12 November 2025

The EU’s Approach to AI Regulation in 2025: The Rule Stack, New 2025 Updates, and What Non-EU Businesses Must Do

By Yoel Molina, Esq., Owner and Operator of the Law Office of Yoel Molina, P.A.


Europe doesn’t have a single “AI law” mindset—it has a rule stack that combines the AI Act with data, platform, cybersecurity, and product-safety laws. Together they shape how models are built, deployed, labeled, and supported across the EU. Here’s a practical explainer—with 2025 updates—and a checklist you can use if you sell into the EU, use EU vendors, or process EU residents’ data.

The core pillars


AI Act (risk-based framework).
  • In force since Aug 1, 2024; staged application: prohibitions & AI-literacy since Feb 2, 2025; GPAI (general-purpose AI) obligations since Aug 2, 2025; most high-risk obligations apply Aug 2, 2026 (with embedded high-risk products allowed longer, to Aug 2, 2027). (Digital Strategy)
  • The Commission issued a GPAI Code of Practice (voluntary but Commission-backed) to help providers meet Articles 53–55 on transparency, copyright, safety, and security. (European Commission)
  • Draft GPAI guidelines clarify scope and obligations for model providers. (Digital Strategy)

GDPR (privacy) + DSA (platform risk) + Data Act (data sharing & cloud switching).
  • The Data Act became applicable Sept 12, 2025, unlocking user/business access to IoT/connected-device data and smoother cloud switching—key for AI training/finetuning data pipelines. (Digital Strategy)
  • The DSA imposes risk-management and transparency duties on platforms (especially VLOPs/VLOSEs), including research data access—relevant if your AI distributes content at scale. (Digital Strategy)

Cyber Resilience Act (CRA).
  • Horizontal cybersecurity for software and connected products; entered into force Dec 10, 2024 and applies Dec 11, 2027. AI-enabled products with digital elements must meet secure-by-design obligations and handle vulnerability management. (Digital Strategy)

Product liability refresh.
  • The new Product Liability Directive (PLD) broadens strict liability to digital/AI features; Member States must transpose by Dec 9, 2026 (application then). (European Parliament)
  • The separate AI Liability Directive proposal was withdrawn in Feb 2025; expect national tort rules + PLD to fill gaps. (Hunton Andrews Kurth)
 

What changed in 2025 (that you’ll actually feel)


  • GPAI obligations kicked in (Aug 2, 2025). Providers must deliver technical documentation, copyright-related disclosures, and—if “systemic risk” applies—robust safety/security measures. The GPAI Code of Practice offers a Commission-endorsed path to demonstrate compliance. (Digital Strategy)

  • Standards are accelerating. CEN/CENELEC fast-tracked delivery of priority AI Act harmonised standards in October 2025, a big step toward “presumption of conformity” for compliant products. (cencenelec.eu)

  • Data Act went live (Sept 12, 2025). Expect contract updates around data portability, B2B sharing, and cloud switching—these can materially affect AI training/finetune supply chains. (Digital Strategy)

How the EU model works in practice


  • Risk tiers drive obligations. “Unacceptable-risk” uses are banned; “high-risk” systems face conformity assessment, quality management, logging, transparency, and human oversight; GPAI has its own track. (Digital Strategy)

  • Harmonised standards (CEN/CENELEC) will be the fastest way to prove conformity once published—build your QMS and technical docs to those drafts early. (cencenelec.eu)

  • Horizontal laws still apply: GDPR governs personal-data processing; DSA governs platform risks; the Data Act reshapes access/portability; CRA injects product cybersecurity; PLD toughens defect liability for digital/AI features. (Digital Strategy)

If you’re a U.S. company, what do you need to do?


Selling AI products or models into the EU (or serving EU users):

  • Map your use case to AI Act risk tiers; if high-risk, plan for conformity assessment, logging, monitoring, and human-oversight controls. (Digital Strategy)
  • If you provide or integrate a GPAI model, prepare technical documentation, training-data summaries (copyright transparency), and risk-management files; consider signing onto the GPAI Code of Practice. (Digital Strategy)
  • Build toward harmonised standards—the October 2025 acceleration means drafts will harden quickly. (cencenelec.eu)

Running EU-resident data through AI:

  • Align with GDPR (lawful basis, DPIAs) and leverage Data Act rights (access/portability) in your contracts; plan for cloud switching and exit assistance to avoid lock-in. (Digital Strategy)

Shipping connected/AI-enabled products:

  • Start your CRA program now (SBOMs, vulnerability handling, secure development) so you’re ready by Dec 2027. (Digital Strategy)
  • Update product safety files for the new PLD exposure coming Dec 2026 (easier claimant proof, broader “defect” theories for software/AI). (European Parliament)

A concise compliance checklist (build it this quarter)


  • Assign owners: AI Compliance Lead + Privacy/Security Lead; define escalation to counsel.
  • Risk mapping: Classify each AI use (unacceptable/high/limited/minimal) and whether GPAI is in scope. (Digital Strategy)
  • Documentation pack: Risk management file, data governance, logging, evaluation reports, human-oversight SOPs; create a technical file for market surveillance. (Digital Strategy)
  • Copyright transparency: Prepare training-data summaries and output-level safeguards consistent with the GPAI Code of Practice. (Digital Strategy)
  • Standards watch: Track CEN/CENELEC deliverables; align testing/metrics to draft harmonised standards for presumption of conformity. (cencenelec.eu)
  • Contracts: Add AI-Act compliance warranties, no-training-on-customer-data clauses, incident notice SLAs, cloud-switching support (Data Act), and product-cyber terms (CRA). (Digital Strategy)
  • Post-market monitoring: Define KPIs, complaint handling, and corrective action timelines for high-risk uses. (Digital Strategy)
  • Liability posture: Update insurance and internal approval thresholds in light of the new PLD timeline; monitor Member State transposition. (European Parliament)

FAQs we hear from clients


Q: We don’t sell in the EU, but EU users can access our model. Are we in scope?
A: If you place a product on the EU market or provide a service to EU users, prepare for AI Act exposure. Consider geo-fencing or a staged EU launch while you build documentation. (Digital Strategy)

Q: Is the GPAI Code mandatory?
A: No—but it’s Commission-endorsed and designed to help you demonstrate compliance with the Aug 2025 GPAI duties (transparency, copyright, safety/security). (Digital Strategy)

Q: What happened to the AI-specific liability law?
A: The AI Liability Directive was withdrawn (Feb 2025). For now, expect the new PLD + national tort rules to drive litigation risk. (Hunton Andrews Kurth)

Contact Us


For legal help navigating EU-facing AI deployments—contracts and vendor terms, GDPR/Data Act strategy, AI Act documentation, and product-cyber obligations—contact Attorney Yoel Molina at admin@molawoffice.com, call (305) 548-5020 (Option 1), or message via WhatsApp at (305) 349-3637.