With the majority of obligations for general-purpose AI (GPAI) models set to take effect on 2 August 2025 (AI Act, Chapter V, Art. 53), the European Commission has published the long-awaited GPAI Code of Practice on 10 July 2025. The document—developed by independent experts—serves as voluntary guidance to help GPAI providers prepare for compliance under the EU AI Act. It focuses on three key areas: Copyright, Transparency, and Safety & Security.

On 8 May 2025, the Danish Parliament adopted a bill aimed at introducing additional provisions for the regulation of artificial intelligence in Denmark, in accordance with the EU AI Act. The text lays down the designation of national competent authorities and the penalties for violations of the EU AI Act, the law as well as related national legislation and implementing acts.

In a decisive move early on July 1, the U.S. Senate voted 99–1 to pass an amended version of the One Big Beautiful Bill (OBBBA), stripping out a controversial provision that would have blocked state-level regulation of artificial intelligence. The amendment, introduced by Sen. Marsha Blackburn (R-TN), eliminated a proposed 10-year moratorium that had tied state compliance to access to federal funds.

The French data protection authority (CNIL) published two new practical fact sheets designed to help actors developing AI systems to comply with the GDPR. The CNIL shares its recommendations on the use of legitimate interest as a legal basis for the development of AI systems and focuses on the collection of data through web scraping.  

The European Commission has launched a public consultation on high-risk AI systems, seeking stakeholder insights to clarify classifications, obligations, and governance under the EU AI Act. Open until 18 July 2025—contribute to shaping future AI regulation in Europe.

The AI Regulation Chair is proud to announce its significant contribution to the book “The EU Artificial Intelligence (AI) Act: A Commentary”. This comprehensive work contains analyses from numerous experts and academics in the field. The Chair’s contribution includes a commentary on Articles 16 and 17 of the AI Act, which deal with the obligations of providers of high-risk AI systems and the implementation of a quality management system.

Insights on how GDPR should adapt to the rise of Generative AI as host Sergio Maldonado interviews Professor Theodore Christakis, director of the MIAI AI-Regulation Chair. They examine the EDPB’s latest Opinion, the DeepSeek case, the challenge of AI “hallucinations,” and the future of AI governance.

The Commission Nationale de l’Informatique et des Libertés (CNIL), the French data protection authority, recently published two recommendations to support innovation in the field of artificial intelligence (AI) in accordance with the General Data Protection Regulation (GDPR). It adopts a didactic approach, issuing recommendations, best practice and explanations on how to apply the principles of the GDPR in the context of AI.

In a decision rendered on 30 December, 2024, the Conseil d’État (Council of State) dismissed the appeal made by four associations against Decree 2023-283 on the use of drones by law enforcement agencies.  The Conseil d’État has reversed its position and authorised law enforcement agencies to use drones.  It stated that the existing legal framework guaranteed compliance with the requirements for the protection of personal data and privacy as laid down by national and European law.

The United States’ Intelligence Community1 (IC) has released Interim Guidance about the acquisition and use of foundation AI models (FMs).  This guidance has been provided by inter-agency lawyers and concerns the application of AG guidelines and policies to the IC’s acquisition and use of FMs. As well as clearly suggesting that IC elements will use FMs for intelligence purposes, the document provides additional guidance concerning model acquisition, modification, augmentation, prompts and outputs.

In October 2024 the International Enforcement Cooperation Working Group (IECWG) from the Global Privacy Agency(GPA) issued a Concluding Joint Statement on data scraping and the protection of privacy. It completes the Initial Joint Statement on data scraping and the protection of privacy published in August 2023. It contains three objectives: firstly, to outline the key privacy risks associated with data scraping; secondly, to set out how Social Media Companies (SMCs) and other organisations should protect individual personal information; and thirdly, to set out measures that individuals can take to protect their personal data. 

The European Commission’s Artificial Intelligence (AI) office has initiated a targeted consultation with stakeholders on guidelines for defining AI systems and applying prohibitions on certain high-risk AI practices, as outlined in the EU AI Act. This consultation represents a significant step in preparing for the implementation of these provisions, which will come into effect on 2 February 2025, six months after the AI Act’s entry into force. The guidelines are expected to be finalised and published in early 2025, providing practical assistance to businesses, regulators, and other stakeholders in meeting their obligations under the Act.