When the European Union unveiled its Artificial Intelligence Act (AI Act), it made global headlines: a sweeping, first-of-its-kind law designed to regulate AI not just for innovation, but for safety, ethics, and fundamental rights. As the EU begins to roll it out, several rules stand out as potential game-changers for how AI is built, used, and governed. Here are five key rules under the new regulation that could reshape the future of technology.
Unacceptable AI Practices Are Flat-Out Banned
One of the boldest moves in the EU AI Act is its categorical ban on certain “unacceptable risk” AI systems. According to the law, AI that manipulates people’s behavior, scores individuals socially, or uses real-time facial recognition in public places for surveillance is now prohibited.
In practical terms, this means no more creepy systems that try to influence you subliminally, profile you to decide your future, or scan public crowds without limits. The ban reflects a moral and legal red line: some applications of AI just should not exist.
This rule came into force early: as of 2 February 2025, regulators can act against tools that violate these prohibitions. By outlawing the riskiest AI practices, the EU is drawing a firm boundary. It is not just about regulating; it is about preventing the most dangerous uses of AI altogether.
High-Risk AI Systems Face Heavy Oversight
Not all AI is banned, in-fact, it is far from it. The AI Act introduces a risk-based approach, and “high-risk” AI systems are subject to strict rules.
What qualifies as high-risk? These are AI systems that could seriously impact people’s safety or fundamental rights: think AI in healthcare, employment (like hiring tools), law enforcement, credit scoring, migration, education, critical infrastructure, and more.
If a system is labeled high-risk, providers must:
- Run a robust risk management system.
- Ensure data quality to avoid bias.
- Keep detailed technical documentation: how the model was trained, how it behaves, and more.
- Make sure there is human oversight. Humans should be able to step in, not just let the AI decide everything.
- Provide transparency: users may need to know that a system is “high-risk” and how it might affect them.
This is not a lightweight regulation. High-risk AI is being treated like a serious responsibility. For developers and companies, it means more work; for citizens, it means more protection.
Transparency for General-Purpose AI (GPAI) Models (Limited Risk)
As of 2 August 2025, obligations for providers of general-purpose AI (GPAI) models kick in. These are large, flexible models that can perform many tasks (like large language models).
Here is what those providers must do:
- Prepare technical documentation for their models.
- Develop and publish a copyright policy ensuring training data respects intellectual property.
- Publish a summary of the data used to train their models, not necessarily every dataset, but enough so users and regulators can understand where the data came from.
- If a GPAI model is especially powerful (what the act calls “systemic risk”), providers must also conduct risk assessments, report incidents, and put strong cybersecurity protections in place.
To help with that, the EU has introduced a Code of Practice (voluntary for now) that companies can sign to prove they are aligning with good practices on transparency, copyright, and safety. .
Delays for High-Risk Rules: A Strategic Easing
Originally, many of the AI Act’s high-risk rules were set to apply by August 2026, but emerging industry pressure has forced a rethink. In a regulatory package dubbed the “Digital Omnibus,” the European Commission proposed delaying some high-risk provisions until December 2027.
Some of the domains affected by this delay include:
- Biometric identification (like facial recognition)
- Credit scoring / financial AI
- Hiring and job-application AI tools
- Law enforcement use of AI
This is not just about pushing deadlines: the package also suggests simplifying other rules, for instance, how consent works under GDPR and cookie popups.
The delay signals a tug-of-war between regulators and Big Tech. While the EU still wants strong rules, it seems wary of stifling innovation or making compliance too burdensome too soon.
Looser Data Rules? Big Tech Could Train on More Personal Data
Perhaps the most controversial piece: leaked internal documents suggest the European Commission is eyeing significant changes to GDPR, to make it easier for companies to use Europeans’ personal data to train AI systems. Key proposals reportedly include:
- Narrowing the legal definition of “personal data,” meaning less data might fall under GDPR’s toughest protections.
- Allowing the use of personal data for AI training under a so-called “legitimate interest” basis, without needing explicit consent in some cases.
- Making it easier to track and access personal devices through cookies or less user consent.
Critics, including privacy advocates, warn that this could erode fundamental privacy rights, benefiting Big Tech more than ordinary people. This could reshape how data protection works in Europe. By relaxing certain GDPR constraints, the EU might be trading strong privacy safeguards in favor of AI innovation. The long-term impact could redefine who really controls customer data and how.
What This Means for the Tech World & Beyond
Taken together, these five rules reflect a balancing act. The EU is trying to strike a careful equilibrium:
- Protect citizens’ rights and safety by banning the most dangerous AI, regulating high-risk systems, and demanding transparency.
- Support innovation by offering a voluntary compliance code, delaying some burdensome rules, and easing data usage constraints.
- Set a global standard because AI firms anywhere, not just in Europe, will feel the ripple effects if their products reach the EU.
For tech companies, the message is clear: AI is no longer a Wild West. If you want to operate in or serve the EU market, you will need to think deeply about ethics, data practices, and risk management, not just features.
For users, it may feel like a win: stronger guardrails around AI that could threaten privacy or fairness. But the debate is not over. The Digital Omnibus, GDPR rewrites, and how strictly these rules are enforced will shape how powerful AI becomes and who ultimately benefits from it.
