EU AI Act: Changes 2025 Explained
Companies are investing in AI pilots, often without considering the changing legal framework. Questions about high-risk AI systems or reporting obligations for foundation models only arise later. This article sheds light on the adjustments to the EU AI Act and national AI plans, such as the one in Australia, to provide guidance.
EU AI Act: Basics & Changes
The EU AI Act has been in force since 2024 and will be gradually implemented by August 2027. It is based on a risk-based model with four risk levels and an additional category for General Purpose AI models (GPAI), also known as foundation models. AI Act Service Desk, ECNL
In 2025, this framework will be refined. The EU will publish guidelines and a Code of Practice for General Purpose AI. At the same time, as part of a 'Digital Omnibus,' it will propose extending the deadlines for high-risk systems from August 2026 to the end of 2027. Digital Strategy Europe, Digital Strategy Europe, Reuters, OneTrust
For companies, this means that AI compliance is a strategic task, especially in sectors such as financial services, healthcare, or public administration, where many use cases fall into the 'high-risk AI system' category. Artificial Intelligence Law EU, AI Act Service Desk
Understanding EU AI Act Changes 2025
The EU AI Act regulates AI based on risk levels: unacceptable, high, limited, and minimal risk, supplemented by a separate track for General Purpose AI models. ECNL
The European Commission's official implementation timeline foresees four central stages:
- From February 2, 2025, general provisions (definitions, AI literacy) and the prohibition of 'unacceptable' AI practices, such as certain forms of social scoring, will apply. AI Act Service Desk
- From August 2, 2025, the rules for General Purpose AI models (GPAI) will come into effect, and the governance structure (AI Board, Scientific Panel, etc.) must be in place. AI Act Service Desk, Digital Strategy Europe
- Originally, from August 2, 2026, most rules, including the high-risk annexes (Annex III) and transparency obligations, were to become effective, along with national AI sandboxes and operational supervision. AI Act Service Desk
- From August 2, 2027, the rules for high-risk AI embedded in regulated products (e.g., medical devices, vehicles) will also apply. AI Act Service Desk
In 2025, the focus shifts to General Purpose AI and the question of how quickly high-risk obligations will actually be implemented.

Source: mindfoundry.ai
Key milestones and deadlines of the EU AI Act, illustrating the phased introduction of the regulation until 2027.
Guidelines and Code of Practice for General Purpose AI
In July 2025, the European Commission will publish three key instruments for regulating foundation models: guidelines for GPAI providers, a GPAI Code of Practice, and further interpretation aids. Digital Strategy Europe
The GPAI guidelines and official FAQs clarify when a model is considered General Purpose AI (broad tasks, extensive training effort, versatile applicability) and when an adaptation creates its own provider with obligations. Digital Strategy Europe
The GPAI Code of Practice is a voluntary instrument that provides providers with concrete recommendations on organizing documentation, transparency, and copyright processes to prepare for legal requirements. Digital Strategy Europe
The Commission admits that the Code of Practice was completed later than planned (end of 2025 instead of May). This prolonged the uncertainty for foundation model providers and was one reason for requests from large tech companies for a 'pause' on the AI Act. Reuters, Reuters
Digital Omnibus: Moved Deadlines for High-Risk Systems
In November 2025, the Commission will present a package titled 'Digital Omnibus.' A key element is the postponement of the application of high-risk obligations from August 2026 to the end of 2027. Reuters, euronews, OneTrust
This would affect applications such as biometric identification in public spaces, AI for job applications and exams, AI in energy and transport networks, creditworthiness assessment, or AI-assisted decisions in healthcare and law enforcement. Reuters, AI Act Service Desk
The proposed delay is a postponement to finalize standards, guidelines, and supervisory structures, not a rollback of regulation. Nevertheless, NGOs and some MEPs speak of a 'rollback' of digital protection mechanisms, as relaxations on data protection and cookie rules are also being discussed. The Guardian
Companies should use this period as a window to establish governance structures. This is also emphasized by compliance analyses from, for example, Nemko or Compliance & Risks. digital.nemko.com, complianceandrisks.com
National AI Plans
In parallel to the EU, Australia is pursuing a different approach: A National AI Plan bundles investments in data centers, data infrastructure, and training. AI will be largely regulated through existing laws, flanked by its own AI Safety Institute from 2026. Industry Page, ABC, Reuters
Australia's National Artificial Intelligence Plan: Infrastructure, Data, People
While the EU is refining the EU AI Act, Australia is setting a different focus with its National AI Plan 2025: fewer new bans, but rather coordinated expansion of infrastructure, data access, and skills. Industry Page
The plan follows three central lines:
- Data Centers & Infrastructure: The federal government supports investment in modern, GPU-optimized data centers and sovereign data capabilities to keep AI workloads within the country. Reuters, Daily Telegraph
- Training & Skills: A key goal is to empower employees at all levels to use AI safely and productively – from the public service (APS AI Plan) to industry. finance.gov.au, go8.edu.au
- Safety & Governance: An AI Safety Institute, funded with AUD 30 million, is to be established by 2026 and serve as a center of expertise for safe AI development, particularly concerning national security and sovereignty. News.com.au
The Australian government emphasizes that, for the time being, it intends to rely on existing laws – for example, in data protection, competition law, and consumer protection – rather than creating its own AI Act. ABC, The Guardian
For companies operating in multiple jurisdictions, a contrast emerges: In the EU, AI compliance is tied to a specific framework (EU AI Act), while Australia relies more heavily on sectoral regulators and existing legal instruments, flanked by a national investment and qualification program.
AI Compliance for Companies
The debate boils down to the question: How do I build an AI compliance strategy that addresses both the EU AI Act and national AI plans? A pragmatic approach is to treat AI as an extension of existing governance structures, similar to compliance-by-design approaches. complianceandrisks.com
What does 'High-Risk AI System' mean in the EU specifically?
The central question for many projects is: 'What does high-risk AI system EU mean – does it apply to our project?'
The AI Act defines high-risk systems through two avenues: First, AI that is part of or a safety component of an already regulated product (e.g., medical devices, vehicles). Second, AI systems in certain sensitive application areas listed in Annex III. Artificial Intelligence Law EU, Artificial Intelligence Law EU
Annex III includes, among other things: Biometrics (e.g., remote face ID in public spaces), critical infrastructure (energy, transport, water), education (admissions, exam monitoring), employment and HR (selection and evaluation of applicants), access to essential services (e.g., loans, insurance), law enforcement, migration, and justice. Artificial Intelligence Law EU, AI Act Service Desk
Practical Examples:
- Bank: A scoring model that automatically determines credit limits and conditions for private customers is classified as high-risk because it intervenes in financial opportunities. eyreACT
- Hospital: A triage system that prioritizes emergency patients based on AI evaluation of vital signs is high-risk due to the risk to health and life. twobirds.com
- Authority: An employment agency that uses a model to assess the employability of applicants typically falls under Annex III due to its interference with social rights. Stibbe
Legally decisive is whether a system poses a significant risk to health, safety, or fundamental rights. The AI Act allows exceptions for some Annex III cases if no 'significant risk' exists, for example, in limited fraud detection scenarios. Al Act, dpo-consulting.com
Strict obligations apply to high-risk AI systems: documented risk management, robust data governance, technical documentation, logging, human oversight concepts, and requirements for accuracy, robustness, and cybersecurity. Artificial Intelligence Law EU
Companies using AI in these areas should analyze early on which projects fall into the high-risk category and start documenting.

Source: ctol.digital
The risk classification of AI systems according to the EU AI Act, from minimal to unacceptable risk.
General Purpose AI Models: New EU Guidelines for Foundation Models
The second major area of focus is General Purpose AI models (GPAI), often called foundation models. The AI Act defines a 'general-purpose AI model' as a model trained on large amounts of data, exhibiting broad generality, and capable of competently performing a wide variety of different tasks. Artificial Intelligence Law EU
Examples include models like GPT-4, DALL·E, or BERT, which only become domain-specific through their integration into concrete systems. Taylor Wessing
As of August 2, 2025, special obligations apply to providers of such General Purpose AI models:
- Transparency requirements (including technical documentation, description of capabilities, known limitations, summaries of training data).
- Provisions for handling copyright, for instance, through policies and mechanisms for respecting chains of rights.
- For systemically risky models, additional obligations such as model evaluations, risk mitigation, adversarial testing, and incident reporting. Digital Strategy Europe, Digital Strategy Europe, Reuters
Systemically risky models are classified based on technical threshold values (training compute) and their potential impact, among other factors. Artificial Intelligence Law EU, Stibbe
The GPAI framework is practically relevant for two groups within companies:
- Model Providers: Teams that train their own foundation models and provide them 'as-a-service' or broadly internally.
- Downstream Users, who integrate an external foundation model into a specific system, thereby entering the role of system provider or deployer. Eipa, EY
The proposed postponement in the Digital Omnibus primarily affects high-risk requirements, not GPAI obligations across the board, which come into effect from August 2025. OneTrust
Anyone already automating internal decision processes with a foundation model today should check whether their own setup can be understood as a GPAI provider, a high-risk system, or a combination of both roles.
Three Practical Observations for the AI Compliance Strategy
- No Strategy Without an Inventory: Companies that create an AI map – identifying which systems are in use where, what data they use, and what decisions they influence – can more quickly recognize which use cases potentially fall under Annex III or involve foundation models. eyreACT, dpo-consulting.com
- Clarify Risk Class + Role: The combination of risk class (High-Risk vs. Limited Risk) and role (Provider vs. Deployer) determines the obligations. For example, someone using a US foundation model in an EU banking context may simultaneously be a deployer of a high-risk system and a 'downstream user' of a GPAI model – with different, overlapping obligations. Artificial Intelligence Law EU
- Think of Compliance as a Product Feature: Especially in regulated industries, AI compliance becomes a selling point. A fintech that has established AI risk management according to the EU AI Act will find it easier to secure B2B customers. Structured impact assessments (e.g., human rights or fundamental rights impact assessments) make risks visible. arXiv, arXiv
Those who use the extended deadline for high-risk systems until 2027 to establish such processes will be better positioned when formal supervision intensifies and will benefit earlier from a trust bonus.
Key Definitions
- EU AI Act: A regulation by the European Union to regulate Artificial Intelligence, which follows a risk-based approach.
- General Purpose AI (GPAI) / Foundation Models: AI models trained on large amounts of data, exhibiting broad generality, and capable of performing a wide variety of different tasks.
- High-Risk AI System: AI systems that pose a significant risk to health, safety, or fundamental rights, either as part of regulated products or in specific sensitive application areas (Annex III).
- Digital Omnibus: A package of proposals from the EU Commission that includes, among other things, a postponement of deadlines for high-risk AI systems.
- National AI Plan (Australia): Australia's strategy to promote AI through investments in infrastructure, data access, and training, with regulation primarily based on existing laws.

Source: user-added
A diagram shows seven principles for the use of AI, arranged in a circle with text descriptions.
Resources & Outlook
For those who prefer to have topics explained, some videos are well-suited – always as a supplement to the original texts:
- A concise introduction to the structure, risk classes, and global reach is provided by „EU AI Act Explained 2025“.
- A slightly more fundamental overview is provided by „The EU’s AI Act Explained“.
- Anyone already working with foundation models can get a practical insight into the GPAI Code of Practice from the interview „Unpacking the EU AI Act Code of Practice with Marietje Schaake“ a practical insight into the GPAI Code of Practice..
- For the Australian context, it is worthwhile to look into discussions about its AI strategy and AI ecosystem, for example, in the format „Australia’s AI ecosystem growth and opportunities“ of the National AI Centre..
Countries are tightening AI regulations – but not everywhere in the same way. In Europe, the EU AI Act is being refined and, in parts, extended in time without abandoning its fundamental logic of strictly risk-based regulation. In Australia, there is a National AI Plan for infrastructure, skills, and security, which relies more heavily on existing laws and sectoral supervision. AI Act Service Desk, Industry Page
For companies, this means: Don't choose between innovation and regulation, but set up your own AI strategy in such a way that it supports both. Those who identify their high-risk AI systems, correctly classify foundation models, and establish AI governance as an integral part of product and process development will use the current 'regulatory shift' as an opportunity.