European Policy Landscape for AI Systems

PostedMay 20, 2025

ByIuliia Gorshkova

The European policy landscape for artificial intelligence is not a single, monolithic law but a complex, interlocking system of regulations, directives, and standards that collectively govern the lifecycle of AI systems. For professionals deploying or developing AI, robotics, biometric, or data-driven technologies in Europe, understanding this ecosystem requires moving beyond a surface-level reading of the AI Act. It demands a grasp of how the AI Act interacts with foundational data and digital market legislation, how it is implemented by national bodies, and how sector-specific rules create additional layers of compliance. This analysis dissects the architecture of EU-level policy, explains its practical implications for public and private entities, and highlights the critical interplay between harmonized European standards and national enforcement.

The Foundational Layer: Data, Trust, and Market Unity

Before the AI Act (Regulation (EU) 2024/1689) came into force, the European Union had already established a digital single market framework that profoundly shapes how AI systems can be built and operated. The General Data Protection Regulation (GDPR) remains the most significant horizontal legislation affecting AI, particularly for systems that process personal data. The interaction between the GDPR and the AI Act is a primary area of legal complexity and operational risk.

GDPR and AI: A Symbiotic but Tense Relationship

AI systems, especially those based on machine learning, are data-hungry. The GDPR’s principles of lawfulness, fairness, data minimization, and purpose limitation directly constrain the data pipelines that fuel these systems. A key point of friction is the concept of automated decision-making under Article 22 GDPR. While the AI Act regulates “high-risk” AI systems with its own set of obligations, any AI system that makes decisions with legal or similarly significant effects on individuals must also comply with GDPR’s rights to human intervention, explanation, and data subject access.

From a practical standpoint, this means that a credit scoring AI, for instance, is subject to both the AI Act’s requirements for high-risk systems (risk management, data governance, transparency) and the GDPR’s individual rights. The “right to an explanation” under GDPR is not a trivial feature; it requires system design that can produce meaningful information about the logic involved, which often conflicts with the “black box” nature of complex deep learning models. National Data Protection Authorities (DPAs), such as the CNIL in France or the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit in Germany, are actively interpreting these obligations, often issuing guidance that pushes developers towards Privacy by Design and Data Protection Impact Assessments (DPIAs) as foundational steps, not just compliance paperwork.

The Data Act and Data Governance

The Data Act (Regulation (EU) 2023/2854) introduces a new dimension by focusing on the fair allocation of value generated from data. For AI systems, this is particularly relevant in industrial and IoT contexts. The Act facilitates the sharing of data generated by connected products and related services, potentially increasing the availability of training data for AI, but also imposing constraints on how data access and use can be contractually regulated. It empowers users of connected devices to request data from manufacturers to, for example, develop predictive maintenance algorithms. This shifts the balance of power and requires AI developers to consider data access rights as a core part of their business and technical architecture, not just a legal afterthought.

Complementing this is the Data Governance Act (Regulation (EU) 2022/868), which establishes mechanisms for data intermediation and the reuse of public sector data. For AI systems in the public sector, this framework is crucial. It provides the legal basis for public bodies to share high-value datasets, which are often essential for training AI for public services (e.g., urban planning, traffic management, social benefits). However, the reuse is subject to strict conditions, particularly concerning anonymization and the protection of trade secrets, which can be technically challenging for complex datasets.

Digital Services Act and Digital Markets Act

The Digital Services Act (DSA) and Digital Markets Act (DMA) primarily target online platforms and gatekeepers, but their provisions have a knock-on effect on AI. The DSA’s rules on content moderation, for example, regulate the use of AI for detecting and removing illegal content. It imposes transparency obligations on the use of automated tools and provides safeguards against erroneous removal of content. For providers of generative AI models that can be used to generate harmful content, the DSA’s obligations to mitigate systemic risks are becoming a key compliance point.

The DMA aims to ensure fairness in the digital market. For AI, this relates to the access to and use of data by gatekeepers. If a large platform (a designated gatekeeper) uses data collected from its vast user base to train its own AI models, the DMA’s rules on data portability and interoperability can be seen as an indirect check on the concentration of AI development power in a few hands.

The AI Act: A New Paradigm of Risk-Based Regulation

The AI Act is the centerpiece of the EU’s AI policy. It establishes a harmonized, risk-based framework that categorizes AI systems based on the level of risk they pose to health, safety, and fundamental rights. It is a regulation, meaning it is directly applicable in all EU Member States without the need for national transposition laws, but its application requires the establishment of national authorities and the development of harmonized standards.

Unpacking the Risk Categories

The AI Act’s structure is built on four tiers of risk:

Unacceptable Risk: AI systems that are considered a threat to people and are banned. This includes cognitive behavioral manipulation, untargeted scraping of facial images from the internet, social scoring by governments, and biometric categorization to infer sensitive data (e.g., political or sexual orientation). Prohibited AI practices will be banned six months after the AI Act’s entry into force.
High-Risk: AI systems that negatively affect safety or fundamental rights. This is the most heavily regulated category. It includes AI used in critical areas like biometrics (e.g., emotion recognition, biometric categorization), critical infrastructure, education, employment, essential private and public services, law enforcement, migration, and administration of justice. These systems are not banned but are subject to strict obligations before they can be placed on the market.
Transparency Risk (or Limited Risk): AI systems with specific transparency obligations. The most prominent example is deep fakes and other AI-generated content. Users must be informed that they are interacting with an AI system, unless it is obvious from the context. Providers of AI systems intended to generate or manipulate image, audio or video content must also mark outputs as artificially generated.
Minimal or No Risk: The vast majority of AI systems fall into this category (e.g., spam filters, video games, inventory management systems). The AI Act does not impose mandatory legal obligations on these systems, but encourages voluntary adoption of codes of conduct.

Obligations for High-Risk AI Systems

For professionals developing or deploying high-risk AI, the AI Act creates a comprehensive compliance regime. These obligations are not trivial and require deep integration of legal, technical, and organizational processes.

Risk Management System

Providers must establish a risk management system that is a continuous, iterative process throughout the entire lifecycle of the AI system. It involves identifying, estimating, and mitigating risks. This is not a one-off assessment but an ongoing duty to monitor the system in its post-market phase.

Data Governance

The AI Act places significant emphasis on the quality of training, validation, and testing data. Data must be relevant, representative, free of errors, and complete. This is a direct response to the well-documented problem of algorithmic bias. For AI systems used in sensitive areas like recruitment, this means providers must actively audit their datasets for biases related to gender, race, or other protected characteristics. This obligation aligns closely with GDPR’s principles of data quality and fairness.

Technical Documentation and Record-Keeping

Providers must draw up technical documentation before placing a system on the market. This documentation must demonstrate compliance with the AI Act’s requirements and be presented to national authorities upon request. It needs to detail the system’s capabilities, limitations, the data used, the training methods, and the risk management measures. Additionally, automatically generated logs must be kept to ensure traceability and post-market monitoring.

Transparency and Provision of Information

High-risk AI systems must be transparent enough to allow users to understand and correctly interpret their outputs. Providers must ensure that the system’s operation is sufficiently transparent to facilitate human oversight. Users (e.g., an employer using a recruitment AI) must be provided with clear instructions for use, including the system’s intended purpose, its limitations, and the required human oversight measures.

Human Oversight

High-risk AI systems must be designed to enable effective human oversight. This is not merely a suggestion; it is a design requirement. The goal is to prevent or minimize the risk of harm from incorrect application or from automation bias (where a human blindly trusts the AI’s output). This can be achieved through measures like an “intervention button” or dashboards that present the system’s confidence levels and key influencing factors for a decision.

Accuracy, Robustness, and Cybersecurity

High-risk AI systems must be accurate and robust. They must perform consistently throughout their lifecycle and be resilient to errors, faults, or inconsistencies. They must also be resilient against attempts by third parties to alter their use or outputs (e.g., adversarial attacks or data poisoning). This requires rigorous testing and validation, not just before deployment but continuously.

The Conformity Assessment and CE Marking

Before a high-risk AI system can be placed on the EU market, it must undergo a conformity assessment. For most high-risk AI systems, this is a self-assessment by the provider, where they verify that their system meets the requirements and they draw up an EU declaration of conformity. However, for certain high-risk AI systems, particularly those used in biometrics, law enforcement, or critical infrastructure, the conformity assessment must involve a third-party Notified Body. Once the assessment is complete, the provider affixes the CE marking to the system, signaling its compliance with EU law. This is a legal declaration and carries significant liability.

Implementation and Enforcement: The Role of National Authorities

While the AI Act is a harmonized regulation, its enforcement is a national affair. The regulation requires each Member State to designate one or more national competent authorities for supervising the application and enforcement of the rules. This creates a decentralized enforcement landscape, similar to how GDPR is enforced by different DPAs across the EU.

The AI Act and GDPR: A Tale of Two Authorities

A critical question for organizations is which authority they will need to engage with. For AI systems that process personal data, there will be an overlap between the AI Act and GDPR. The AI Act requires Member States to ensure that their national authorities have the necessary expertise and powers. In many countries, the existing Data Protection Authority is being considered or designated as a key player in AI supervision, particularly for issues related to fundamental rights. However, other bodies, such as market surveillance authorities (often part of the Ministry of Economy or a dedicated agency), will also have a role. This can lead to a complex multi-authority landscape. For example, a biometric AI system deployed by a private company might be subject to oversight from the market surveillance authority for its compliance with the AI Act’s technical requirements, and from the DPA for its compliance with GDPR’s legal basis and data subject rights.

National Implementation and Divergences

Although the AI Act is directly applicable, Member States have some room for maneuver, particularly concerning the organization of their authorities and the rules for public authorities. For instance, the AI Act allows Member States to decide which authority will serve as the “single point of contact” for the public. Some countries are creating new, dedicated AI agencies, while others are embedding AI oversight within existing structures.

Consider the different approaches in key European markets:

Germany: Germany’s existing framework for market surveillance is robust. It is likely that the Bundesnetzagentur (Federal Network Agency) or other specialized bodies will take on significant roles. Germany also has a strong tradition of co-regulation and industry standards, which will influence how the AI Act’s requirements are interpreted in practice.
France: The CNIL (Commission Nationale de l’Informatique et des Libertés) is a very influential DPA and has already issued significant guidance on AI and data protection. It is expected to play a central role in the French AI governance ecosystem, particularly concerning the intersection of AI and fundamental rights.
Spain: Spain has been proactive in establishing a national AI oversight body (the Spanish Agency for the Supervision of Artificial Intelligence – AESIA). This represents a model where a dedicated agency is created specifically for AI, separate from the DPA, reflecting a view that AI oversight requires specialized expertise beyond traditional data protection.

These national differences mean that a pan-European provider of high-risk AI systems will need a nuanced compliance strategy that considers the specific enforcement priorities and institutional structures of each Member State where they operate.

General-Purpose AI (GPAI) Models: A New Regulatory Frontier

The AI Act introduced a specific regime for General-Purpose AI (GPAI) models, a category that was not present in the initial draft but was added to address the rise of powerful foundation models like GPT-4 and others. This is one of the most scrutinized parts of the regulation.

Defining and Obligating GPAI Models

A GPAI model is defined as an AI model that can be adapted to a wide range of different tasks. The AI Act applies a tiered set of obligations to these models. All GPAI model providers must:

Prepare technical documentation and instructions for use.
Comply with the copyright directive (e.g., implement a policy to respect copyright).
Publish a summary of the content used for training.

These are primarily transparency obligations designed to inform downstream providers and users.

Systemic Risk and the Highest-Impact Models

A subset of GPAI models are designated as having systemic risk. This designation applies to models with high-impact capabilities, which are defined based on the compute used for training (a threshold that will be updated by the Commission). Providers of GPAI models with systemic risk face additional, more stringent obligations:

Perform model evaluations and adversarial testing (red-teaming).
Assess and mitigate potential systemic risks.
Report serious incidents to the European AI Office.
Ensure a high level of cybersecurity.

The European AI Office, a new body within the European Commission, will be central to overseeing these GPAI models. This represents a significant centralization of regulatory power at the EU level, contrasting with the decentralized model for most other high-risk AI systems. The AI Office will develop codes of practice and can impose substantial fines for non-compliance. This is a critical area for developers of large language models and other foundation models to monitor.

Intersection with Sector-Specific Legislation

The AI Act is a horizontal regulation, but it does not operate in a vacuum. It interacts with existing and emerging sector-specific EU legislation, creating a multi-layered compliance environment. For AI systems used in regulated sectors, compliance must be holistic.

Medical Devices and AI

The Medical Device Regulation (MDR) and In Vitro Diagnostic Medical Device Regulation (IVDR) govern AI systems that are medical devices. An AI system used for diagnosing a disease from an MRI scan, for example, is a medical device. The MDR/IVDR sets out requirements for safety and performance, clinical evidence, and post-market surveillance. The AI Act’s requirements for high-risk AI systems (like risk management, data governance, and transparency) largely overlap with and complement the MDR/IVDR’s requirements. In practice, a provider of an AI-based medical device will need to demonstrate conformity with both sets of rules. The AI Act clarifies that for high-risk AI systems that are also medical devices, the provider can draw up a single technical documentation that covers the requirements of both regulations, simplifying the process. However, the clinical evaluation required by the MDR remains a distinct and rigorous step.

Machinery and Robotics

The Machinery Regulation (which replaces the previous Machinery Directive) also has a direct interface with the AI Act. An AI system that controls a robotic arm on a factory floor is both a high-risk AI system (if it can cause safety harm) and part of a machine that must comply with the Machinery Regulation. The Machinery Regulation introduces new requirements for AI-integrated machinery, such as the need to protect against corruption of data and to ensure that the AI system is robust against manipulation. The interplay here is crucial: the Machinery Regulation ensures the physical safety of the machine, while the AI Act ensures the safety and fundamental rights aspects of the AI control system.

Automated Vehicles

The EU is currently revising its legislation on automated vehicles. The AI Act explicitly states that it is a lex specialis to the vehicle legislation. This means that for AI systems in vehicles, the specific vehicle regulations will take precedence. However, the AI Act’s principles on risk management and data governance are expected to inform the technical standards for vehicle AI. The development of Level 4 and Level 5 autonomous driving will therefore need to satisfy both the stringent safety requirements of the automotive sector and the fundamental rights protections of the AI Act.

Standards, Conformity, and the Practical Path to Compliance

Regulations set out the “what” (the requirements), while standards set out the “how” (the technical methods to meet those requirements). The AI Act explicitly requests the European standardization organizations (CEN, CENELEC) to develop harmonized standards that provide a presumption of conformity with the regulation.

AI in Education: Fundamentals & Tools

Understanding AI Basics

Practical AI Tools for Educators

Integrating AI into Teaching

Case Studies & Success Stories

Ethical AI & Inclusive Practices

Ethical & Legal Frameworks for AI Systems

Equity & Inclusion

Transparency & Trust

Algorithmic Bias, Discrimination & Legal Risk

AI Errors, Accountability & Legal Responsibility

Institutional AI Governance & Policy Design

AI, Security & GDPR Compliance

Data Protection & Privacy

Cybersecurity in AI

EU Regulations & Policies

Engaging Parents & Guardians

Data Protection, Privacy & AI Governance

Additional Resources

Glossary of Terms

Templates & Guides

Webinars & Research

AI for Administrative & Pedagogical Support

AI for Time Management

AI in Student Performance Tracking

AI for Automated Communication

AI for Document Management

AI, Robotics & Biotech Regulation in Europe

EU AI Act Explained: Scope, Risk Levels, Obligations

AI-Enabled Products: Robots, Medical Software, Smart Devices

Machinery Regulation & Safety Standards for Intelligent Systems

AI in Healthcare & Biotech: MDR, IVDR, EMA

Liability & Responsibility for AI-Driven Systems

Compliance in Practice: From Risk Assessment to CE Marking

Country-Specific AI Regulation & Enforcement

How EU AI Law Is Applied at National Level

Different Compliance Models

National AI Sandboxes & Regulatory Experiments

Public Sector AI Rules Across Europe

Cross-Border AI Deployment Challenges

When National Law Overrides EU Guidance

Legal Cases, Enforcement & Real-World Precedents

AI Act, GDPR & Algorithmic Decision-Making Cases

Liability Disputes Involving Automated Systems

Robotics Accidents & Legal Responsibility

Medical & Biotech AI Failures: Lessons Learned

What Enforcement Trends Tell Us About Future Regulation