COMMENTARY: Just a few weeks ago, important parts of the EU AI Act quietly came into law. As of August 2, 2025, providers of general-purpose artificial intelligence (GPAI) models implemented in August 2025 or after will be fined up to 35 million euros or 7% of their company’s annual turnover if they do not comply with the conditions of the AI law.

This legislation represents a positive step towards establishing a global standard for AI regulation and it strikes an important balance between innovation and risk management.

Now that the EU AI Act’s August enforcement deadline has passed, providers of GPAI models in the EU must prove compliance with important transparency and ethical measures imposed by the law.

Providers must now show that they have measures in place to properly label and disclose manipulated and synthetic AI content; that their models meet accessibility requirements; that they’re abiding by relevant copyright laws; and that they’re not using or collecting biometric information improperly.

The law also has ramifications for member states, which are also required to have proper enforcement measures in place by the August deadline.

Member states and AI companies have known about these requirements for years. The August deadline is significant not because the requirements are new, but because it means that the requirements are now in legal effect, with significant and enforceable penalties for non-compliance.

It’s crucial to note that the August date is just one of many important enforcement deadlines of the EU AI Act, and that it only applies to models released after the deadline.
AI companies with models deployed before August 2025 – like OpenAI’s ChatGPT – will have another two years to comply.

Why AI compliance requires continual diligence

As compliance deadlines continue to kick in over the next few years, companies will need to work hard to keep up with the requirements of the EU AI Act, which come into force on a staggered schedule. It’s a sweeping, complex law, and compliance will present an ongoing challenge for AI firms in the EU and beyond.

Even if they’re not headquartered in the EU, organizations all around the world still need to stay aware of the EU AI Act and its enforcement schedule. This is both because the statutory requirements of the law will affect an organization regardless of where it is headquartered, and because the complexity of the law and its staggered enforcement schedule highlight the broader challenges of AI regulatory compliance.

Some leaders think of regulatory compliance as a static objective, a standard that’s achieved through a labor-intensive push and then maintained with minimal effort, but it’s not true, and it’s particularly false with AI. Because of the evolving nature of the technology and the legislation surrounding it, AI regulatory compliance isn’t just achieved once; it’s achieved on a continuing basis, as new laws are drafted and come into effect on an almost unprecedented scale.

Once more AI legislation gets passed, the work required to achieve and maintain compliance will continue to mount. Leaders need to understand this, and they need to explore ways to grapple with these regulatory burdens as efficiently as possible, well before the laws are legally enforceable.

What’s next for AI regs?

The EU AI Act will continue to roll out for the remainder of the decade, with new components of the law coming into effect through 2030.

Outside of the EU, the regulatory picture has evolved somewhat differently.
In the U.S., regulation has been much more decentralized and relaxed, with the Trump administration even rolling back some of the relatively modest regulations that the previous Biden administration had established. This less stringent and more decentralized approach will continue for the foreseeable future, with states likely to fill (or, in many cases, not fill) the regulatory void left by the federal government.

Beyond the U.S. and EU, other regions are charting their own regulatory paths, with ASEAN adopting the ASEAN AI Guide, and other regions like Australia and New Zealand leveraging existing legislation to regulate AI models.

While much of the global AI compliance story remains an open book, it’s now clear that organizations need to do more to grapple with the ongoing burdens of regulatory compliance. Even in regions where the regulations are more lax than in the EU, developers and adopters of AI face completely new regulatory burdens that require novel approaches to automation, labor, and technology.

With the right approach to compliance, organizations can meet these requirements without damaging innovation, productivity, or safety.

Dana Simberkoff, chief risk, privacy, and information security officer, AvePoint

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.




