0%

4. EU
Chapter menu

Policy
AI regulation
AI-related law and regulation
1 4月 2026 Insight
Reports and highlights

The EU has adopted the world’s first comprehensive AI-specific legal framework, the AI Act, which applies a risk-based approach calibrated to an AI system’s potential threat to health, safety and fundamental rights. This horizontal regime is supplemented by additional regimes for data protection, fair competition, civil liability and product safety, which provide additional safeguards ensuring safe AI use. The European Commission (EC) has been proactively exploring the application of competition law rules to the AI sector, recognising the importance of maintaining a competitive and fair market environment as technology and digital markets continue to evolve.

AI Strategy

The EU’s approach to artificial intelligence centres around the development of a risk-based regulatory framework that describes a 'European approach' to AI and various initiatives to promote Union development and deployment of artificial intelligence. Regulation remains a key pillar of this approach, though several indications of a shift towards a lighter regulatory touch have appeared in recent months.

Development of Regulation

In 2018, the European Commission announced its European AI Strategy centred around boosting AI capacity, preparing for socioeconomic changes and ensuring appropriate ethical and legal frameworks.

In 2021, the Commission then presented its 2021 AI package that included a proposal for a comprehensive risk-based regulatory framework on artificial intelligence which has since been adopted with certain provisions in force. However the Commission's 2025 Work Programme released in February 2025, proposes to simplify overlap between digital regulations, including the EU AI Act.

In line with the Work Programme, in September the Commission opened a call for evidence to collect input from stakeholders on how to simplify legislation in the Digital Omnibus, in particular on data, cybersecurity and artificial intelligence. According to the Apply AI Strategy, the EC intends to publish guidelines on this starting Q3 2026.

The EC is preparing a tech sovereignty package which is expected to be presented on April 15 and will include the new Cloud and AI Development Act, the revision of the European Chips Act (Chips Act 2.0), the EU’s open source strategy, and a strategic roadmap for digitalization and AI in energy that is set to include a new labelling scheme for data centres. The upcoming Data Centre Energy Package aims to make data centres climate-neutral by 2030 by setting performance indicators including energy and water efficiency, waste heat reuse and renewable energy consumption, to assess how much power consumption goes toward essential IT infrastructure.

Innovation and Adoption

In 2024, the Commission launched an AI innovation package that set out measures to support European startups and SMEs in the development of trustworthy AI. Similarly, in February 2025, the Commission announced its InvestAI initiative to mobilise EUR 200 billion investment into artificial intelligence including through establishing AI gigafactories. 

This was underscored in April 2025, when the Commission launched its AI Continent Action Plan, which proposed further measures to promote  an EU AI ecosystem that fosters innovation, including by facilitating data access for AI innovation, incentivising investment into supercomputing infrastructure and simplifying the compliance burdens imposed by the EU AI Act.

In October 2025, the EC launched the Apply AI Strategy aiming to enhance the competitiveness of strategic sectors and boost AI adoption and innovation. The framework identifies 10 key industry sectors, includes support measures to enable EU tech sovereignty, and the creation of a new governance system, the Apply AI Alliance, which brings together stakeholders to advise on policy actions.

In November 2025, EU Member States affirmed its commitment to digital sovereignty reinforcing autonomy and strategic control over digital infrastructure, data, and emerging technologies such as AI.

Helpful resources

The AI Act is the EU's horizontal regulatory framework that regulates AI systems and some AI models.  Broadly speaking, it adopts a functional "risk-based" approach, with the degree of regulatory intervention depending on the function of the AI - the use to which it is to be put. The regulatory obligations are imposed on providers (developers) and deployers (users) of AI systems and apply to operators located both within and outside the EU, so long as the output from the AI system is used in the EU.

The different regulatory categories under the AI Act are as follows:

  • Prohibited AI systems: AI systems that are considered to involve unacceptable risks to health, safety and fundamental rights are prohibited outright. This includes, for example, AI used for cognitive behavioural manipulation, inferring emotions in the workplace and education institutions, and social scoring. In February 2025, the Commission provided guidelines on prohibited AI practices as defined by the AI Act.
  • High-risk AI systems: AI systems that are considered to involve significant potential risks to health, safety and fundamental rights, including AI used in critical infrastructures, certain educational and vocational training applications, employment and workers management - and AI systems that are products or safety components in products which are already subject to third-party conformity assessment requirements under sectoral EU regulation. These are subject to the greatest degree of regulation under the AI Act, including requirements about datasets and data governance, documentation and record keeping, human oversight, robustness, accuracy and security, conformity assessment for demonstrating compliance.
  • Limited risk AI systems: AI systems that interact with people where it is not reasonably obvious that they would be interacting with an AI system, and AI systems that generate synthetic content or manipulate content (including deepfakes). These are generally only subject to transparency obligations and water-marking to ensure people are aware that an AI system is being used.
  • General purpose AI models (GPAI): foundation models such as OpenAI's GPT-4 are subject to varying degrees of regulation, depending on whether they are designated as being of "systemic risk". This depends, among other things, on the level of compute used to train the model. Systemic risk GPAI models are subject to material regulatory obligations in some ways akin to the high-risk category, while non-systemic risk GPAI models are subject to fewer obligations, focused more on transparency.
  • Minimal risk AI systems: this covers all other AI systems that are not subject to specific regulatory obligations under the AI Act.

The AI Act is a voluminous piece of legislation. However, the obligations are articulated for the most part in terms of results, rather than operational or technical detail. These specifics will be further set out in due course, including for:

  • High-risk AI obligations, where "harmonised standards" are to be adopted by the EU's standardisation bodies, CEN CENELEC. 
  • In September 2025, the EC launched a consultation on draft guidance and reporting template on serious high-risk AI incidents.
  • The GPAI Code of Practice was published on 10 July 2025 with guidelines clarifying obligations for GPAI providers and guidelines clarifying the scope of obligations. It was followed by a template for summarising training data for compliance with GPAI transparency obligations. The EC confirmed that signees can selectively adopt parts of the Code of Practice and foresee an enforcement grace period until 2 August 2026. 
  • In November 2025, the EC published a reporting template for serious incidents involving GPAI models with systemic risk. In December 2025, the EC initiated a stakeholder consultation on opt-out protocols for AI training under the Code of Practice. In February 2026, the AI Office established a Signatory Taskforce for the Code of Practice to support implementation of the Code and unite signatories. And, in March 2026, the Commission issued a revised second draft of the Code of practice addressing the marking and labelling of AI-generated content.
  • On 10 March 2025, the EC adopted an implementing act setting out the rules and procedures for establishing and operating the scientific panel of independent experts on AI, as envisaged by Article 68 of the AI Act. The panel is intended to support the AI Office and national authorities in their enforcement and implementation of the AI Act, including by offering technical advice and alerting the AI Office of risks posed by GPAI models. 
  • In March 2026, the European Parliament adopted a set of Recommendations aimed at protecting copyright protected creative works from their use by artificial intelligence systems. In particular, the European Parliament stated that: 
    • the use of copyrighted content by generative AI should be subject to fair remuneration mechanisms, in order to ensure adequate protection of the EU creative sector;
    • full transparency regarding the use of protected content by generative AI systems is essential;
    • a new licensing market for copyrighted material should be developed, including sector specific voluntary collective licensing agreements covering individual creators as well as small and medium sized enterprises.

The Parliament further urges the Commission i) to strengthen the protection of the press and news media sector, whose content is regularly exploited by AI systems and ii) to consider that content entirely generated by AI should not be eligible for copyright protection.

From 2 February 2025, all providers and deployers of AI systems have been obliged under the AI Act to ensure a sufficient level of AI literacy of their staff dealing with those AI systems.

On 20 February 2025, the AI Office held a webinar on AI literacy. The key message emphasised that there is no "one-size-fits-all" approach to ensuring AI literacy, and that companies are encouraged to tailor their programmes according to their specific needs.

On 7 May 2025, the EC published its Q&A document, providing further guidance on the compliance and enforcement of the AI literacy requirement. The document clarifies the expectations and obligations for companies in order to ensure that organisations understand how to effectively implement and adhere to AI literacy standards within their operations. 
 

Helpful resources

  • EU AI Office's living repository of AI literacy best practices.
  • A list of the AI Office's "AI Pact Events", which can help to clarify the application of the AI Act in practice.
  • The AI model contract clauses and guidance released in March 2025 for the public procurement of high-risk and non-high-risk AI, aligned with the requirements in the Act.
  • EC introduces whistleblowing platform for AI Act compliance.

While the AI Act was adopted in mid-2024, it will be implemented incrementally over the next few years, with the following key start-dates:

  • 2 February 2025 – ban of prohibited AI systems and AI literacy requirements
  • 2 August 2025 – GPAI obligations

  • 2 August 2026 – most of the remaining obligations, including for the specific standalone high-risk AI categories (subject to the outcome of the EC's November 2025 Digital Omnibus proposals)  and the obligations for the limited risk AI categories

2 August 2027 – obligations in relation to high-risk AI systems that are products or safety components in products already subject to third-party conformity assessment requirements under sectoral EU regulation

Read our key takeaways on the AI Act here.

In November 2025, the EC released its Digital Omnibus proposals on simplification for AI rules. Key AI Act proposals include:

  • Linking (and likely delays) the implementation timeline for high-risk obligation to standards and tool development.
  • Removing the mandatory AI literacy requirements for providers and deployers in favour of an obligation on the EC and member states to foster AI literacy.
  • Centralising oversight of AI systems built on GPAI models to the AI Office.
  • Reducing the registration burden for providers of AI systems used in high-risk areas but for which the provider has concludes they are only used for narrow or procedural tasks.
  • Offering greater flexibility in post-market monitoring by removing the prescription of a harmonised post-market monitoring plan
  • Allowing providers and deployers of AI systems and models to process categories of personal data in order to address bias detection and correction.
  • Extending regulatory simplification to smaller enterprises.

The European Council and the European Parliament have adopted their formal positions in relation to the proposed AI Digital Omnibus with both institutions aligned on the delay to high-risk requirements with a date of application 2 December 2027 rather than 2 August 2026.The Council has maintained its proposed six-month delay for watermarking requirements for generative AI placed on the marker before 2 August 2026, the European Parliament has proposed that it be cut to three-months. The Council has also maintained its proposal for removal of the AI literacy requirements, whereas the European Parliament has restated the obligation to "support the improvement of AI literacy."

From consumer protection law to online safety, AI continues to stretch existing legal frameworks. See the latest updates below.

The European General Data Protection Regulation (GDPR) is the EU's framework governing the collection and processing of personal data in the EU. AI systems – whether deployed by an AI provider within or outside of the EU – must comply with the requirements set out in the GDPR if they fall within the scope of the scope of the legislation when collecting and processing the personal data of individuals.

The GDPR grants individuals several important rights, including rights of access, to be forgotten, to object, to rectification, to restrict processing, to data portability, and not to be subject to decisions based solely on automated processing. These ensure that data subjects have control and transparency over how their personal data is used.

The European Data Protection Board (EDPB) helps to ensure that the GDPR is applied consistently between Member States' Data Protection Authorities and facilitates cooperation in enforcement.

  • On 17 July 2024, the EDPB issued a statement calling on Member States to designate Data Protection Authorities as Market Surveillance Authorities under Europe's AI Act, with a deadline of 2 August 2025.

  • In 2024, the EDPB formed a task force to investigate data processing by OpenAI’s ChatGPT and, on 12 February 2025, expanded its scope to include the Chinese AI platform DeepSeek. A quick response team is being set up to guide and coordinate enforcement actions across different Data Protection Authorities whenever concerns arise related to AI data processing.

  • In May 2025, the data privacy non-profit NOYB sent Meta a cease and desist over its plans to train AI systems with EU personal data and its reliance on an opt-out rather than opt-in mechanism, which NOYB argues breaches the GDPR.

The European Data Protection Supervisor (EDPS), established under the GDPR, is responsible for monitoring how institutions and bodies subject to the GDPR process personal data. 

Within the scope of the AI Act, the EDPS will serve as the competent authority, supervising institutions and bodies subject to the GDPR to ensure their AI activities align with data protection principles and rules.

In November 2025, the EC released its Data Union Strategy on unlocking data for AI which focused on three priority areas: scaling up access to data for AI, streamlining data rules and strengthening the EU's global position on international data flows.

  • On 1 March 2024, the European Patent Office implemented updated "Guidelines for Examination" that introduce stricter disclosure requirements of sufficiency for AI-related inventions. The guidelines emphasise that AI models must be described in sufficient detail to enable a skilled person to reproduce the claimed invention's technical effect without undue burden. While there is no obligation to disclose the specific training dataset itself, its characteristics must be adequately described if they are necessary to achieve the claimed technical effect. Effective 1 April 2025, the updated Guidelines for Examination introduce a refined definition of patentable artificial intelligence (AI) and machine learning. The reference to the specific purpose of the algorithm has been removed. The updated text emphasizes examples of AI-related algorithms and clarifies that, to be patentable, such algorithms must contribute to the technical character of the invention. The European Council and the European Parliament have adopted their formal positions in relation to the proposed AI Digital Omnibus with both institutions aligned on the delay to high-risk requirements with a date of application 2 December 2027 rather than 2 August 2026.The Council has maintained its proposed six-month delay for watermarking requirements for generative AI placed on the marker before 2 August 2026, the European Parliament has proposed that it be cut to three-months. The Council has also maintained its proposal for removal of the AI literacy requirements, whereas the European Parliament has restated the obligation to "support the improvement of AI literacy."
  • As of 1 July 2024, the European Union Intellectual Property Office (EUIPO) established an "Executive Advisory Committee" focused on AI, inclusivity, and sustainability. In alignment with the AI Act, the EUIPO is expected to issue specific guidelines addressing the implications of AI on intellectual property, which aim to ensure compliance with EU copyright laws by requiring AI companies to establish policies that respect intellectual property rights - including mechanisms for rights holders to opt out of text and data mining. On 12 May 2025, the EUIPO released a comprehensive study "to deepen the general understanding of GenAI's technical functioning, as well as existing and developing solutions underlying the application of EU rules on copyright and Artificial Intelligence".
  • On 3 April 2025, the Budapest District Court referred the case, Like Company v Google C-250/25, to the Court of Justice of the European Union (CJEU). The Court sought clarity on whether an LLM based chatbot’s display or reproduction of press content infringes EU copyright under the DSM and InfoSoc Directives, including the applicability of the text and data mining exception.
  • The European Commission is developing a Code of Practice on Transparency of AI-Generated Content to support compliance with transparency obligations under Article 50 of the EU AI Act. It aims to ensure clear labelling of AI-generated and manipulated content, including deepfakes, in order to prevent misinformation and strengthen public trust. The Second Draft was released in March 2026 and will remain open to stakeholder consultation until 30 March 2026. It is structured into two main sections:
    1. Section 1 concerns providers of generative AI systems and focuses on requirements related to machine‑readable identification and the detection of AI‑generated or manipulated content;
    2. Section 2 is addressed to deployers and establishes obligations to ensure that deepfakes and certain AI‑generated texts intended to inform the public are clearly and recognisably labelled.
  • In GEMA v OpenAI (42 O 14139/24, 11 November 2025), the Munich Regional Court found that ChatGPT’s “memorisation” of training data and reproduction of song lyrics constitutes copyright infringement. The case was brought by GEMA, the German collecting society representing the rights of composers, lyricists and music publishers. The Munich Regional Court held that the "memorisation" of training data and reproduction of song lyrics in ChatGPT outputs infringe copyright, and that such actions do not fall within the "test and data mining" exception under section 44b of the German Copyright Act, which implements Article 4 of the DSM Directive. 

Helpful resources

  • European Copyright Society opinion on the challenges that generative AI poses to copyright law and the AI Act, published in February 2025.
  • In 25 February 2026, the European Parliament released the Report on copyright and generative artificial intelligence – opportunities and challenges, supporting a collective licensing framework to ensure lawful access to high-quality training data while safeguarding effective enforcement in the EU. Parliament is expected to vote on the report during March.
  • In March 2026, the European Parliament adopted a set of Recommendations to protect copyrighted creative work from use by AI, saying that:
    1. the use of copyrighted content by generative AI should be subject to fair remuneration mechanisms in order to ensure adequate protection of the EU creative sector;

    2. full transparency regarding the use of protected content by generative AI systems is essential;

      a new licensing market for copyrighted material should be developed, including sector‑specific voluntary collective licensing schemes covering individual creators as well as small and medium‑sized enterprises.The Parliament further urges the Commission i) to strengthen the protection of the press and news media sector, whose content is regularly exploited by AI systems and ii) to consider that content entirely generated by AI should not be eligible for copyright protection.

Competition

Technology and digital markets continue to be a strategic focus for the European Commission, which has reiterated its commitment to ensuring that these markets remain competitive and contestable. The Commission is using a range of tools, including antitrust enforcement, merger control, and the Digital Markets Act (DMA), to achieve this.

  • Vertical agreements: The Commission is closely monitoring agreements between Original Equipment Manufacturers and AI developers concerning the pre-installation of AI models on mobile devices, as arrangements could hinder access for competing foundation models.
  • Mergers and acquisitions. The Commission has examined transactions that do not meet the EU’s usual merger control thresholds but may still warrant review under Article 22 of the EU Merger Regulation. It has also scrutinised investments and partnerships between large digital companies and generative AI developers:
    • Microsoft/OpenAI. Although the Commission assessed whether Microsoft’s investment and subsequent events at OpenAI could be reviewed under the EU Merger Regulation, it concluded that Microsoft had not acquired lasting control and did not proceed with a formal merger review. Nonetheless, antitrust concerns, particularly around exclusivity arrangements, remain under consideration.
    • Microsoft/Inflection. Unlike in Microsoft/OpenAI, the Commission considered that that Microsoft’s acquisition of Inflection constituted a "concentration" under the EUMR, as it involved the transfer of all assets necessary for market participation in generative AI foundation models and chatbots. However, following the General Court’s judgment in Illumina/Grail, seven Member States withdrew their Article 22 referral, and the investigation did not proceed further.
    • NVIDIA / Run:ai. In December 2024, the Commission cleared NVIDIA’s acquisition of Run:ai, despite the transaction not meeting EU notification thresholds. The Italian Competition Authority had called in the deal and referred it to Brussels. Although NVIDIA is reportedly challenging the Commission’s jurisdiction, this case may set important precedent on AI-sector transactions.
  • Algorithmic collusion. The Commission’s revised Guidelines on Horizontal Cooperation Agreements highlight two key principles for pricing algorithms: (1) if offline pricing practices are unlawful, they are likely unlawful online too; and (2) firms remain responsible for algorithm-driven pricing in the same way they are liable for employees or consultants.
  • Digital Markets Act (DMA): While AI is not explicitly listed as a core platform service, the Commission clarified that the DMA applies to AI when embedded within designated services like search engines or social networks. EVP Margrethe Vestager emphasised this during the June 2024 workshop on "Competition in Virtual Worlds and Generative AI". In January 2025, the European Parliament raised concerns over the absence of cloud providers designated under the DMA, which it sees as critical for AI development, and the French Government called for an expansion of the DMA to cover the full AI value chain.
  • In December 2025, the Commission opened an antitrust investigation into Meta's revised policy restricting third-party AI providers' ability to offer services through WhatsApp Business Solution. The EC claims that this policy could be in breach OF Article 102 of TFEU and Article 54 of the EEA Agreement. Similarly, the EC in December also opened a formal antitrust investigation to determine whether Google has breached competition rules by using the content of web publishers on YouTube for AI purposes without appropriate compensation and opt-outs.

Consumer protection

The EU has introduced new consumer protection measures addressing AI-related risks:

  • Revised Product Liability Directive: This Directive imposes strict liability for defective products causing death, personal injury, or property damage. It covers AI systems, whether standalone or integrated into other products (e.g., self-driving cars). It introduces rebuttable presumptions to support claimants facing technical complexity and new evidence disclosure rules. The Directive entered into force on 8 December 2024, with Member States required to transpose it by 9 December 2026.
  • General Product Safety Regulation: This Regulation, in force since 12 June 2023 (applicable from 13 December 2024), introduces a modernised framework for consumer product safety. The Commission’s November 2024 Q&A confirmed that it applies to "all types of products, including software", thereby capturing AI systems within its scope.

While the EC had initially proposed to facilitate claims related to AI systems under fault-based regimes under the proposed AI Liability Directive (particularly regarding disclosure of evidence and causation presumptions), this proposal was withdrawn by the Commission in February 2025 after legislative deadlock. The Commission indicated that future proposals may be considered.

Helpful resources

  • EC and US Department of Justice and Federal Trade Commission joint statement on "Competition in Generative AI Foundation Models and AI Products"
  • EC policy brief on "Competition in Generative AI and Virtual Worlds"
  • Speech by EVP Margrethe Vestager at the EC workshop on "Competition in Virtual Worlds and Generative AI" in June 2024.

Key contacts

Kyriakos Fountoukakos photo

Kyriakos Fountoukakos

Managing Partner, Competition/Antitrust, Regulation and Trade, Brussels

View profile
Dr Morris Schonberg photo

Dr Morris Schonberg

Partner, Brussels and London

View profile
Giulia Maienza photo

Giulia Maienza

Senior Associate (Italy), London

View profile
Duc Tran photo

Duc Tran

Of Counsel, London

View profile
Miriam Everett photo

Miriam Everett

Partner, London

View profile
Pietro Pouché photo

Pietro Pouché

Partner, Milan

View profile

Featured insights

AI in the Boardroom: A Governance Framework for harnessing the power of AI
Article

AI in the Boardroom: 
A Governance Framework for harnessing the power of AI

Most Boards are now grappling with AI as a matter of enterprise risk and strategy. AI poses risks and opportunities that will differ between company and industry, all of which require understanding and engagement from the Board.

Anthropic’s 'Supply Chain' designation: Business risk and practical precautions for AI companies

Lessons in equity from HSF Kramer's AI & DEI forum

Same ‘prompt,’ different responses: Anthropic supply chain risk designation stands in D.C. Circuit, for now, splitting from California district court

Legal Notice

The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.

© Herbert Smith Freehills Kramer 2026

Stay in the know

We’ll send you the latest insights and briefings tailored to your needs

Subscribe now
Sydney Perth Brisbane Melbourne Technology, media and entertainment, and telecommunications Emerging technology Artificial intelligence Technology Artificial Intelligence Tech Regulation Digital Transformation Emerging Technologies AI and Emerging Technologies Kyriakos Fountoukakos Dr Morris Schonberg Giulia Maienza Duc Tran Miriam Everett Pietro Pouché