A New Rulebook Written in Brussels

The EU AI Act did not arrive without warning. Years in the making, it was formally adopted on May 21, 2024, establishing what the European Commission describes as "the first-ever legal framework on AI" designed to address the risks of the technology while positioning Europe to play a leading role globally ². The law is structured around a risk-based hierarchy — a tiered classification system that sorts AI applications into four distinct categories: unacceptable risk, high risk, limited risk, and minimal risk ¹.

At the top of that hierarchy sits a hard prohibition. AI systems deemed to pose an unacceptable risk to society — think social scoring by governments, real-time biometric surveillance in public spaces, and AI that manipulates human behavior through subliminal techniques — are banned outright ²⁰. These are not soft guidelines. They are enforceable prohibitions backed by fines that can reach up to 35 million euros or seven percent of global annual turnover, whichever is higher ³.

The high-risk category is where most corporate anxiety lives. AI systems used in critical infrastructure, employment screening, educational assessment, credit scoring, law enforcement, and medical devices all fall under this designation ⁵. Companies deploying these systems must conduct rigorous conformity assessments, maintain detailed technical documentation, implement human oversight mechanisms, and register their systems in an EU-wide public database ⁶. The compliance burden is substantial — and it is not limited to European companies.

This is the element that catches many foreign executives off guard. The Act applies to any organization placing an AI product in the EU market, regardless of where that organization is headquartered ⁵. A startup in Austin developing an AI-powered hiring tool, a fintech firm in Tokyo running an automated credit system, a healthcare company in São Paulo deploying diagnostic AI — if their technology touches European consumers or markets, they fall under the Act's jurisdiction. Baker McKenzie, one of the world's largest law firms, has warned that the legislation "will lead to significant changes to the way in which companies develop, market and use smart digital technologies" globally ⁶.

---

"The EU AI Act is not merely a European compliance headache — it is a geopolitical instrument, a market force, and possibly the most consequential piece of technology legislation since the internet itself."

The Compliance Clock Is Ticking — Loudly

The EU AI Act does not drop its full weight at once. It operates on a phased timeline designed — charitably — to give industry time to adapt. The provisions banning unacceptable-risk AI systems took effect in February 2025 ¹⁰. Rules governing general-purpose AI models, including the powerful large language models powering today's chatbot revolution, came into force in August 2025 ¹⁴. The most consequential deadline for most businesses arrives on August 2, 2026, when transparency requirements and rules for the majority of high-risk AI systems become fully enforceable ³.

That August 2026 deadline has become a focal point of corporate legal departments worldwide. According to analysis by Wilson Sonsini Goodrich & Rosati, companies must by that date comply with specific transparency requirements and rules for certain types of high-risk AI systems — and those that fail to do so face not just financial penalties but potential market exclusion [from source 16]. A further tranche of obligations, covering additional high-risk AI categories, follows on August 2, 2027, ensuring that the compliance marathon extends well into the decade ³.

For general-purpose AI providers — the Googles, OpenAIs, and Anthropics of the world — the requirements are particularly novel. The Act introduces a tiered classification for these so-called GPAI models, with heightened obligations for those deemed to carry "systemic risk" based on the computational power used to train them ¹. The threshold currently sits at ten to the power of 25 floating-point operations, a figure that effectively captures only the most powerful frontier models. These providers must conduct adversarial testing, report serious incidents to the European AI Office, and maintain cybersecurity protections — obligations with no real precedent in any prior technology law ¹².

The European AI Office, established within the European Commission, acts as the central enforcement body for GPAI providers and coordinates oversight across member states ². Its creation signals something important: Europe is not just writing rules, it is building the institutional infrastructure to enforce them. That is a meaningful distinction from jurisdictions that have published voluntary guidelines and called it a day.

---

"Companies building global products cannot easily maintain two separate versions of their AI systems; the costs of bifurcation typically exceed the costs of simply building to the stricter standard from the start."

The Brussels Effect — and Its Discontents

History offers a useful lens here. When Europe enacted the General Data Protection Regulation in 2018, skeptics predicted it would be ignored by non-European companies, circumvented by clever legal structuring, or quietly gutted by enforcement inaction. Instead, the GDPR triggered a global wave of privacy legislation from California to Brazil to Japan — a phenomenon scholars at the Carnegie Endowment for International Peace and elsewhere have called the "Brussels Effect" ⁹. The EU AI Act is widely expected to generate a similar gravitational pull.

The logic is straightforward. Companies building global products cannot easily maintain two separate versions of their AI systems — one for the European market and one for everywhere else. The compliance costs of bifurcation typically exceed the costs of simply building to the stricter standard from the start ¹⁹. As a result, the EU's risk classifications, documentation requirements, and human oversight mandates are already influencing product design decisions in California, Seoul, and Bangalore — cities where the Act has no direct legal authority whatsoever ⁵.

Yet the Brussels Effect is not without its critics — and some of them are European. A growing chorus of voices within the EU itself has raised alarms about the Act's potential to stifle innovation at a moment when the United States and China are racing ahead in AI development with far fewer regulatory constraints ⁹. The Carnegie Endowment's analysis of the EU's AI power play notes the tension between deregulation pressures and the bloc's stated commitment to human-centric AI governance ⁹. Several European AI startups have publicly complained that compliance costs disproportionately burden smaller players, effectively entrenching the dominance of large American and Chinese technology corporations who can absorb the overhead ⁷.

There is also a philosophical paradox at the heart of the legislation. As scholars writing in a 2025 peer-reviewed analysis in ScienceDirect observed, the Act simultaneously seeks to promote AI innovation and protect fundamental rights — two goals that are not always compatible ⁷. The risk-based framework assumes that regulators can accurately predict which AI applications are dangerous before those applications are widely deployed. In a field evolving as rapidly as artificial intelligence, that assumption is, at minimum, ambitious.

---

"The era of AI operating in a regulatory vacuum is over. The EU AI Act has made certain of that — and the world is watching Brussels to see what comes next."

A Template for the World — or a Warning?

The global regulatory landscape that the EU AI Act enters is fragmented, contested, and moving fast. The United Kingdom has pursued a sector-specific, principles-based approach through its existing regulators rather than enacting a single AI statute ⁴. The United States, under successive administrations, has oscillated between voluntary frameworks, executive orders, and the perpetual promise of comprehensive federal legislation that never quite materializes ⁴. China has taken a targeted approach, regulating specific AI applications — generative AI, recommendation algorithms, deepfakes — through a series of focused rules rather than a single omnibus law ⁴.

Against this backdrop, the EU AI Act stands out not just for its ambition but for its specificity. It names prohibited practices. It defines "high risk" with granular precision. It creates enforcement bodies with real authority. For jurisdictions watching from the outside, it offers something rare in technology policy: a detailed legislative template that can be adapted, adopted, or argued against ²². The Georgetown University Center for Security and Emerging Technology has noted that the finalized Act carries significant implications for how other major economies structure their own AI governance frameworks ²².

Whether those economies follow Europe's lead or deliberately chart a different course will shape the next decade of AI development. Some nations, particularly in the Global South, are actively studying the Act as a model for their own nascent regulatory efforts ²⁶. Others, particularly those competing directly with European technology markets, may use the Act's strictures as a competitive argument — positioning their own lighter-touch regimes as more hospitable to AI investment and innovation.

What is beyond dispute is that the era of AI operating in a regulatory vacuum is over. The EU AI Act has made certain of that. Companies that treat compliance as a box-ticking exercise rather than a strategic imperative do so at their own peril. Those that engage seriously with its requirements — building explainability, human oversight, and risk documentation into their systems from the ground up — may find themselves better positioned not just for European regulators, but for the global governance frameworks that are inevitably coming.

The world is watching Brussels. And Brussels, for once, is watching back.

---