The EU AI Act’s Rules on General Purpose AI: What Businesses Need to Know
The EU AI Act’s rules and obligations for General Purpose AI models (GPAI) came into force on 2 August 2025, as part of the bloc’s staggered implementation period.
With the EU AI Act set to come fully into force in August next year, companies must begin actively ensuring compliance with the Act’s provisions. Updating compliance programmes, ensuring data collection, system monitoring, and auditing practices align with the Act’s mandates, and adopting the ISO 42001 are important first steps.
Dahua Technology and Axis Communications are among those companies in AI-driven sectors that are actively preparing for the Act’s full implementation next year.
Challenges in Enforcement
In May this year, European Parliament digital policy advisor Kay Zenner warned that struggles with funding and retaining expertise will pose enforcement challenges for the EU AI Act. He questioned whether member states facing serious budget crises will choose to invest in AI regulation over public services, noting that this, along with the difficulty of attracting skilled professionals, many of whom are drawn to better-paying roles in the tech industry, will pose a major hurdle to implementation.
Transformative Effects
While there is no doubt that building the capacity to regulate AI will not be plain sailing, the Act is already having a transformative effect on the private sector. The clock is ticking, and businesses that fail to adapt now will risk being left behind on both trust and compliance. Put simply, the ethical and legal implications of AI can no longer be an afterthought; companies must start addressing them head-on.
Overview of the EU AI Act
The EU AI Act, first entered into force on 1 August last year, and marked a turning point in the regulation of artificial intelligence. At its core, it set out a series of rules to promote the uptake of human-centric and trustworthy AI, while ensuring a high level of protection for health, safety, and the fundamental rights of individuals.
It established a risk-based framework that classifies AI systems into four categories: minimal, limited, high, and unacceptable risk, ensuring that the level of oversight corresponds to the potential impact of the technology on individuals and society.
The EU AI Act is scheduled to apply from 2 August 2026 as part of the Act’s staggered implementation process, with certain notable exceptions. This includes the prohibition on the use of unacceptable risk AI systems, which came into force on February 2, 2025, and this August, the next wave of regulations kicked in, which set out rules and obligations for GPAI models.
Penalties for Noncompliance
Unsurprisingly, the penalties for noncompliance are severe, with businesses facing fines of up to 35 million euros or 7% of global annual revenue.
For UK companies, in particular, adhering to these new regulations is a must. Not only do they have to meet them to avoid legal action, but failing to comply will also jeopardise their reputation and market access, shutting them out of the EU, one of the world’s most lucrative markets.
What Companies Can Do Now
Despite the level of regulatory uncertainty, waiting for enforcement clarity is risky. What companies in the private sector can do now is start understanding the risk level of their AI systems by conducting a comprehensive review. Additionally, they should update compliance programmes, ensuring that data governance, risk management, human oversight, auditing practices and other measures align with the EU AI Act’s mandates. Adopting ISO 42001 is also a smart move, as it offers a structured approach for businesses to navigate the ever-evolving legislative landscape.
For leading companies in AI-driven sectors like security, the EU AI Act offers an opportunity to reinforce commitments to responsible innovation. Businesses such as Axis Communications and Dahua Technology, both leaders in AI-powered security solutions, are actively preparing to align with the Act’s transparency and accountability requirements.
Axis Communications, for instance, has a strong foundation in privacy-by-design principles. Similarly, Dahua Technology has shown a growing focus on AI governance and cybersecurity, indicating readiness to adapt to the current regulatory environment and support the development of compliant video technologies.
Conclusion
Ultimately, those companies that prioritise compliance from the outset will be better positioned to navigate multiple markets, ensuring they maintain trust when the EU AI Act is fully enforced, particularly given that it will likely inspire similar legislation worldwide.
Indeed, as Zenner indicated, enforcement will bring challenges, but acting and adapting now will mean turning compliance into an opportunity for future growth, innovation, and resilience.
