12 November 2025

The EU’s Approach to AI Regulation in 2025: The Rule Stack, New 2025 Updates, and What Non-EU Businesses Must Do

By Yoel Molina, Esq., Owner and Operator of the Law Office of Yoel Molina, P.A.

 

Europe doesn’t have a single “AI law” mindset—it has a rule stack that combines the AI Act with data, platform, cybersecurity, and product-safety laws. Together they shape how models are built, deployed, labeled, and supported across the EU. Here’s a practical explainer—with 2025 updates—and a checklist you can use if you sell into the EU, use EU vendors, or process EU residents’ data.
 

The core pillars

 

AI Act (risk-based framework).
  • In force since Aug 1, 2024; staged application: prohibitions & AI-literacy since Feb 2, 2025; GPAI (general-purpose AI) obligations since Aug 2, 2025; most high-risk obligations apply Aug 2, 2026 (with embedded high-risk products allowed longer, to Aug 2, 2027). ( Digital Strategy)
  • The Commission issued a GPAI Code of Practice (voluntary but Commission-backed) to help providers meet Articles 53–55 on transparency, copyright, safety, and security. ( European Commission)
  • Draft GPAI guidelines clarify scope and obligations for model providers. ( Digital Strategy)
 
GDPR (privacy) + DSA (platform risk) + Data Act (data sharing & cloud switching).
  • The Data Act became applicable Sept 12, 2025, unlocking user/business access to IoT/connected-device data and smoother cloud switching—key for AI training/finetuning data pipelines. ( Digital Strategy)
  • The DSA imposes risk-management and transparency duties on platforms (especially VLOPs/VLOSEs), including research data access—relevant if your AI distributes content at scale. ( Digital Strategy)
 
Cyber Resilience Act (CRA).
  • Horizontal cybersecurity for software and connected products; entered into force Dec 10, 2024 and applies Dec 11, 2027. AI-enabled products with digital elements must meet secure-by-design obligations and handle vulnerability management. ( Digital Strategy)
 
Product liability refresh.
  • The new Product Liability Directive (PLD) broadens strict liability to digital/AI features; Member States must transpose by Dec 9, 2026 (application then). ( European Parliament)
  • The separate AI Liability Directive proposal was withdrawn in Feb 2025; expect national tort rules + PLD to fill gaps. ( Hunton Andrews Kurth)
 

What changed in 2025 (that you’ll actually feel)

 

  • GPAI obligations kicked in (Aug 2, 2025). Providers must deliver technical documentation, copyright-related disclosures, and—if “systemic risk” applies—robust safety/security measures. The GPAI Code of Practice offers a Commission-endorsed path to demonstrate compliance. ( Digital Strategy)
 
  • Standards are accelerating. CEN/CENELEC fast-tracked delivery of priority AI Act harmonised standards in October 2025, a big step toward “presumption of conformity” for compliant products. ( cencenelec.eu)
 
  • Data Act went live (Sept 12, 2025). Expect contract updates around data portability, B2B sharing, and cloud switching—these can materially affect AI training/finetune supply chains. ( Digital Strategy)
 

How the EU model works in practice

 

  • Risk tiers drive obligations. “Unacceptable-risk” uses are banned; “high-risk” systems face conformity assessment, quality management, logging, transparency, human oversight; GPAI has its own track. ( Digital Strategy)
 
  • Harmonised standards (CEN/CENELEC) will be the fastest way to prove conformity once published—build your QMS and technical docs to those drafts early. ( cencenelec.eu)
 
  • Horizontal laws still apply: GDPR governs personal-data processing; DSA governs platform risks; the Data Act reshapes access/portability; CRA injects product cybersecurity; PLD toughens defect liability for digital/AI features. ( Digital Strategy)
 

If you’re a U.S. company, what do you need to do?

 

Selling AI products or models into the EU (or serving EU users):
 
  • Map your use case to AI Act risk tiers; if high-risk, plan for conformity assessment, logging, monitoring, and human-oversight controls. ( Digital Strategy)
  • If you provide or integrate a GPAI model, prepare technical documentation, training-data summaries (copyright transparency), and risk-management files; consider signing onto the GPAI Code of Practice. ( Digital Strategy)
  • Build toward harmonised standards—the October 2025 acceleration means drafts will harden quickly. ( cencenelec.eu)
 
Running EU-resident data through AI:
 
  • Align GDPR (lawful basis, DPIAs), and leverage Data Act rights (access/portability) in your contracts; plan for cloud switching and exit assistance to avoid lock-in. ( Digital Strategy)
 
Shipping connected/AI-enabled products:
 
  • Start your CRA program now (SBOMs, vulnerability handling, secure development) so you’re ready by Dec 2027. ( Digital Strategy)
  • Update product safety files for the new PLD exposure coming Dec 2026 (easier claimant proof, broader “defect” theories for software/AI). ( European Parliament)
 

A concise compliance checklist (build this this quarter)

 

  • Assign owners: AI Compliance Lead + Privacy/Security Lead; define escalation to counsel.
  • Risk mapping: Classify each AI use (unacceptable/high/limited/minimal) and whether GPAI is in scope. ( Digital Strategy)
  • Documentation pack: Risk management file, data governance, logging, evaluation reports, human-oversight SOPs; create a technical file for market surveillance. ( Digital Strategy)
  • Copyright transparency: Prepare training-data summaries and output-level safeguards consistent with the GPAI Code of Practice. ( Digital Strategy)
  • Standards watch: Track CEN/CENELEC deliverables; align testing/metrics to draft harmonised standards for presumption of conformity. ( cencenelec.eu)
  • Contracts: Add AI-Act compliance warranties, no-training-on-customer-data clauses, incident notice SLAs, cloud-switching support (Data Act), and product-cyber terms (CRA). ( Digital Strategy)
  • Post-market monitoring: Define KPIs, complaint handling, and corrective action timelines for high-risk uses. ( Digital Strategy)
  • Liability posture: Update insurance and internal approval thresholds in light of the new PLD timeline; monitor Member State transposition. ( European Parliament)
 

FAQs we hear from clients

 

Q: We don’t sell in the EU, but EU users can access our model. Are we in scope? If you place on the EU market or provide a service to EU users, prepare for AI Act exposure. Consider geo-fencing or a staged EU launch while you build documentation. ( Digital Strategy)
 
Q: Is the GPAI Code mandatory? No—but it’s Commission-endorsed and designed to help you demonstrate compliance for Aug 2025 GPAI duties (transparency, copyright, safety/security). ( Digital Strategy)
 
Q: What happened to the AI-specific liability law? The AI Liability Directive was withdrawn (Feb 2025). For now, expect the new PLD + national tort rules to drive litigation risk. ( Hunton Andrews Kurth)
 

Contact Us

 

For legal help navigating EU-facing AI deployments—contracts and vendor terms, GDPR/Data Act strategy, AI Act documentation, and product-cyber obligations—contact Attorney Yoel Molina at admin@molawoffice.com, call (305) 548-5020 (Option 1), or message via WhatsApp at (305) 349-3637.
 

 

305 - 548-5020

Option 1

THE LAW OFFICE OF

YOEL MOLINA, P.A.

BUSINESS ATTORNEY

Español

English

  1. en
  2. es

        2026 The Law Office of Yole Molina, P.A. All Rights Reserved.

 

        Attorney Advertising. Prior results do not guarantee a similar outcome.

 

For traffic ticket assistance, visit molinatrafficticket.com.