from all three institutions will need to translate what was agreed into final legal language — a process that in Brussels often brings important nuances to the surface, and one where last-minute friction can still emerge. After that comes formal approval by the European Parliament and the Council, steps expected to be completed in the early months of 2024.

Once it takes effect, the law won't apply all at once: its various obligations will be phased in over the following years, giving companies and governments time to adapt.

What's clear as of today is that Brussels has chosen a different path from Washington, which leans toward letting Big Tech self-regulate, and from Beijing, with its own framework centered on state control. What remains an open question is whether this balance between innovation and safeguards will prove to be an exportable model or a drag on European competitiveness against the U.S. and China — the underlying debate that has shaped every hour of this negotiation.

Share this article

This website uses cookies to improve the browsing experience. Cookie policy.