2.3 AI-specific laws: the EU AI Act & the US landscape
Key Takeaways
- The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024 and sorts systems into four tiers—unacceptable/prohibited, high-risk, limited-risk transparency, and minimal-risk—with obligations scaled to risk.
- The EU AI Act adds separate obligations for general-purpose AI, with heightened duties for models posing systemic risk, presumed when training compute exceeds 10^25 FLOPs.
- EU AI Act obligations phase in: prohibitions from 2 February 2025, GPAI rules from 2 August 2025, and most high-risk obligations from 2 August 2026, with penalties reaching EUR 35 million or 7% of global turnover.
- The US has no comprehensive federal AI statute; policy runs through reversible executive orders (Biden's EO 14110 was revoked in January 2025) and NIST's voluntary, non-regulatory AI Risk Management Framework.
- US states lead on binding rules: Colorado's AI Act targets algorithmic discrimination in consequential decisions (effective 30 June 2026), and NYC Local Law 144 requires an annual bias audit for automated employment decision tools.
AI-specific law arrives: the EU AI Act and the US landscape
A new generation of statutes now targets AI directly. The AIGP exam gives the most weight to the EU AI Act—the world's first comprehensive AI law—and expects working familiarity with the fragmented US approach.
The EU AI Act's risk-based tiers
The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and regulates AI by risk tier: the greater the risk to health, safety, or fundamental rights, the stricter the obligations.
| Tier | What it covers | Core obligation |
|---|---|---|
| Unacceptable (prohibited) | Social scoring, manipulative or subliminal techniques, exploiting vulnerabilities, untargeted facial-image scraping, emotion recognition at work or school, certain biometric categorization and predictive policing, most real-time remote biometric identification in public spaces | Banned outright (Article 5) |
| High-risk | Annex III uses (biometrics, critical infrastructure, education, employment, essential public and private services including credit, law enforcement, migration, justice) and safety components of products already regulated under Annex I | Risk management, data governance, technical documentation, logging, human oversight, accuracy/robustness/cybersecurity, conformity assessment and CE marking |
| Limited (transparency) | Chatbots, emotion-recognition and biometric systems, deepfakes and other synthetic media | Disclosure and labeling duties (Article 50) |
| Minimal | Spam filters, AI in video games, and most other AI | No mandatory obligations |
Prohibited practices (Article 5) form the hard floor. High-risk systems carry the heaviest load—a full quality-management and conformity-assessment regime before and after they reach the market. Limited-risk systems trigger only transparency: users must be told they are interacting with AI, and AI-generated or manipulated content (deepfakes) must be labeled as such. Minimal-risk AI, the vast majority of systems, faces no new duties.
The Act adds a distinct layer for general-purpose AI (GPAI)—foundation models. All GPAI providers must keep technical documentation, publish a summary of training content, and adopt a policy to respect EU copyright, including TDM opt-outs. GPAI models posing systemic risk—presumed when training compute exceeds 10^25 FLOPs—face extra duties: model evaluation and adversarial testing, systemic-risk assessment and mitigation, serious-incident reporting, and cybersecurity protection.
Obligations phase in over time, a favorite exam detail:
- 1 Aug 2024 — the Act enters into force.
- 2 Feb 2025 — prohibitions and the AI-literacy duty (Article 4) apply.
- 2 Aug 2025 — GPAI rules, the governance and enforcement bodies, and penalty provisions apply.
- 2 Aug 2026 — most high-risk obligations under Annex III apply.
- 2 Aug 2027 — high-risk obligations for AI embedded in regulated products (Annex I) apply.
Penalties are severe: up to EUR 35 million or 7% of global annual turnover for prohibited-practice violations, with lower caps for other breaches and for supplying misleading information. The Act also reaches beyond Europe—it covers providers and deployers outside the EU where the AI system's output is used within it.
The US landscape: executive action, NIST, and state laws
The US has no comprehensive federal AI statute. Federal policy runs largely through executive orders, which swing with administrations. President Biden's EO 14110 (October 2023) directed agencies to address AI safety, security, and civil rights. In January 2025 the Trump administration revoked it and issued a new order, Removing Barriers to American Leadership in Artificial Intelligence, favoring deregulation and innovation, followed by an AI Action Plan. The exam takeaway: US federal direction is policy, not durable legislation, and it can reverse.
NIST plays a pivotal but non-regulatory role. Its AI Risk Management Framework (AI RMF 1.0, January 2023) is a voluntary framework organized around four functions—Govern, Map, Measure, and Manage—and is widely adopted as a de facto standard even though NIST cannot enforce it.
On the EU side, by contrast, enforcement is layered: a new AI Office within the European Commission supervises general-purpose AI, while designated national competent authorities in each member state police high-risk systems—a structure worth contrasting with the single-agency models candidates may expect.
Because Congress has not acted, states have moved into the gap:
- Colorado AI Act (SB 24-205) — the first comprehensive US state AI law. It imposes a duty of reasonable care on developers and deployers of "high-risk" systems used in consequential decisions to protect consumers from algorithmic discrimination, with disclosure and impact-assessment obligations. Its effective date was pushed from February 2026 to 30 June 2026.
- NYC Local Law 144 — since July 2023, an employer using an automated employment decision tool (AEDT) must commission an independent annual bias audit, publish a summary of the results, and notify candidates in advance.
- Other measures include Illinois BIPA and its 2026 Human Rights Act amendments on AI in employment, Utah's AI Policy Act, Texas's Responsible AI Governance Act, and California transparency laws—an expanding, uneven patchwork.
The strategic contrast the exam wants you to draw is stark: the EU offers a single, comprehensive, risk-based regime with hard deadlines and very large fines, while the US relies on shifting executive orders, voluntary NIST guidance, and a growing quilt of sectoral and state laws. A global organization must therefore design its AI governance to the strictest applicable standard—often the EU AI Act—while continuously tracking fast-moving US state requirements.
Under the EU AI Act's risk-based approach, which obligation applies to a customer-service chatbot that is otherwise low-risk?
Which sequence correctly reflects the EU AI Act's phased application dates?
How is NIST's role in US AI governance best characterized?