Artificial Intelligence 2026

Last Updated May 21, 2026

Europe-Wide

Law and Practice

Authors

Gerrish Legal is a Paris and Stockholm-based boutique law firm with presence in London, specialising in privacy, data protection, AI and technology law. With lawyers qualified in France, England and Wales, and Ireland, the firm’s multilingual team advises international clients – from scale-ups to listed multinationals – across sectors such as SaaS, life sciences, fashion, recruitment, security and catering. Its core practice focuses on privacy and data protection (including GDPR), AI, data and digital regulation (including the AI Act and Data Act), and the structuring and integration of these frameworks into technology products and business models, including privacy- and data-by-design. The firm also has strong expertise in commercial law, particularly technology contracts (SaaS), data and AI-related arrangements, cross-border agreements, and intellectual property matters. Gerrish Legal advises EU-based organisations on privacy, data and AI compliance, and supports non-EU companies expanding into Europe in aligning their practice frameworks with EU requirements.

The EU regulates AI through a layered framework combining contract, tort and product liability, data protection, IP, product safety, employment, consumer protection and criminal law, alongside the AI Act (Regulation (EU) 2024/1689). These regimes apply cumulatively.

Predictive, generative and agentic AI each raise distinct risks. In contract law, predictive AI may influence pricing or eligibility, generative AI may draft terms, and agentic AI may negotiate or conclude contracts, raising issues of consent, attribution and enforceability.

Data protection law – particularly the General Data Protection Regulation (GDPR) – applies wherever personal data is processed, with profiling, training data and accountability in complex decision chains raising type-specific risks.

IP law relies on existing frameworks, with generative AI raising key issues around training data and outputs.

Product safety law requires safe design and risk mitigation for AI-enabled products.

Employment, consumer protection and criminal law apply in parallel, with predictive AI affecting hiring and access to services, generative AI enabling misleading content, and agentic AI increasing complexity in attribution and control.

EU AI deployment spans traditional machine learning, foundation models/LLMs, RAG systems, and agentic AI.

Traditional machine learning remains most widely deployed in insurance, financial services, healthcare, transport and manufacturing for fraud detection, diagnostics, predictive maintenance and quality control. Foundation models and LLMs function as horizontal productivity tools across legal services, public administration, education and software development, while RAG systems support regulated sectors by grounding generative outputs in controlled data sources. Agentic AI is emerging across industrial robotics, intelligent transport and digital workflows.

Cross-industry, EU data-sharing frameworks – the Data Governance Act (Regulation (EU) 2022/868), the Data Act (Regulation (EU) 2023/2854) and European data spaces – support deployment across all architectures, yielding efficiency gains, cost reduction and improved decision support.

EU AI innovation is supported through public investment, financial incentives, infrastructure and regulation. Key programmes – Horizon Europe, Digital Europe, InvestEU and InvestAI – mobilise large-scale investment through the STEP platform and EuroHPC for strategic technologies. The AI Act complements this by providing a risk-based framework that limits restrictions to high-risk uses, enables broad deployment and reduces fragmentation through regulatory sandboxes and SME support.

The EU adopts a hybrid, risk-based and innovation-enabling approach, underpinned by accountability obligations. The cornerstone is the AI Act, in force since August 2024, establishing harmonised rules across the internal market alongside the GDPR and broader digital legislation. The AI Act regulates by risk and use case – not technical architecture – distinguishing prohibited systems (eg, social scoring), high-risk systems (eg, employment, healthcare), limited-risk systems (eg, generative AI, subject to transparency obligations) and minimal-risk systems.

For high-risk systems, the AI Act mandates human oversight and scales supervision, transparency, traceability and value-chain responsibility. The framework aligns with OECD principles and international ethics standards, making them legally binding and globally influential. Regulation spans the full AI life cycle:

  • design and development (data governance, risk management);
  • pre-market (conformity assessments);
  • deployment (human oversight, transparency); and
  • post-market (incident reporting, market surveillance).

The AI Act establishes a harmonised, risk-based framework governing AI development, market placement and use, to protect fundamental rights, health and safety, while supporting innovation. Its scope is extraterritorial, applying to providers, deployers and other actors outside the EU where outputs are used within the Union.

The AI Act applies the risk-based classification set out in 3.1 General Approach to AI-Specific Legislation, with corresponding obligations for each tier. For high-risk systems, requirements include risk management, data governance, transparency, human oversight and conformity assessments. The AI Act establishes a dedicated regime for general-purpose AI (GPAI) models, with enhanced obligations for models presenting systemic risk. Enforcement relies on national market surveillance authorities co-ordinated at EU level, with fines of up to EUR 35 million or 7% of global annual turnover (whichever is higher) for prohibited practices and lower ceilings for other infringements; the AI Omnibus introduces modulated penalty rules for SMEs.

Non-binding instruments complement the AI Act at EU level, including:

  • Commission guidelines on the definition of AI systems and prohibited practices (2025);
  • the Ethics Guidelines for Trustworthy AI (setting out principles of transparency, human oversight, accountability and non-discrimination); and
  • international frameworks such as the OECD AI Principles and UNESCO Recommendation.

Harmonised technical standards, while voluntary, create a presumption of conformity with the AI Act where referenced in the Official Journal.

The AI Act follows a phased implementation model. Prohibitions on unacceptable-risk AI applied from February 2025, GPAI and national authority rules from August 2025, and full obligations for high-risk systems from August 2026, with limited sectoral extensions to 2027. On 7 May 2026, the European Parliament, Council and Commission reached a political agreement on the AI Omnibus, postponing Annex III high-risk obligations to December 2027; formal adoption and Official Journal publication remain pending.

The AI Office supervises GPAI at EU level, supported by the European AI Board. Member states designate enforcement, market-surveillance and conformity-assessment authorities, adopting institutional measures to support implementation. High-risk systems require ex ante conformity assessment; a new Article 2(13) mechanism allows the Commission to limit AI Act requirements where sectoral law provides equivalent or higher protection. Member states must establish regulatory sandboxes, with the August 2026 deadline extended.

US state AI laws may apply to systems used in the EU where there is a sufficient connection to a state, such as provider headquarters or regulated activities, creating parallel compliance obligations alongside EU law. Operators must therefore assess both EU requirements and applicable state laws, particularly where they develop or manage AI systems from the USA.

At EU level, AI-related developments in data protection, copyright and content law arise from the interaction of the GDPR, Directive (EU) 2019/790 on copyright and related rights in the Digital Single Market (the “DSM Copyright Directive”) and the AI Act. On text and data mining (TDM), the DSM Copyright Directive establishes a mandatory exception for scientific research (Article 3) and a broader exception available to any user, including commercial ones, subject to rights-holder opt-out (Article 4). The AI Act reinforces this by requiring GPAI model providers to maintain a copyright policy that identifies and complies with Article 4 opt-outs and to publish a sufficiently detailed summary of the content used for training.

For AI-related data processing, the GDPR remains the governing framework. The Digital Omnibus proposes amendments to the GDPR, the ePrivacy Directive, NIS2 and the Data Act, pending finalisation later in 2026. Web scraping legality depends on copyright compliance, contractual terms and GDPR requirements. Synthetic data has no dedicated EU regime and falls outside the GDPR only where effective anonymisation is achieved.

There is no separate EU proposal for agentic AI or autonomous agents; the AI Act already captures highly autonomous systems through its function- and risk-based framework. On 7 May 2026, the EU institutions reached a political agreement on the AI Omnibus following a third trilogue. The deal postpones Annex III high-risk system obligations to December 2027, excludes Annex I machinery products from AI Act scope, introduces bans on nudifiers and CSAM generation, and mandates watermarking of AI-generated content from December 2026; formal adoption and Official Journal publication remain pending.

The AI Act allocates obligations across providers, deployers, importers and distributors, reclassifying downstream actors as providers where they modify or rebrand systems. The AI Liability Directive was withdrawn in 2025, leaving no dedicated AI liability proposal at EU level.

AI-specific case law at EU level remains limited. In OQ v Land Hessen (Schufa) (C-634/21, 2023), the CJEU held that credit scoring may itself constitute a “decision” under Article 22 GDPR where a third party draws strongly on the score to determine an outcome; in Dun & Bradstreet Austria (C-203/22, 2025), it confirmed that data subjects are entitled to a meaningful explanation of the procedure and principles applied in an automated decision, and that trade secrets cannot justify a blanket refusal: where disclosure would affect protected information, it must be provided to the competent supervisory authority or court, which balances the competing interests.

In IP, the pending CJEU case Like Company v Google Ireland Limited will address LLM training, TDM exceptions and output liability. Consumer protection, competition law and AI-output liability remain governed by existing principles pending EU-level rulings.

AI oversight at EU level operates through a multi-layered framework. The European Commission oversees AI Act implementation and directly supervises GPAI models through the EU AI Office, which monitors systemic risks and may require corrective measures or impose sanctions. The European AI Board issues guidance on consistent application. The European Data Protection Board (EDPB) interprets GDPR requirements in AI contexts, including training data, profiling and automated decision-making; the European Data Protection Supervisor (EDPS) acts as competent authority for AI used by EU institutions. At national level, designated authorities handle enforcement, market surveillance and conformity assessment for high-risk systems, alongside sector-specific regulators.

EU-level guidance on AI operates through a body of non-binding instruments. Commission guidance includes the Ethics Guidelines for Trustworthy AI (2019), the Guidelines on the definition of an AI system (2025) and the Guidelines on prohibited AI practices (2025), supplemented by emerging AI Office guidance on documentation, life cycle governance and transparency. The EDPB has issued Opinion 28/2024 on AI models and AI auditing guidance. International frameworks, including the OECD AI Principles, the UNESCO Recommendation and Council of Europe instruments, further shape the EU approach.

Currently, AI enforcement remains largely driven by existing regimes – particularly the GDPR, consumer law and competition law – rather than AI Act decisions. In Meta v Bundeskartellamt (C-252/21, 2023), the CJEU confirmed that personal data practices may be assessed in competition proceedings, linking data protection and market power. The Commission’s Digital Fairness Fitness Check signals increased use of unfair commercial practices rules against misleading AI interfaces. For GPAI and foundation models, AI Act obligations now apply with the AI Office playing a central supervisory role, and enforcement is shifting towards foundation models, high-risk systems and transparency failures.

European and national standard-setting bodies are key intermediaries in EU AI governance. The Commission issues standardisation requests to CEN (European Committee for Standardization) and CENELEC (European Committee for Electrotechnical Standardization), whose national member bodies develop harmonised standards covering risk management, data governance, transparency, human oversight, robustness and conformity assessment. Standards are developed by consensus (with any patents essential to them licensed on FRAND terms) and operate as a quasi-regulatory layer, translating legal obligations into technical requirements and shaping product liability exposure.

For EU-based companies, the AI Act is the legal baseline; international standards – ISO/IEC 42001 (AI management systems), ISO/IEC 23894 (risk management), ISO/IEC 22989 (terminology), IEEE standards and the NIST AI RMF – function primarily as compliance tools rather than legal obligations. None is sufficient on its own: where standards are less demanding than EU law on fundamental rights, transparency or bias, the AI Act prevails. These standards can reduce legal uncertainty and support conformity assessment, but entail implementation costs (particularly for SMEs) and must be adapted to EU-specific and sectoral requirements.

EU institutions and agencies deploy AI across administrative, regulatory and operational functions within a constrained legal framework, ranging from document analysis and classification tools to biometric identification and GPAI models. Under the AI Act, these uses are classified by risk, with particular scrutiny for systems in law enforcement, migration, border control, justice and critical infrastructure (typically high-risk under Article 6 and Annex III).

EU bodies are bound by the Charter of Fundamental Rights (notably Articles 7, 8, 41 and 47) and EU data protection law, including EDPS oversight under Regulation (EU) 2018/1725. The AI Act applies horizontally, prohibiting certain practices under Article 5 and imposing high-risk and GPAI obligations on EU institutions; in practice, institutions must classify systems correctly, avoid prohibited uses, implement high-risk compliance where applicable, and ensure supplier compliance for GPAI.

There is no developed body of CJEU case law expressly addressing AI use by EU institutions. Existing case law establishes governing principles: in Berlioz Investment Fund v Directeur de l'administration des contributions directes, the CJEU confirmed that individuals must be able to challenge data-driven decisions with courts verifying proportionality; and in Inuit Tapiriit Kanatami v Parliament and Council, acts producing binding legal effects are reviewable under Article 263 TFEU based on substance rather than formal classification, implying that AI-influenced decisions may be reviewable.

AI in national security and defence is shaped by Article 4(2) TEU, under which national security remains the sole responsibility of each member state. The AI Act reflects this through an exclusion for military, defence and national security purposes, but the exclusion is not absolute: where systems developed for defence are also used for civilian purposes – such as law enforcement or border management – they fall within scope for those uses. Within internal security, certain practices are prohibited under Article 5, with narrow exceptions for law enforcement subject to prior authorisation and safeguards. High-risk systems must meet the requirements of Articles 9–15, deployers may need to conduct fundamental rights impact assessments, and EU data protection law requires that restrictions on data subject rights be necessary, proportionate and subject to independent oversight.

In the EU, generative AI raises interconnected legal issues governed primarily by the AI Act alongside EU copyright and data protection frameworks. Model-level governance for GPAI and foundation models is addressed in 3.2 Jurisdictional Law; copyright in AI training and outputs in 16.3 Copyright and AI Training Data; and data protection issues in 17. Data Protection. Liability for harmful or infringing outputs remains unresolved given the multiplicity of actors; the AI Act imposes preventative obligations rather than a comprehensive liability regime, leaving gaps to product liability and national tort principles. Transparency obligations include disclosure of capabilities, training data summaries and labelling of synthetic content.

AI in the EU legal profession is increasingly common across legal research, contract review, litigation prediction and generative drafting, governed by the AI Act, the GDPR and professional conduct rules requiring competence, independence and confidentiality. A key concern is “hallucinations” – incorrect legal authorities generated by AI – creating risks for lawyers’ duty of competence and requiring independent verification. Related risks include unauthorised practice of law, as AI systems cannot assume professional responsibility in the EU, and confidentiality exposure when using cloud-based tools where sensitive data may be retained or reused in model training.

EU regulation treats AI as a tool subject to oversight: human accountability remains paramount, with the AI Act reinforcing supervision and GDPR rules maintaining responsibility with lawyers.

Liability for AI-caused harm in the EU relies on a combination of product liability, negligence, strict liability, vicarious liability and content-based liability; there is no comprehensive AI-specific regime. The updated EU Product Liability Directive (Directive (EU) 2024/2853) expressly treats software, including AI systems, as a “product” subject to strict liability for defects, though applying the defect standard is challenging given AI’s probabilistic and adaptive nature. Negligence remains important for developers and deployers, focusing on reasonable care in data selection, training, testing and deployment.

Vicarious liability may apply where organisations deploy AI as a tool; content liability in defamation or copyright infringement is typically allocated based on control over deployment. Causation and evidentiary challenges are significant across all doctrines: AI systems often operate as “black boxes”, making it difficult to establish how outputs were generated, though the AI Act’s transparency and auditability obligations support ex post liability claims.

EU regulatory approaches to AI liability combine updated product liability rules, existing civil liability doctrines and AI governance under the AI Act, favouring an integrated model rather than a single AI-specific regime. The scope and application of the revised EU Product Liability Directive to AI systems, including its treatment of software updates and defects in adaptive systems, are addressed in 10.1 General Theories of Liability.

The AI Act supports liability indirectly by imposing documentation, logging, transparency and human oversight obligations for high-risk systems, improving traceability and facilitating causation. The AI Liability Directive – which would have introduced causation presumptions and disclosure obligations – was withdrawn, signalling a shift towards preventative regulation. General negligence-based liability remains governed by national law.

Agentic AI systems are not recognised as legal persons under EU law; their effects are attributed to human or organisational actors under existing private law principles, with contractual and legal responsibility generally resting with the deploying entity. The legislative framework is addressed in 3.7 Proposed AI-Specific Legislation and Regulations.

For high-risk systems, deployers must be able to monitor, intervene in and override autonomous behaviour. Accountability in cross-organisational settings is addressed through value-chain responsibility across providers, deployers, importers and distributors, though determining effective control in complex systems remains uncertain. The AI Act imposes logging, documentation and traceability requirements to enable reconstruction of outputs and support regulatory review; multi-agent systems have no dedicated EU framework, with AI Act principles of traceability, accountability by design and life cycle risk management expected to apply, and emergent behaviour remaining a key regulatory gap.

Liability for harm caused by autonomous AI systems is governed by existing civil liability rules, allocated between developers, deployers and users based on control and foreseeability: developers may be liable for design or training defects, deployers for monitoring failures, and users for misuse. Existing regimes remain only partly adequate, as negligence and product liability struggle with AI opacity and continuous learning; for analysis of EU product liability reforms and the withdrawal of the AI Liability Directive, see 10.1 General Theories of Liability and 10.2 Regulatory Approaches to Liability for AI. Contractual arrangements commonly allocate risk but cannot override mandatory protections, and in multi-agent systems cascading failures may produce harm that is difficult to attribute to a single actor.

Algorithmic bias refers to systematic unfairness in AI outputs arising from biased data, proxy variables or optimisation choices. In the EU, it is governed by equality principles, sector-specific rules, the AI Act and the GDPR.

The AI Act requires providers of high-risk systems to identify and reduce discriminatory risks, particularly in employment, credit, education and public services, using representative datasets, bias testing and post-deployment monitoring, without imposing specific fairness metrics.

Liability may arise under EU non-discrimination law, GDPR rules on automated decision-making and national tort law, though causation remains difficult to establish due to AI opacity. Enforcement relies primarily on ex ante conformity assessments under the AI Act and supervision by data protection authorities.

Biometric AI systems in the EU are regulated under the AI Act and the GDPR, alongside the EU Charter (Articles 7 and 8). Real-time remote biometric identification in publicly accessible spaces for law enforcement purposes is prohibited, with narrow exceptions subject to prior authorisation and strict necessity and proportionality requirements. Emotion recognition systems are prohibited in workplaces and educational institutions (save for medical or safety purposes), and biometric categorisation systems that infer sensitive attributes such as race, political opinions, religious beliefs or sexual orientation are prohibited. Permitted biometric systems are classified as high-risk, triggering the obligations in 3.2 Jurisdictional Law, with emphasis on accuracy, robustness and bias testing.

Under the GDPR, biometric data used for unique identification is special category data under Article 9, requiring a strict legal basis, necessity, proportionality and enhanced security. Enforcement is carried out by national AI authorities and data protection authorities, with powers including fines, bans and withdrawal of non-compliant systems.

Deepfakes and synthetic media in the EU are regulated through the AI Act, the GDPR and the Digital Services Act (DSA). The AI Act requires synthetic content to be marked so that it is identifiable as artificially generated, particularly where it may mislead; deepfakes must be disclosed unless they fall within narrow exceptions, such as uses authorised by law for detecting or prosecuting criminal offences, or evidently artistic, satirical or creative works, where disclosure is limited to what does not hamper the work.

Platform liability is governed by the DSA: platforms must implement notice-and-action systems, conduct risk assessments and mitigate illegal or harmful synthetic media, without direct liability for user content. Civil liability may arise under defamation, data protection and IP law where a person’s image, voice or likeness is used without consent. Under the AI Omnibus political agreement described in 3.7 Proposed AI-Specific Legislation and Regulations (formal adoption pending), mandatory watermarking of AI-generated content would apply from 2 December 2026 and AI systems generating non-consensual intimate imagery would be added to the Article 5 prohibitions; sector-specific rules apply in elections, consumer protection and data protection contexts.

AI transparency and disclosure requirements are central to the AI Act. There is a general obligation to disclose AI use where individuals might otherwise assume human interaction; chatbots and conversational agents must disclose their artificial nature at the start of interaction.

The AI Act requires AI-generated content – text, images, audio and video – to be marked in a machine-readable format and detectable as artificially generated; under the AI Omnibus political agreement (formal adoption pending), mandatory watermarking would apply from 2 December 2026. Explainability obligations apply mainly to high-risk systems, which must provide meaningful information on logic, capabilities, limitations and key decision-making factors sufficient to ensure accountability without requiring full algorithmic disclosure.

Disclosure may not be required where AI use is obvious, where systems are purely assistive, or where it would interfere with law enforcement. The AI Act also prohibits systems using subliminal techniques or exploiting vulnerable groups in ways that materially distort behaviour and cause harm.

Foundation models must additionally document training methods, architecture, evaluation processes and known limitations, with enhanced obligations for systemic-risk models.

AI procurement requires contracts that address probabilistic behaviour, evolving performance and data dependence, unlike traditional software. Key elements include:

  • risk allocation between provider and deployer for bias, hallucinations, unsafe outputs and regulatory breaches;
  • SLAs extending beyond uptime to metrics such as accuracy, safety thresholds and model drift, often limited by non-determinism; and
  • data rights clauses defining whether customer data may be used for training or improvement, aligned with GDPR obligations.

IP clauses address ownership of models, fine-tuned systems and outputs, with uncertainty around AI-generated content. Compliance warranties and indemnities allocate regulatory and IP risk, typically with limited scope, alongside audit rights enabling compliance assessment through documentation or third-party review. Contracts also include exit and portability provisions to ensure data retrieval and system transition, and liability caps linked to contract value, often supported by insurance.

AI supply chain accountability covers how organisations manage responsibility across the AI life cycle, including developers, model providers, data suppliers and deployers. Key elements include due diligence assessing suitability, bias and regulatory risks, and verification that vendors meet transparency, documentation, cybersecurity and data protection obligations.

Responsibility is shared across the value chain, with the AI Act allocating obligations between providers, importers, distributors and deployers based on their role. High-risk systems require technical documentation, instructions for use and record-keeping to support audits and regulatory review, alongside provenance and traceability requirements to track model origin, training data and system changes.

Cascading contractual obligations require suppliers to impose equivalent duties on subcontractors, reinforcing the AI Act’s value-chain model of shared responsibility across the life cycle.

AI use in hiring and termination is governed by the GDPR, the AI Act, the Platform Work Directive (Directive (EU) 2024/2831) and Directive (EU) 2023/970 on pay transparency. Recruitment and dismissal systems are generally classified as high-risk (AI Act, Annex III); social scoring and workplace emotion recognition are prohibited (Article 5).

Employers must comply with GDPR principles; decisions based solely on automated processing that produce legal or similarly significant effects are restricted under Article 22 and are permitted only where necessary for the employment contract, authorised by law or based on explicit consent, and then only with safeguards including meaningful human intervention, clear information and the right to contest the decision. Enforcement exposure is significant, with potential AI Act and GDPR sanctions alongside employment law and discrimination claims.

AI-enabled employee evaluation and monitoring is governed by the GDPR, the AI Act, the Platform Work Directive and EU fundamental rights on privacy and non-discrimination, encompassing productivity tracking, algorithmic scoring, AI-enhanced video surveillance and biometric systems.

Monitoring is subject to strict necessity and proportionality: it must pursue a legitimate purpose and remain limited to what is necessary, and continuous surveillance or monitoring of private communications or rest areas is generally unlawful. Biometric and other sensitive data is restricted under Article 9 GDPR.

AI-based monitoring raises discrimination risks where profiling influences evaluations or sanctions; the AI Act classifies such systems as high-risk, requiring risk management, data quality controls and human oversight. Employers must inform employees of the existence, purpose and functioning of monitoring systems, and typically consult employee representatives before deployment.

Non-compliance may lead to GDPR fines of up to EUR 20 million or 4% of global annual turnover (whichever is higher), with higher AI Act ceilings for prohibited practices, as well as inadmissible evidence in employment disputes and claims for breach of privacy, health and safety and discrimination.

In the EU, AI use by digital platforms is governed by a layered framework combining the AI Act, the DSA, the Digital Markets Act (DMA), the GDPR and consumer protection rules, covering content moderation, recommender systems, targeted advertising, profiling, fraud detection and generative AI tools. Under the AI Act, transparency obligations (disclosure of AI interaction and labelling of synthetic content) apply regardless of risk tier, while high-risk uses trigger the full high-risk regime; the DSA requires disclosure of recommender system parameters, advertising transparency and systemic risk assessments for very large platforms.

The DMA constrains gatekeepers on data use and self-preferencing, while the GDPR and consumer law apply horizontally. Prohibited practices under the AI Act include manipulative design and certain biometric inferences; enforcement is active, with data protection authorities scrutinising profiling and generative AI, the Commission enforcing DSA obligations, and the AI Office expected to play a central role for GPAI models.

AI is widely used in financial services for credit scoring, fraud detection, anti-money laundering, algorithmic trading, robo-advice and customer analytics. The core AI-specific framework is the AI Act, applied alongside Markets in Financial Instruments Directive II (MiFID II) and the Digital Operational Resilience Act (DORA) on ICT risk management, complemented by the GDPR, consumer protection rules, the Data Act, the Data Governance Act, Directive (EU) 2022/2555 (the “NIS2 Directive”) and the Cyber Resilience Act (Regulation (EU) 2024/2847).

Under the AI Act, creditworthiness assessment and decisions affecting access to financial services are classified as high-risk, triggering the obligations described at 3.2 Jurisdictional Law. Transparency and explainability are particularly emphasised where AI contributes to decisions with significant individual effects.

MiFID II extends governance to algorithmic trading and automated advice, while DORA requires ICT risk management, including for AI systems and third-party providers. Prohibited practices include manipulation, exploitation of vulnerabilities and certain biometric inferences.

AI use in healthcare operates under a layered framework combining the AI Act, the Medical Device Regulation (MDR), the In Vitro Diagnostic Regulation (IVDR) and the GDPR, covering diagnostics, imaging, clinical decision support, patient triage and drug development. Where a system qualifies as a medical device, it must comply with MDR/IVDR requirements including clinical evaluation, CE marking and post-market surveillance.

Under the AI Act, most healthcare AI is classified as high-risk, triggering the obligations described at 3.2 Jurisdictional Law, integrated into existing medical device conformity processes. The GDPR remains central as such systems typically involve sensitive health data under Article 9, with restrictions on automated decision-making and requirements for human intervention.

Prohibited practices include AI that manipulates behaviour or exploits patient vulnerabilities. Enforcement remains driven by medical device regulation and data protection law, supplemented by AI Act market surveillance.

AI is central to autonomous vehicles across environment perception, decision-making and driver assistance. The core framework is the General Safety Regulation, complemented by the Automated Driving Systems Regulation and UNECE Regulation No 157.

The AI Act applies horizontally, classifying autonomous driving AI as high-risk and triggering the obligations described at 3.2 Jurisdictional Law, alongside specific cybersecurity requirements. The GDPR governs personal data collected through vehicle sensors and cameras, while the Data Act introduces obligations on connected vehicle data access and portability, and the updated Product Liability Directive covers AI-enabled defects.

Restrictions are primarily safety-driven: systems must operate within defined conditions and meet strict performance thresholds. AI Act prohibitions apply where in-cabin or connected systems process biometric or behavioural data beyond what is necessary.

Enforcement combines type-approval ex ante, market surveillance ex post, data protection authorities for GDPR compliance and product liability rules enabling compensation for damage.

AI is widely used in retail across recommender systems, personalised pricing, targeted advertising, chatbots, credit scoring and connected products. The framework combines the AI Act, the GDPR, the DSA, the DMA, the Data Act and consumer protection law, with credit scoring and AI in regulated products qualifying as high-risk.

The GDPR applies where personal data is processed. The DSA imposes recommender system transparency and systemic risk management on large platforms, and the Data Act addresses connected product data. The Cyber Resilience Act covers AI embedded in consumer products.

Transparency is a common thread: businesses must inform users of AI use, data processing, and ranking or pricing parameters. The AI Act prohibits systems that manipulate behaviour or exploit vulnerable users, while EU consumer law prohibits misleading practices, including non-transparent pricing and dark patterns.

Enforcement is active under existing frameworks, with the AI Act adding market surveillance powers and fines.

In industrial settings, AI is used for predictive maintenance, quality control, collaborative robots, process optimisation and supply chain forecasting, often embedded in safety-critical machinery. Following the AI Omnibus political agreement of 7 May 2026, AI embedded in Annex I machinery products is excluded from the AI Act, with product safety compliance governed solely by Regulation (EU) 2023/1230 (the “Machinery Regulation”), which replaces Directive 2006/42/EC from January 2027. Directive (EU) 2022/2555 (the “NIS2 Directive”), the Cyber Resilience Act (Regulation (EU) 2024/2847), the Data Act and, where personal data is involved, the GDPR continue to apply alongside it.

Industrial AI outside the Annex I machinery exclusion may qualify as high-risk under the AI Act, triggering the obligations described at 3.2 Jurisdictional Law; for excluded machinery products, safety and liability exposure is governed solely by the Machinery Regulation, requiring essential health and safety standards and CE marking. Additional constraints arise from cybersecurity rules (NIS2 and Cyber Resilience Act), data access obligations (Data Act) and GDPR proportionality requirements for workforce monitoring. Non-compliant AI-enabled machinery cannot be placed on the market; enforcement is decentralised across market surveillance, cybersecurity and data protection authorities.

IP protection for AI systems in the EU is governed by the European Patent Convention (EPC), copyright directives, the Database Directive (96/9/EC) and trade secrets law (Directive (EU) 2016/943), supplemented by contract. AI algorithms are not patentable as such under Article 52 EPC, but AI-related inventions may qualify where embedded in a technical application producing a further technical effect, as reflected in EPO case law (eg, Vicom, Hitachi).

Copyright protects AI software and code as literary works under Directive 2009/24/EC where the originality threshold is met; algorithms, functionalities and data formats are not protected (CJEU, SAS Institute). Datasets may qualify for copyright where selection or arrangement is original, and for sui generis database rights where there has been substantial investment, particularly for training datasets.

Trade secret protection plays a central role for model weights, training methods and optimisation techniques, provided secrecy, commercial value and reasonable protection are maintained. Contractual IP allocation is critical, addressing ownership of inputs, outputs, models and improvements, with provider terms often granting broad rights and limiting customer ownership.

AI systems also create infringement risks where training data includes protected works or outputs reproduce protected content, requiring dataset governance, licensing and contractual risk allocation.

AI cannot currently be named as inventor or author under EU law. Copyright requires an “author’s own intellectual creation” – a human-centred test – and patent systems treat inventors as natural persons. Purely AI-generated works with no meaningful human contribution are unlikely to qualify for protection.

AI-assisted works may qualify for protection where a human exercises significant creative control (eg, selection, arrangement, editing), with ownership following ordinary copyright rules. In the absence of sufficient human contribution, outputs may remain unprotected, subject only to contract, database rights or trade secrets. Moral rights remain human-centred; AI cannot hold attribution or integrity rights, though AI use may infringe those of human creators in deepfakes or voice replication. The EU has not created a specific IP right for autonomous AI-generated works; current frameworks focus on transparency, copyright compliance and synthetic content labelling under the AI Act.

At EU level, copyright issues in AI training are governed by the InfoSoc Directive (2001/29/EC), the DSM Copyright Directive ((EU) 2019/790) and the AI Act. Use of copyrighted works for training will generally constitute reproduction under Article 2 InfoSoc Directive, as ingestion, copying and storage of works (including via web scraping) fall within its scope, requiring authorisation unless an exception applies.

The main exceptions are the text and data mining (TDM) provisions of Directive 2019/790: Article 3 (for scientific research) and Article 4 (a general exception covering commercial use, subject to lawful access and the rights-holder’s opt-out). There is no EU equivalent to “fair use”; exceptions are interpreted strictly.

Where no exception applies, licences are required, though individual licensing is often impractical at scale. Liability risks arise where outputs reproduce or closely resemble training data, with model memorisation and recognisable reproduction potentially constituting infringement.

The AI Act imposes obligations on GPAI providers, including copyright compliance policies, training data summaries and respect for opt-outs, ensuring that EU copyright law applies regardless of where training occurs.

At EU level, AI-generated works of art are assessed under the CJEU’s “own intellectual creation” test, requiring free and creative human choices. Purely AI-generated works are unlikely to qualify for copyright protection. AI-assisted works may be protected where a human makes significant creative choices through prompt selection, curation, editing or arrangement, with ownership following normal rules. Moral rights remain attached to human authors; the AI Act imposes transparency and copyright compliance obligations on GPAI providers but does not create a specific right for autonomous AI-generated works.

IP issues for foundation models and open-source AI in the EU sit at the intersection of copyright law and the AI Act. Models, weights, code and datasets may attract protection, with licensing and contractual arrangements as the main governance tools. Proprietary models restrict access via API; open-weight models provide weights under bespoke licences limiting use or redistribution, and fully open-source models follow established licences (eg, GPL, MIT), generally upheld by EU courts.

API users bear limited model-level IP risk, while self-hosting involves copying or modifying weights, making users responsible for licence compliance. Fine-tuning typically constitutes a derivative work, requiring authorisation unless permitted by licence; under copyleft, derivative models must usually be distributed under the same terms. Commercial deployment creates both training and output-stage infringement risks; provider terms commonly restrict downstream use, competing training and reverse engineering, and model merging and distillation may require authorisation and extend copyleft obligations to resulting models.

AI training involving personal data is governed primarily by the GDPR and EDPB guidance. Training datasets must rely on a valid legal basis under Articles 6 and 9 GDPR: legitimate interests (Article 6(1)(f)) commonly applies subject to a balancing test; special category data requires an additional Article 9(2) condition.

Purpose limitation under Article 5(1)(b) requires a compatibility assessment (Article 6(4)), considering the link to the original purpose, context, nature of data, impact and safeguards. Data minimisation (Article 5(1)(c)) requires restricting dataset scope and embedding privacy by design (Article 25).

Data subject rights apply to training datasets and potentially to models where personal data is embedded. Processing special category data must be strictly necessary and supported by enhanced safeguards, including Data Protection Impact Assessments (DPIAs). Pseudonymised data remains within scope; anonymised data falls outside only where re-identification is not reasonably possible. Controllers must document legal bases, purposes, assessments and safeguards, maintain records and conduct DPIAs for high-risk AI, with the AI Act adding training data governance and risk mitigation requirements.

Deployment of AI systems involving personal data is governed by the GDPR, supplemented by the AI Act, which imposes additional governance and transparency obligations, particularly for high-risk systems. A lawful basis under Article 6 GDPR is required; special category data also requires an Article 9 condition.

Privacy notices must explain AI processing, including purposes, legal basis, recipients, retention, transfers and rights; where automated decision-making or profiling is involved, they must provide meaningful information on logic and consequences. Data subjects retain all GDPR rights, with the right of access (Article 15) requiring understandable information, as confirmed in Dun & Bradstreet (2025).

Article 22 GDPR restricts solely automated decisions with legal or similarly significant effects, unless permitted by contract, consent or law, and subject to safeguards including human intervention and the right to contest. Retention must be defined for inputs, outputs, logs and model improvement data.

Children’s data requires heightened protection, including stricter minimisation, age-appropriate transparency and safeguards against harm. Compliance requires GDPR analysis, privacy-by-design measures, clear notices and effective rights mechanisms aligned with the AI Act.

EU AI data governance combines the GDPR and the AI Act: the GDPR governs personal data, while the AI Act adds life cycle requirements for high-risk systems on data quality, traceability and risk management. DPIAs are required under Article 35 GDPR where processing is likely to result in high risk – a threshold frequently met in AI contexts involving profiling, automated decision-making, large-scale processing or sensitive data. Data protection by design and by default (Article 25 GDPR) requires integrating minimisation, purpose limitation, transparency and security from the outset, complemented by AI Act data governance requirements on data quality, representativeness and bias detection.

In AI supply chains, controllers remain responsible for determining purposes and means of processing even where third-party providers are used; Article 28 GDPR requires processor contracts covering instructions, security, data subject rights assistance and audit rights. Cross-border transfers are governed by Chapter V GDPR and permitted via adequacy decisions or safeguards, with transfer impact assessments required.

Antitrust issues in AI markets are assessed under Articles 101 and 102 TFEU, the EU Merger Regulation (139/2004) and the DMA. AI acquisitions and “acqui-hires” may raise concerns where large firms acquire start-ups, talent, models, datasets or compute below traditional thresholds, with the Commission’s Article 22 referral practice being particularly relevant. Algorithmic collusion is a key concern: pricing algorithms may facilitate tacit co-ordination, and companies remain responsible for outcomes. Abuse of dominance may arise where market power derives from datasets, cloud infrastructure, GPUs, APIs or foundation models, raising issues of access, discriminatory terms, self-preferencing and ecosystem leveraging.

Vertical integration is sensitive where a provider controls cloud, compute, models and downstream applications, potentially foreclosing rivals or leveraging customer data. Exclusive dealing, tying and bundling may raise concerns where adopted by dominant firms. Foundation model markets present additional risks from high barriers to entry, network effects and limited portability.

EU cybersecurity rules apply to AI through the AI Act, NIS2, the Cybersecurity Act, the Cyber Resilience Act and the GDPR. For high-risk systems, the AI Act requires accuracy, robustness and cybersecurity, including resilience to adversarial attacks, data poisoning and input manipulation. AI systems must follow a secure life cycle: high-risk systems require risk management, documentation, logging, human oversight and post-market monitoring, while the Cyber Resilience Act adds secure-by-design obligations. Incident reporting arises under NIS2, the GDPR and the Cyber Resilience Act; supply chain security is addressed through supplier risk management. AI may also be used for cybersecurity defence, provided it complies with the GDPR and AI Act proportionality and human oversight requirements.

AI raises environmental, social and governance (ESG) considerations, though the framework remains indirect. Environmentally, the key issue is energy consumption from large-scale models and data infrastructure; the Corporate Sustainability Reporting Directive (CSRD) requires in-scope companies to report material environmental impacts, including AI-related energy use and emissions. Socially, the AI Act addresses bias, opacity, surveillance and workforce impact through requirements for high-risk systems, reinforced by the GDPR and EU non-discrimination rules.

On governance, the AI Act requires risk management, documentation and human supervision, complemented by the EU Ethics Guidelines for Trustworthy AI on fairness, robustness, transparency and accountability. ESG considerations are increasingly reflected in AI procurement and investment decisions, with attention to data quality, bias controls, cybersecurity, energy use and vendor governance.

The AI Act defines required governance outcomes – risk management, documentation, human oversight and accountability – without prescribing internal structures. Most organisations combine regulatory requirements with risk, compliance and technical functions, sometimes supported by dedicated AI or ethics boards. The AI Act requires a continuous, life cycle-based risk management approach from design through deployment and post-market monitoring, including logging, incident tracking and testing for high-risk systems.

High-risk systems require extensive technical documentation and, in some cases, fundamental rights impact assessments alongside DPIAs. Third-party governance extends due diligence, contractual safeguards and compliance verification to external providers, with incident reporting and corrective action obligations supplementing GDPR breach notification. The primary challenge is aligning AI governance with data protection, cybersecurity, product compliance and sectoral frameworks while co-ordinating technical and legal teams.

Gerrish Legal

15 rue de Surène
75008 Paris
France

Kammakargatan 47
11124 Stockholm
Sweden

+33 0 6 74 02 45 07

info@gerrishlegal.com
www.gerrishlegal.com/

Trends and Developments



Artificial Intelligence (AI) in the European Union (EU): Market Regulation, Liability and the Road Ahead

Introduction: the EU AI framework as a market regulation instrument

The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) (the “AI Act”) is now in force and progressively becoming operational through a phased implementation timeline. Since entering into force on 1 August 2024, it has been rolling out in phases, with prohibitions on the most invasive AI practices enforceable since February 2025, and the framework for general-purpose AI (GPAI) models beginning to apply from August 2025. However, key elements – particularly the Code of Practice and supervisory approach – remain under active development.

For international technology businesses, whether building AI systems, deploying them or integrating them into commercial products, the EU has become the world’s most consequential jurisdiction for AI regulation. At the same time, the framework remains in active implementation, with important elements still being clarified through standards, guidance and ongoing legislative developments.

This article examines the AI Act as a market regulation framework, the significant legislative developments currently under negotiation through the proposed Digital Omnibus amendments to the AI Act (the “Digital Omnibus”), the emerging liability landscape, remaining IP challenges, cybersecurity obligations, and the specific governance challenges posed by the rapid growth of agentic AI.

The AI Act’s Core Architecture: Risk Classification and Market Access

The AI Act is built around a risk-based classification system. Its central organising principle is that the obligations imposed on a provider or deployer of an AI system should scale proportionately with the potential harm that system can cause. At the apex are outright prohibitions; below that is a high-risk category of AI systems (“high-risk AI systems”) carrying the most extensive obligations; further down are transparency requirements for limited-risk systems, with minimal-risk systems largely unregulated.

The prohibited practices that became enforceable in February 2025 establish the outer boundaries of what EU law will permit. These include:

  • social scoring systems operated by public authorities;
  • real-time remote biometric identification in publicly accessible spaces outside narrow law enforcement exceptions;
  • AI that infers emotional states in workplace and educational settings; and
  • systems that exploit the vulnerabilities of specific groups through manipulative techniques.

For global technology companies, these prohibitions are bright lines that must be reflected in product design decisions prior to EU market entry.

The high-risk category – covering AI used in employment, access to education, credit assessment, critical infrastructure, law enforcement and judicial processes, among others – carries the most substantive compliance obligations. Providers of high-risk AI systems must:

  • implement documented risk management systems;
  • maintain specific technical documentation;
  • ensure logging of operations throughout the system’s life cycle;
  • design systems to allow for meaningful human oversight; and
  • achieve appropriate levels of accuracy and cybersecurity.

Deployers (businesses using high-risk AI systems in operational contexts) carry their own set of obligations that cannot be fully contracted away upstream.

The Digital Omnibus on AI

While a political agreement on the AI Omnibus was reached on 7 May 2026, it does not yet constitute the final legislative text: a technical meeting is expected in May 2026 to finalise it, before formal adoption and publication in the Official Journal of the European Union. Until the consolidated text is formally adopted and published in the Official Journal – expected in summer 2026 – the AI Act’s original compliance deadlines remain legally binding. The political agreement should therefore be understood as a near-final but not yet operative development: its substantive outcomes are now substantially settled but have not yet taken legal effect.

The Digital Omnibus forms part of a broader digital simplification package published by the European Commission on 19 November 2025. The package comprises two main components:

  • the Digital Omnibus Regulation Proposal, targeting amendments to the General Data Protection Regulation (GDPR), the ePrivacy Directive, NIS2 and the Data Act; and
  • the Digital Omnibus on AI Regulation Proposal, focused exclusively on targeted amendments to the AI Act.

The overarching aim is to reduce administrative burdens by at least 25% for all businesses and at least 35% for SMEs by 2029, and to strengthen EU competitiveness. The AI component was separated from the broader package to advance more quickly given approaching implementation deadlines. The key points are as follows.

Extended compliance deadlines for high-risk AI systems

The agreement confirms a postponement of the August 2026 deadline for high-risk AI obligations:

  • 2 December 2027 for Annex III standalone high-risk AI systems (including biometrics, critical infrastructure, employment and law enforcement); and
  • for AI embedded in regulated products (Annex I), machinery has been excluded from the AI Act entirely, with those products required to comply only with existing sectoral safety rules.

Until formal publication of the amending regulation, however, the original deadlines continue to apply as a matter of law.

Watermarking of AI-generated content

The agreement confirms a transparency obligation requiring providers to ensure that AI-generated audio, image, video and text content is appropriately labelled or identifiable as synthetic, applying from 2 December 2026. The precise technical approach and scope remain subject to standardisation work, but the deadline is now agreed at the political level.

New prohibited practices

The agreement introduces two new bans under Article 5 of the AI Act:

  • a prohibition on AI systems generating non-consensual intimate imagery; and
  • a prohibition on AI systems generating child sexual abuse material.

Companies have until 2 December 2026 to bring their systems into compliance with these prohibitions. These additions are in response to enforcement concerns arising from generative AI technologies and were agreed across institutions.

Sectoral conformity assessment compromise

The most contested issue concerned conformity assessment for AI systems embedded in products governed by existing EU sectoral safety legislation. The agreement introduces a compromise via a new Article 2(13) mechanism, which allows the Commission to limit, through delegated implementing acts, the application of specific AI Act requirements where sectoral legislation already provides equivalent or higher protection. The definition of “safety component” in Article 3(14) has also been tightened. This compromise avoids structural double regulation while preserving the AI Act’s risk-based framework.

The political agreement of 7 May 2026 does not repeal or fundamentally alter the AI Act’s substantive requirements. Risk classification, documentation obligations, human oversight requirements and GPAI rules remain unchanged.

With a political agreement now in place, regulatory certainty on timelines has materially improved, though formal legal effect depends on publication in the Official Journal. Businesses should therefore maintain compliance planning against existing deadlines in the short term, while preparing to transition to the amended framework once it enters into force. SME-specific simplifications, including modulated penalty provisions, were also part of the agreed package. However, the broader Data Omnibus – covering the GDPR, the ePrivacy Directive, NIS2 and the Data Act – remains subject to ongoing legislative discussions and is expected to be finalised later in 2026. 

GPAI: An Applicable but Still-Evolving Framework

The GPAI framework began applying from August 2025 and applies to providers of GPAI models placed on the EU market or made accessible within the EU. However, key elements of the regime – particularly the Code of Practice and supervisory expectations – remain under active development.

All providers of GPAI models (“GPAI providers”) must maintain technical documentation enabling downstream deployers to understand model capabilities and limitations, comply with EU copyright law (including rights-holders’ opt-outs under Directive 2019/790) and publish a summary of training data. The EU AI Office, as the supervisory authority for GPAI, has been developing a GPAI Code of Practice in collaboration with providers, civil society and technical experts. This Code represents the most detailed guidance currently available, although it does not yet fully resolve all operational questions.

For GPAI models assessed as posing systemic risk (“systemic-risk GPAI models”), additional obligations apply: adversarial testing, incident reporting and cybersecurity measures. The systemic risk threshold is currently set at training compute exceeding 10^25 floating point operations (FLOPs), though the AI Office retains discretion to apply the designation on a case-by-case basis.

For enterprise clients integrating GPAI models into commercial products, contractual structuring remains a key compliance question. Supply agreements and API terms need to address documentation delivery, allocation of transparency obligations, incident notification procedures and the respective compliance responsibilities of provider and deployer.

Data Protection: The GDPR as a Parallel and Intersecting Framework

No analysis of the EU AI regulatory landscape is complete without addressing the GDPR (Regulation (EU) 2016/679), which operates as a parallel and, in several respects, overarching framework to the AI Act wherever personal data is involved. The two instruments are not alternatives: they apply simultaneously, and the GDPR takes precedence in the event of conflict involving personal data processing in AI systems. For international technology businesses, this means that AI Act compliance does not displace GDPR obligations – it is layered on top of them. 

The most immediate point of intersection is training data. AI systems – and GPAI models in particular – are typically trained on large datasets that include personal data. That data must be processed on a valid legal basis under Article 6 GDPR (and Article 9 where special category data is involved), regardless of whether the AI Act’s own data governance requirements are also satisfied. The AI Act’s data quality and governance criteria for high-risk systems complement the GDPR but do not substitute for it: organisations must demonstrate both that their training data meets the AI Act’s quality standards and that its collection and use are lawful under the GDPR. In practice, this requires careful data provenance analysis at the outset of model development, not as a retrospective compliance exercise. 

Article 22 GDPR establishes a qualified prohibition on decisions based solely on automated processing – including profiling – that produce legal effects or similarly significant effects on individuals. This provision is directly relevant to AI deployment in high-risk categories under the AI Act, including credit assessment, employment screening, access to public services and judicial processes, where automated AI outputs are most likely to trigger Article 22. Where Article 22 applies, controllers must:

  • ensure that a valid exemption exists (contract necessity, legal authorisation or explicit consent);
  • implement suitable safeguards; and
  • critically, provide individuals with the right to obtain meaningful human intervention, to express their point of view and to contest the decision.

The GDPR’s requirement of substantive human involvement in such decisions maps directly onto the AI Act’s human oversight obligations for high-risk systems, but the GDPR’s protections operate independently and cannot be satisfied by AI Act compliance alone.

Impact assessments represent another area of direct overlap. Under Article 35 GDPR, a Data Protection Impact Assessment (DPIA) is required where processing is likely to result in a high risk to the rights and freedoms of individuals – a threshold that AI systems processing personal data for profiling, automated decision-making or large-scale monitoring will routinely meet. Separately, Article 27 of the AI Act requires deployers of high-risk AI systems to conduct a Fundamental Rights Impact Assessment (FRIA). The two assessments share conceptual territory but are not coextensive: the DPIA focuses on risks to personal data subjects, while the FRIA addresses broader systemic risks including algorithmic bias and impacts on groups not individually identifiable as data subjects. The most efficient compliance approach is to integrate the two into a unified process, with the DPIA conducted first and extended to cover the AI Act’s additional dimensions, rather than running parallel exercises. 

Transparency obligations under the GDPR (Articles 12 to 14) require that individuals be informed of the existence of automated decision-making that affects them, the logic involved, and the significance and envisaged consequences of the processing. These disclosure obligations sit alongside – and in some respects exceed – the AI Act’s transparency requirements for high-risk systems and GPAI models. For businesses structuring supply agreements and API terms in the AI value chain, the GDPR adds a further layer of contractual requirements:

  • data processing agreements between controllers and processors;
  • allocation of responsibility for data subject rights requests;
  • incident notification timelines under Article 33; and
  • the delineation of controller and processor roles across the AI provider-deployer relationship. 

Mapping AI Act roles – provider, deployer, importer, distributor – against GDPR roles of controller and processor is a practical necessity that many organisations have yet to complete. Providers of high-risk AI systems are also required under Article 47 and Annex V of the AI Act to include a statement of GDPR compliance in their declaration of conformity where the system involves personal data processing, creating a formal link between the two frameworks at the point of market access.

IP: Unresolved Tensions in a High-Stakes Environment

One area where the AI Act provides only a partial answer is IP. The Act requires GPAI providers to implement copyright compliance systems and respect rights-holders’ opt-outs under the Digital Single Market Directive (Directive 2019/790). What it does not resolve are the underlying substantive IP questions that are now being litigated across multiple jurisdictions.

Training data and the text and data mining (TDM) exception

The TDM exception under Article 4 of the Digital Single Market Directive permits reproduction of lawfully accessible content for the purposes of text and data mining, subject to rights-holders not having reserved their rights in an appropriate machine-readable form. The application of this exception to large-scale AI training raises questions that neither the Directive nor the AI Act fully answers:

  • whether the exception covers the validation and testing phases of model development as well as initial training;
  • whether it permits the content modifications often necessary to format data for AI use; and
  • whether outputs that economically compete with the source materials are properly within the exception’s scope.

Copyright infringement in model outputs

Whether a GPAI model’s output infringes the IP rights in its training materials requires case-by-case analysis. An output that reproduces substantial protected expression from training data may infringe; one that shares only style or structure typically will not, given that literary and artistic style is not itself protectable in most EU legal systems. The legal proceedings brought by major content publishers against AI developers in both the USA and Europe are beginning to produce analytical frameworks, though definitive EU case law remains limited.

Ownership of AI-assisted creative outputs

EU copyright law requires that a protectable work constitute the author’s own intellectual creation, reflecting their personality and creative choices. Where a human creator uses an AI system as a tool – making meaningful creative decisions in the conception, execution and editing of the work – existing EU copyright law, including the CJEU’s analysis in Painer (Case C-145/10), supports protection in the conventional way. Where the AI system operates substantially autonomously and the human contribution is limited to formulating a prompt, the prevailing view is that the output does not attract copyright protection. For businesses building products on generative AI outputs, this distinction has commercial significance: the IP ownership position of AI-generated content needs to be assessed and disclosed appropriately in both customer contracts and licensing arrangements. 

AI Liability: What the Current Framework Covers and Where Gaps Remain

The revised Product Liability Directive (Directive (EU) 2024/2853) is now in force and extends traditional product liability to cover AI systems and AI-enabled goods. It acknowledges that an AI system can become defective through post-deployment learning and adaptation, not just at the point of manufacture – a recognition of the distinctive temporal dynamics of AI. It introduces disclosure mechanisms that assist claimants in obtaining evidence of AI system behaviour, addressing the inherent opacity of AI systems that makes such litigation factually complex. 

The Artificial Intelligence Liability Directive, which would have introduced harmonised fault-based liability rules and structured presumptions of causality for AI-related damage, was ultimately abandoned. The result is a residual gap: fault-based AI liability outside the product context continues to be assessed under national law, which varies significantly across member states. For businesses operating across multiple EU jurisdictions, this creates a patchwork exposure that is difficult to model and requires jurisdiction-specific analysis.

In the current landscape, contractual allocation of risk takes on heightened importance. Supply agreements, service contracts and API terms are the primary mechanism through which AI liability exposure is managed between parties in the value chain. Key provisions include:

  • indemnification for regulatory non-compliance by upstream providers;
  • incident notification and disclosure obligations;
  • the allocation of responsibility for technical documentation; and
  • the scope of warranties regarding system performance and accuracy.

Cybersecurity: The EU Cyber Resilience Act (CRA) and Its Interaction With the AI Act

The CRA (Regulation (EU) 2024/2847) introduces mandatory cybersecurity requirements for products with digital elements placed on the EU market. AI systems that are commercially distributed fall within its scope as software products. The CRA requires cybersecurity risk assessments, documented vulnerability management processes, secure-by-default configurations, rapid patching and security update obligations, and incident reporting to the European Union Agency for Cybersecurity (ENISA).

The CRA’s interaction with the AI Act is directly relevant for businesses building AI products. High-risk AI systems under the AI Act already face cybersecurity obligations under Article 15. GPAI models with systemic risk face cybersecurity requirements under Article 55. The AI Act’s implementing rules create linkages between the two instruments, though the current framework does not yet require the most stringent CRA conformity assessment procedures for all GPAI models – a gap that may be addressed through delegated acts.

For businesses placing AI products on the EU market, cybersecurity compliance is most efficiently embedded at the design and architecture stage. The cost of retrofitting security documentation, vulnerability management processes and update mechanisms after product development is complete is materially higher than building them in from the outset. The CRA’s requirements should inform technical architecture decisions, not just post-development documentation exercises.

Agentic AI: A Governance Challenge That the Framework Is Still Catching Up With

The most commercially dynamic area of AI deployment – and the one where the regulatory framework is evolving most rapidly – is agentic AI. AI agents are systems designed to operate autonomously across multi-step tasks, interacting with external tools, APIs, data sources and other systems to complete complex objectives with limited human intervention. Enterprise adoption has accelerated sharply through 2025 and into 2026, with agents deployed across legal, financial, operational and customer-facing workflows. 

The AI Act’s risk classification applies to the overall purpose and output of an AI system, not to its technical components in isolation. An agent that performs high-risk functions – such as scoring candidates in a recruitment workflow, generating credit assessments, or making access decisions – is subject to high-risk obligations regardless of whether the individual components of that agent are low-risk in isolation. This output-centric analysis is the correct starting point but requires careful judgement given the novelty of many agentic architectures. 

Several governance questions are particularly acute for agentic deployment, including the following.

Multi-party responsibility

Agentic systems typically combine a foundation model, an orchestration layer, tool-calling interfaces and enterprise data sources – often from different vendors. The AI Act’s allocation of responsibility between providers and deployers was designed with more conventional AI architectures in mind. Businesses deploying agents need to map their specific architecture to the Act’s responsibility framework and ensure that contractual arrangements reflect the resulting allocation of obligations. 

Meaningful human oversight

High-risk AI obligations require that AI systems be designed to allow human oversight and, where appropriate, intervention before consequential outputs take effect. For agentic systems executing long autonomous task chains, designing oversight that is substantive rather than nominal requires deliberate architectural choices – not a post-hoc approval interface that rubber-stamps automated decisions already taken. 

Transparency and auditability

The AI Act’s logging and record-keeping requirements for high-risk systems are designed to enable post hoc review of system behaviour. For agentic systems, where the sequence of actions taken to complete a task may be complex and multi-step, building adequate audit trails into the architecture from the outset is both a compliance requirement and a risk management discipline.

The Case for Proactive Compliance as a Commercial Strategy

The businesses best positioned for sustainable commercial success in EU markets are those that treat the AI regulatory framework as a structural input to product and business design rather than as an external constraint. This is not primarily a compliance observation – it is a commercial one.

AI Act compliance documentation is increasingly a competitive asset. Enterprise procurement in regulated sectors – including financial services, healthcare, public administration and critical infrastructure – now routinely requires evidence of robust AI governance as part of vendor qualification. The ability to demonstrate compliant systems, meaningful human oversight, transparent data practices and strong cybersecurity controls is therefore becoming a prerequisite for market access.

More fundamentally, products designed with the AI Act in mind from the outset – incorporating risk management systems, technical documentation, logging infrastructure and oversight mechanisms at the architectural level – are better positioned to withstand regulatory evolution. They require less remediation as implementing acts, harmonised standards and supervisory guidance continue to develop, and they are more resilient in commercial due diligence processes across investment, acquisition and procurement cycles. 

With the extended timelines agreed under the Digital Omnibus political agreement of 7 May 2026, businesses have some additional implementation runway available. However, this does not signal any reduction in regulatory ambition. The direction of EU AI regulation is broadly settled, and the agreed framework confirms that substantive obligations remain intact. Businesses that use the available window to embed compliance into product design and organisational capability will be better positioned than those that treat implementation as a downstream exercise.

Gerrish Legal

15 rue de Surène
75008 Paris
France

Kammakargatan 47
11124 Stockholm
Sweden

+33 0 6 74 02 45 07

info@gerrishlegal.com www.gerrishlegal.com/