European Parliament passes AI Act: what changes and when
The European Parliament has approved the AI Act, the regulation that will govern the use of the technology according to risk. It bans certain practices, scrutinizes sensitive systems and requires transparency from generative models.
The European Parliament approved the European Union’s AI Act on Wednesday, the world’s first cross-sector regulation dedicated to the technology. The text received 523 votes in favor, 46 against and 49 abstentions, and sets different obligations depending on the risk a system may pose to safety and fundamental rights.
The vote closes the parliamentary phase of rules negotiated for years and politically agreed by the European institutions in December. Formal adoption by the Council of the EU and publication in the Official Journal are still pending, but the rules that will shape the work of companies, public authorities and developers have already been defined.
Regulation based on risk, not technology
The AI Act does not regulate every program that uses artificial intelligence in the same way. Its central idea is to classify systems according to the risk of harm they may cause. The more sensitive the context — hiring someone, granting credit, selecting students or identifying someone in the street — the more safeguards a system will have to pass.
Uses deemed to pose an unacceptable risk will be banned. They include social-scoring systems that classify people according to their behavior or characteristics; the indiscriminate scraping of facial images from the internet or surveillance cameras to build databases; and emotion recognition in schools and workplaces.
The rules also ban predictive-policing systems based solely on personal profiles or traits. The regulation additionally prohibits biometric categorization designed to infer especially sensitive data, such as religious beliefs, sexual orientation or racial origin.
Police use of remote biometric identification in public spaces will face particularly strict limits. It may be used only in exceptional circumstances, such as searching for victims of certain crimes, preventing a serious and imminent threat or locating suspects in serious crimes. It will require prior authorization and be subject to time and geographic limits.
What will count as high-risk AI
The category most relevant to many companies and public authorities is that of high-risk systems. They are not necessarily illegal, but they will have to demonstrate that they operate safely before being placed on the market or put to use.
The list covers systems used in critical infrastructure, education and training, recruitment, access to essential public or private services, law enforcement, migration and border control, the administration of justice and democratic processes. An algorithm that helps screen job applications, for example, will face very different requirements from a music recommender.
Providers of these systems will have to implement risk-management processes, use high-quality data, document how the system works, retain activity logs and allow human oversight. They will also have to meet requirements for accuracy, technical robustness and cybersecurity.
The law addresses an issue that has often been left out of purely technical discussions: the impact on fundamental rights. Certain public bodies and private entities using high-risk systems will have to assess their potential effects before deploying them.
ChatGPT and large models are covered too
The approved text establishes a specific regime for general-purpose AI: models capable of performing many different tasks and serving as the foundation for products such as chatbots, image generators and coding assistants.
Their developers will have to prepare technical documentation, establish a policy for complying with European copyright rules and publish a sufficiently detailed summary of the content used to train the models. This is a significant requirement for an industry accustomed to treating training data as confidential information.
General-purpose models that may create systemic risks — because of their power, reach or ability to spread across many products — will face additional controls. They will have to assess and mitigate those risks, report serious incidents and strengthen security against malicious uses.
The law also requires people to be informed when they are interacting with a machine in certain contexts and requires synthetic content, such as deepfakes, to be identifiable. The goal is not to prevent the generation of artificial images, voice or text, but to stop such content from being presented deceptively when it could affect public information or the rights of third parties.
The rules will take effect in stages
The AI Act will be a regulation, not a directive. That means that, once it enters into force, it will apply directly in all member states without each country having to draft national transposition legislation.
Most of its provisions will begin to apply 24 months after it enters into force. The bans will come earlier, after six months. Obligations for general-purpose models will take effect after 12 months, while some rules for high-risk systems will have a 36-month deadline.
That timetable recognizes that adapting products, hiring processes and public systems will not happen overnight. But it also makes clear that organizations already using AI in sensitive decisions should not wait for the deadline to arrive: they will need to know which models they use, what data they handle, who is accountable for them and how their errors are reviewed.
Europe has not resolved every artificial-intelligence dilemma with this law. Its practical application will depend on technical standards, supervisory authorities and the ability to enforce the obligations on companies inside and outside the EU. Even so, the vote turns an idea debated since 2021 into a concrete legal framework: in the European market, it will not be enough for an AI system to be useful; it will have to demonstrate that it follows the rules.