Responsible AI Platform

The AI Act has truly begun โ€“ what has happened since?

ยทยท7 min read
Delen:
Lees in het Nederlands

Published: 14 June 2025 โ€“ reading time ยฑ 10 minutes

When the EU AI Act appeared in the Official Journal on 1 August 2024, it still felt abstract. Eleven months later, that phase is over: the first prohibitions are already in effect, employees must demonstrably be AI-literate, and Brussels is flooded with consultations. In this blog, I walk you through the most important developments since the entry into force โ€“ practical, legal, and political. No rehash of the legal text; instead, a look at what happened after 1 August and why you need to know about it today.

1. February 2025: the first hard blow

2 February 2025 was the date when the AI Act bared its teeth. Two provisions took immediate effect:

  • Prohibited AI practices โ€“ everything falling under Article 5 (social credit systems, manipulative or exploitative AI, emotion AI in schools and workplaces, large-scale real-time biometrics) had to be removed from the market or shut down immediately.
  • AI literacy obligation โ€“ every organization that builds or uses AI must now be able to demonstrate that its staff possesses "sufficient AI knowledge." The Dutch Data Protection Authority (AP) published a dedicated page in early March with explanations, checklists, and training suggestions.

Anyone who assumed that fines (up to 7% of global annual turnover) would only become relevant in 2026 was mistaken: the sanction articles take effect this year (2 August 2025). Pay close attention โ€“ especially if there's still some selenium-like scoring algorithm running in the basement somewhere.

2. Brussels clarifies what "prohibited" actually means

The timing was tight: 4 February 2025 โ€“ two days after the prohibition articles came into force โ€“ the European Commission published draft guidelines on prohibited AI practices. The document is packed with practical examples ("this is allowed" vs. "this is not") and adds nuance to emotion recognition, for instance: merely analyzing facial expressions in the workplace already falls under the prohibition, but measuring customer satisfaction through surveys does not.

For now it remains a draft; stakeholders had six weeks to provide feedback. Expect a final version in Q3 that supervisory authorities will use as a framework. Since guidelines are non-binding, we will only have 100% certainty when the Court of Justice eventually rules on the matter, but they do provide much-needed direction right now.

3. Generative AI under the magnifying glass

Large language models and other General-Purpose AI models (GPAI) will face standalone obligations from 2 August 2025. To prevent misunderstandings, the newly established European AI Office launched a targeted consultation on 22 April 2025:

  • What exactly constitutes a GPAI model?
  • When are you considered a "provider" (including fine-tuning or downstream deployment)?
  • How do you publish a "summary of training data" without leaking trade secrets?

Over 250 parties โ€“ from open-source collectives to Big Tech โ€“ responded. In parallel, the AI Office is working on a Code of Practice that providers can voluntarily follow to demonstrate compliance. The timeline: process consultations over the summer, finalize GPAI guidelines and the code in autumn. Anyone deploying a model like GPT-5, Llama 4, or an industrial model should start thinking now about documentation, copyright claim handling, and risk assessments.

4. The Netherlands: supervisors warming up

4.1 AP + RDI: proposal for "hub-and-spoke" supervision

In June 2024, the AP and the National Digital Infrastructure Inspectorate (RDI) presented a position paper: let the AP act as the central market surveillance authority for prohibited AI and most high-risk systems, while sectoral supervisors (NVWA, IGJ, ILT) retain their existing product domains.

The final advisory (February 2025) reiterated this model and requested additional budget and AI experts. The Dutch government must formally decide before 2 August 2025.

4.2 Consultations on prohibited AI

Meanwhile, on the AP website: a series of "Input on forbidden AI systems" consultations. Organizations could share case studies and concerns about, for example, social credit algorithms and exploitation of vulnerable groups. The goal: gaining insight into practice so the AP can enforce effectively from day one.

4.3 AI literacy as a compliance driver

The AI knowledge obligation resonates โ€“ particularly among municipalities and healthcare institutions. The AP compiled FAQs, sample training modules, and a self-assessment. Tip for businesses: share your training documentation with your Data Protection Officer, giving you immediate evidence for the inspector.

5. The new EU governance structure

Since autumn, three layers have been positioning themselves:

  1. European AI Office โ€“ the central hub, drafting guidelines and overseeing GPAI compliance.
  2. European AI Board โ€“ a platform of national authorities ensuring consistent enforcement.
  3. National market surveillance authorities โ€“ must be officially designated by 2 August 2025 at the latest. The Netherlands is ahead of the curve, but in some Member States the discussion has only just begun.

The European Data Protection Board (EDPB) called on all Member States to give their privacy authorities a prominent AI supervision role, to logically coordinate with GDPR enforcement. So expect one complaints desk per country for citizens, and yet more Brussels meeting tables where AI inspectors converge.

6. Feasibility debate: pause or press on?

Not everyone is comfortable with the pace. In May and June, signals emerged that the European Commission is considering a "stop-the-clock" measure: pushing back certain deadlines (particularly the GPAI obligations) until technical standards are finalized and enough conformity assessment bodies are operational.

Poland in particular โ€“ Council President from July โ€“ is openly advocating for postponement. SME associations agree: without standards, providers don't know exactly how to demonstrate their risk management system. At the same time, NGOs warn that every month of delay postpones citizen protection. It promises to be a hot agenda item at the Telecom Council meeting in July 2025.

7. Views from beyond Europe

  • United States โ€“ No federal law yet, but states like California are watching closely. American Big Tech is increasingly building "EU-by-design" to avoid duplicate work.
  • United Kingdom โ€“ Sticking to principle-based, sector-specific supervision; using the AI Safety Summit to discuss cross-border risks of frontier AI.
  • G7/Council of Europe โ€“ The Hiroshima Declaration and the new Council of Europe treaty follow the same values framework; the AI Act serves as a template.

For European companies, this means the Brussels Effect is striking again: products that are compliant in the EU are generally acceptable elsewhere โ€“ but the reverse does not hold.

8. What organizations need to do right now

  1. Clean up your AI portfolio. Scan all applications: prohibited? high-risk? limited risk?
  2. Document AI literacy. Schedule training, record attendance and assessment results.
  3. Follow the consultations. The High-Risk AI deadline (18 July 2025) and the final GPAI code (autumn) will shape your roadmap.
  4. Review contracts. Suppliers delivering GPAI models after 2 August 2025 must comply with new disclosure obligations โ€“ put that in the SLA.
  5. Allocate budget. Conformity assessment is not a spreadsheet exercise; plan for external audits and (for high-risk) CE-style certification.

Conclusion

The EU AI Act is no longer a futuristic vision; it makes a daily difference on the work floor, in the development studio, and in the boardroom. Between now and 2 August 2025, the law will see a second wave: GPAI oversight, the sanctions regime, and the official designation of national inspectorates. Whether that date holds depends on the stop-the-clock debate โ€“ but waiting is not a wise strategy.

Organizations that have already been doing their homework over the past months are discovering that compliance is not merely a cost center. It delivers sharper governance, better datasets, and above all the confidence that your AI applications can withstand European scrutiny. And that โ€“ pause or not โ€“ is becoming the new normal.

Want to Learn More About AI Compliance?

Curious how your organization can prepare for the latest EU AI Act developments? At Embed AI, we help organizations with practical compliance strategies and AI literacy plans. Let us know โ€“ we'd be happy to think along with you!

Sources: European Commission โ€“ Guidelines prohibited AI (4 Feb 2025); Consultation GPAI (22 Apr 2025); Dutch DPA (AP) โ€“ AI literacy (Mar 2025); AP โ€“ Input prohibited AI (Apr 2025); DLA Piper โ€“ possible AI Act pause (Jun 2025); LinkedIn/MLex leak on "stop-the-clock" (Jun 2025).

๐Ÿ“š Deepen your knowledge: Check out the Complete EU AI Act Guide for a comprehensive overview of all aspects of the AI legislation.

On LearnWize:EU AI Act ComplianceTry it free

From risk classification to conformity assessment: learn it in 10 interactive modules.

Take the free AI challenge