EU AI Act: Changes 2025 Explained

Avatar
Lisa Ernst · 02.12.2025 · Technology · 10 min

Companies are investing in AI pilots, often without considering the changing legal framework. Questions about high-risk AI systems or reporting obligations for foundation models only arise later. This article sheds light on the adjustments to the EU AI Act and national AI plans, such as the one in Australia, to provide guidance.

EU AI Act: Basics & Changes

The EU AI Act has been in force since 2024 and will be gradually implemented by August 2027. It is based on a risk-based model with four risk levels and an additional category for General Purpose AI models (GPAI), also known as foundation models. AI Act Service Desk, ECNL

In 2025, this framework will be refined. The EU will publish guidelines and a Code of Practice for General Purpose AI. At the same time, as part of a 'Digital Omnibus,' it will propose extending the deadlines for high-risk systems from August 2026 to the end of 2027. Digital Strategy Europe, Digital Strategy Europe, Reuters, OneTrust

For companies, this means that AI compliance is a strategic task, especially in sectors such as financial services, healthcare, or public administration, where many use cases fall into the 'high-risk AI system' category. Artificial Intelligence Law EU, AI Act Service Desk

Understanding EU AI Act Changes 2025

The EU AI Act regulates AI based on risk levels: unacceptable, high, limited, and minimal risk, supplemented by a separate track for General Purpose AI models. ECNL

The European Commission's official implementation timeline foresees four central stages:

In 2025, the focus shifts to General Purpose AI and the question of how quickly high-risk obligations will actually be implemented.

Key milestones and deadlines of the EU AI Act, illustrating the phased introduction of the regulation until 2027.

Source: mindfoundry.ai

Key milestones and deadlines of the EU AI Act, illustrating the phased introduction of the regulation until 2027.

Guidelines and Code of Practice for General Purpose AI

In July 2025, the European Commission will publish three key instruments for regulating foundation models: guidelines for GPAI providers, a GPAI Code of Practice, and further interpretation aids. Digital Strategy Europe

The GPAI guidelines and official FAQs clarify when a model is considered General Purpose AI (broad tasks, extensive training effort, versatile applicability) and when an adaptation creates its own provider with obligations. Digital Strategy Europe

The GPAI Code of Practice is a voluntary instrument that provides providers with concrete recommendations on organizing documentation, transparency, and copyright processes to prepare for legal requirements. Digital Strategy Europe

The Commission admits that the Code of Practice was completed later than planned (end of 2025 instead of May). This prolonged the uncertainty for foundation model providers and was one reason for requests from large tech companies for a 'pause' on the AI Act. Reuters, Reuters

Digital Omnibus: Moved Deadlines for High-Risk Systems

In November 2025, the Commission will present a package titled 'Digital Omnibus.' A key element is the postponement of the application of high-risk obligations from August 2026 to the end of 2027. Reuters, euronews, OneTrust

This would affect applications such as biometric identification in public spaces, AI for job applications and exams, AI in energy and transport networks, creditworthiness assessment, or AI-assisted decisions in healthcare and law enforcement. Reuters, AI Act Service Desk

The proposed delay is a postponement to finalize standards, guidelines, and supervisory structures, not a rollback of regulation. Nevertheless, NGOs and some MEPs speak of a 'rollback' of digital protection mechanisms, as relaxations on data protection and cookie rules are also being discussed. The Guardian

Companies should use this period as a window to establish governance structures. This is also emphasized by compliance analyses from, for example, Nemko or Compliance & Risks. digital.nemko.com, complianceandrisks.com

National AI Plans

In parallel to the EU, Australia is pursuing a different approach: A National AI Plan bundles investments in data centers, data infrastructure, and training. AI will be largely regulated through existing laws, flanked by its own AI Safety Institute from 2026. Industry Page, ABC, Reuters

Australia's National Artificial Intelligence Plan: Infrastructure, Data, People

While the EU is refining the EU AI Act, Australia is setting a different focus with its National AI Plan 2025: fewer new bans, but rather coordinated expansion of infrastructure, data access, and skills. Industry Page

The plan follows three central lines:

The Australian government emphasizes that, for the time being, it intends to rely on existing laws – for example, in data protection, competition law, and consumer protection – rather than creating its own AI Act. ABC, The Guardian

For companies operating in multiple jurisdictions, a contrast emerges: In the EU, AI compliance is tied to a specific framework (EU AI Act), while Australia relies more heavily on sectoral regulators and existing legal instruments, flanked by a national investment and qualification program.

AI Compliance for Companies

The debate boils down to the question: How do I build an AI compliance strategy that addresses both the EU AI Act and national AI plans? A pragmatic approach is to treat AI as an extension of existing governance structures, similar to compliance-by-design approaches. complianceandrisks.com

What does 'High-Risk AI System' mean in the EU specifically?

The central question for many projects is: 'What does high-risk AI system EU mean – does it apply to our project?'

The AI Act defines high-risk systems through two avenues: First, AI that is part of or a safety component of an already regulated product (e.g., medical devices, vehicles). Second, AI systems in certain sensitive application areas listed in Annex III. Artificial Intelligence Law EU, Artificial Intelligence Law EU

Annex III includes, among other things: Biometrics (e.g., remote face ID in public spaces), critical infrastructure (energy, transport, water), education (admissions, exam monitoring), employment and HR (selection and evaluation of applicants), access to essential services (e.g., loans, insurance), law enforcement, migration, and justice. Artificial Intelligence Law EU, AI Act Service Desk

Practical Examples:

Legally decisive is whether a system poses a significant risk to health, safety, or fundamental rights. The AI Act allows exceptions for some Annex III cases if no 'significant risk' exists, for example, in limited fraud detection scenarios. Al Act, dpo-consulting.com

Strict obligations apply to high-risk AI systems: documented risk management, robust data governance, technical documentation, logging, human oversight concepts, and requirements for accuracy, robustness, and cybersecurity. Artificial Intelligence Law EU

Companies using AI in these areas should analyze early on which projects fall into the high-risk category and start documenting.

The risk classification of AI systems according to the EU AI Act, from minimal to unacceptable risk.

Source: ctol.digital

The risk classification of AI systems according to the EU AI Act, from minimal to unacceptable risk.

General Purpose AI Models: New EU Guidelines for Foundation Models

The second major area of focus is General Purpose AI models (GPAI), often called foundation models. The AI Act defines a 'general-purpose AI model' as a model trained on large amounts of data, exhibiting broad generality, and capable of competently performing a wide variety of different tasks. Artificial Intelligence Law EU

Examples include models like GPT-4, DALL·E, or BERT, which only become domain-specific through their integration into concrete systems. Taylor Wessing

As of August 2, 2025, special obligations apply to providers of such General Purpose AI models:

Systemically risky models are classified based on technical threshold values (training compute) and their potential impact, among other factors. Artificial Intelligence Law EU, Stibbe

The GPAI framework is practically relevant for two groups within companies:

The proposed postponement in the Digital Omnibus primarily affects high-risk requirements, not GPAI obligations across the board, which come into effect from August 2025. OneTrust

Anyone already automating internal decision processes with a foundation model today should check whether their own setup can be understood as a GPAI provider, a high-risk system, or a combination of both roles.

Three Practical Observations for the AI Compliance Strategy

  1. No Strategy Without an Inventory: Companies that create an AI map – identifying which systems are in use where, what data they use, and what decisions they influence – can more quickly recognize which use cases potentially fall under Annex III or involve foundation models. eyreACT, dpo-consulting.com
  2. Clarify Risk Class + Role: The combination of risk class (High-Risk vs. Limited Risk) and role (Provider vs. Deployer) determines the obligations. For example, someone using a US foundation model in an EU banking context may simultaneously be a deployer of a high-risk system and a 'downstream user' of a GPAI model – with different, overlapping obligations. Artificial Intelligence Law EU
  3. Think of Compliance as a Product Feature: Especially in regulated industries, AI compliance becomes a selling point. A fintech that has established AI risk management according to the EU AI Act will find it easier to secure B2B customers. Structured impact assessments (e.g., human rights or fundamental rights impact assessments) make risks visible. arXiv, arXiv

Those who use the extended deadline for high-risk systems until 2027 to establish such processes will be better positioned when formal supervision intensifies and will benefit earlier from a trust bonus.

Key Definitions

A diagram shows seven principles for the use of AI, arranged in a circle with text descriptions.

Source: user-added

A diagram shows seven principles for the use of AI, arranged in a circle with text descriptions.

Resources & Outlook

For those who prefer to have topics explained, some videos are well-suited – always as a supplement to the original texts:

Countries are tightening AI regulations – but not everywhere in the same way. In Europe, the EU AI Act is being refined and, in parts, extended in time without abandoning its fundamental logic of strictly risk-based regulation. In Australia, there is a National AI Plan for infrastructure, skills, and security, which relies more heavily on existing laws and sectoral supervision. AI Act Service Desk, Industry Page

For companies, this means: Don't choose between innovation and regulation, but set up your own AI strategy in such a way that it supports both. Those who identify their high-risk AI systems, correctly classify foundation models, and establish AI governance as an integral part of product and process development will use the current 'regulatory shift' as an opportunity.

Share our post!