• The Advantage
  • Posts
  • EU AI Act Goes Live: What Legal Leaders Must Do Now

EU AI Act Goes Live: What Legal Leaders Must Do Now

A practical guide for legal and business leaders to navigate the world’s first comprehensive AI law.

Author

Nishant Bhaskar
August 22, 2025 • Estimated Reading Time: 5 minutes

AI governance has moved from strategic concern to regulatory reality.

The EU AI Act, the world’s first comprehensive legal framework for artificial intelligence, is now in force.

As of August 2, 2025, the EU AI Office is operational and new obligations for General Purpose AI (GPAI) models apply. For companies serving the EU, the question from your CEO or board—“Are we compliant?”—isn’t theoretical anymore.

This edition of The Advantage breaks down what’s changed, what’s next, and how legal and legal ops teams can move from compliance scramble to strategic leadership.

🟦 What’s Now in Force: From Theory to Reality

The EU AI Act entered into force last year (Aug 1, 2024). But August 2, 2025, marks the biggest milestone yet. Here’s what’s live:

  • Prohibited Practices: Social scoring, manipulative AI, and mass facial scraping are now outright banned. Liability applies to both providers and deployers, including companies using unvetted third-party tools (“shadow AI”).

  • Transparency Rules: AI systems that interact with humans, use biometrics, or generate synthetic content must disclose it clearly. Deepfakes and public-facing AI-generated content require explicit labeling.

  • GPAI Obligations: New models placed on the EU market must include documentation, transparency reports, and copyright-compliant data disclosures.

And critically, the EU AI Office is now fully operational and coordinating with national regulators. The era of AI supervision has begun.

🟦 What’s Still on the Horizon: A Phased Timeline

The Act’s rollout is staged, but waiting until deadlines hit is a recipe for last-minute chaos.

  • Feb 2025 → Bans on unacceptable risk AI and mandatory AI literacy training.

  • Aug 2025 → GPAI obligations and EU AI Office established.

  • Aug 2026 → Full rules for high-risk AI systems (employment, biometrics, healthcare, education, public services).

  • Aug 2027 → Final compliance deadline for legacy GPAI and high-risk systems already on the market.

👉 Translation: You have 12 months to prepare for high-risk system rules and 24 months to remediate legacy models. Treat this as a roadmap, not breathing room.

🟦 GPAI Rules: Why They Matter to You

If your business develops, integrates, or procures large AI models, you’re already in scope. Obligations now include:

  • Documentation: Technical details on design, training, and testing.

  • Transparency Reports: Clear summaries of capabilities, limitations, and risks.

  • Training Data Summaries: Provenance, copyright safeguards, and bias checks.

  • Systemic Risk Assessments: For models exceeding 10^25 FLOPs (a measure of extreme computing power).

💡 Action point: Update procurement playbooks. Ensure vendors—not just your team—carry compliance responsibility in contracts.

🟦 Enforcement & Oversight: Real Teeth

The enforcement ecosystem mirrors GDPR, combining central and local oversight:

  • EU AI Office: Oversees GPAI and coordinates across the EU.

  • National Regulators: Handle day-to-day enforcement and audits.

Penalties are steep:

  • Up to €35M / 7% of global turnover for banned practices.

  • Up to €15M / 3% for GPAI violations.

  • Up to €7.5M / 1% for false information.

Expect regulators to start with guidance and cooperation, but don’t mistake that for leniency. Early cases will set precedent, just like GDPR.

🟦 Where the AI Act Meets GDPR

The Act doesn’t replace GDPR; it builds on it. That means:

  • Dual exposure: Fines under both regimes if systems mishandle data.

  • Shared obligations: Documentation, DPIAs, consent management, and individual rights apply under both.

  • Data quality standards: AI Act requires datasets to be representative, unbiased, and complete, echoing GDPR’s fairness principles.

The opportunity? Build one unified governance framework that satisfies both. Legal Ops is well-positioned to lead this integration.

  • Map your AI landscape
    Inventory all AI tools, systems, and vendor relationships, including "shadow AI" used by employees, to understand your full risk exposure.

  • Audit vendor contracts
    Update terms to allocate liability and require GPAI providers to prove they meet their new documentation and transparency obligations.

  • Build an AI governance playbook
    Define clear policies, roles, and processes for risk assessment and incident response. Formalize an AI governance committee.

  • Engage cross-functional teams
    Unite legal, data protection, IT, and business leaders under a single framework to embed compliance into operations.

  • Train your people
    Implement AI literacy programs for all stakeholders. This is a mandatory step to reduce compliance blind spots and foster responsible AI use.

🟦 Closing

The EU AI Act is no longer a future concern. It’s here. Enforcement has begun, and regulators have teeth.

The risk is real, but so is the opportunity. Legal teams that act early will not just comply; they’ll lead. By embedding AI governance into operations today, you’ll build resilience, earn trust, and accelerate responsible innovation tomorrow.

This post is for informational purposes only and does not constitute legal advice.

👉 Are you prepared for the AI shift? Benchmark your Legal AI maturity now. Start your free assessment and get immediate insights to close your readiness gaps.

🟦 Share the Advantage

Know someone exploring AI or legal tech governance?
Forward this edition or invite them to subscribe.

Questions or feedback? Contact us at [email protected]

Published weekly by Advanta Legal Tech.

Reply

or to participate.