EU AI Act milestone: GPAI,  National Authorities, Governance, confidentiality and penalties

2 August 2025

Summertime milestone leaves no time for novels by the beach

Intro

2 August (while Irish people enjoy the August bank holiday weekend) marks a watershed moment in artificial intelligence regulation as key provisions of the EU AI Act (AI Act) come into effect. As the AI Act gradually enters into force across member states, from 2 August provisions regarding  national authorities, general-purpose AI (GPAI), governance frameworks, penalties and confidentiality apply.

Details

The AI Act, formally known as Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence, represents the first-ever comprehensive legal framework on AI worldwide. The legislation establishes a risk-based approach to AI regulation, with different risk categories. Examples include ‘social scoring’ is prohibited, AI in the employment context is high risk (subject to some narrow exemptions) and limited risk, for example an AI chatbot with transparency requirements.

GPAI

Chapter V of the AI Act is dedicated to GPAI models  (which was not in earlier draft versions of the legislation). From 2 August 2025, GPAI providers must comply with new requirements designed to ensure responsible AI development and deployment.

On 18 July 2025, the European Commission published Guidelines Guidelines on the scope of obligations for providers of general-purpose AI models under the AI Act | Shaping Europe’s digital future seeking to clarify key provisions of the AI Act applicable to GPAI models, providing guidance just weeks before the 2 August milestone.  Prior to these guidelines, on 10 July the European Commission published the GPAI Code of Practice (Code) The General-Purpose AI Code of Practice | Shaping Europe’s digital future. The Code  comprises three (3) parts: Transparency, Copyright, and Safey and Security. The Code is a voluntary tool designed to help organisations comply with the GPAI obligations under the AI Act.

Notifying authorities and notified bodies

While Ireland is taking steps to comply with Chapter III Section 4, at the time of writing it appears that Ireland has not yet communicated the identity of the notifying authorities to the European Commission.

Ireland has taken a number of steps in terms of its obligations, including under Art. 77 Powers of authorities protecting fundamental rights. The Government published the list of nine (9) authorities (including the Data Protection Commission (DPC)) who will have additional powers under the AI Act to facilitate them in carrying out their current responsibilities for protecting fundamental rights. For example, the authorities will have the power to access documentation that developers and deployers of AI systems are required to hold under the AI Act. For further detail see Government announcement: Minister Calleary announces key milestone in the implementation of the EU regulation on AI

In March 2025, the Government designated eight public bodies as national competent authorities under Article 70 of the AI Act. Article 70 requires each EU Member State to establish or designate at least one notifying authority and one market surveillance authority for AI oversight. These competent authorities will be responsible for supervising the implementation of the AI Act within their respective sectors, for example the DPC will be responsible for overseeing AI applications involving personal data, in alignment with GDPR obligations. We have already seen the DPC take a lead in the area of AI and personal data.

Penalties

With the exception of penalties relating to GPAI (which commence in August 2026), 2 August 2025 also brought the AI Act’s penalty regime into effect. However there is ambiguity regarding how enforcement of these penalties will occur in practice. It is intended and hoped that Irish legislation will ease the ambiguity.

Takeaways

The 2 August 2025 implementation represents a significant milestone in AI regulation and also the EU’s digital strategy.

Organisations must assess their use of AI and current compliance status and implement necessary governance structures to ensure compliance and the successful adoption of AI.

Key actions for affected organisations include conducting comprehensive compliance audits, establishing dedicated AI governance teams, and implementing robust documentation processes. The financial and reputational risks of non-compliance make immediate action essential.

This regulatory framework will and is influencing AI governance approaches globally (the Brussels effect), positioning European standards as the de facto international benchmark for responsible AI development.

We await with bated breath for Irish AI legislation this autumn. Alas the Summer novels will have to stay on the shelf for another year.

Further reading

• EU AI Act text: https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng

• Minister Calleary announces key milestone in the implementation of the EU regulation on AI

• Guidelines on the scope of obligations for providers of general-purpose AI models under the AI Act | Shaping Europe’s digital future

• Additional resources are available through the European Commission's digital strategy portal: Shaping Europe’s digital future | Shaping Europe’s digital future

For any queries on this article or how Rock Consultancy can support your organisation, please contact us at info@rockconsultancy.ie