As of 2 August 2025, the European Union’s AI Act moved from regulatory theory to operational reality. Member States’ market surveillance authorities (MSAs) are now empowered to enforce Article 5 prohibitions on harmful AI practices — the most severe category of infringement under the regulation. For CFOs, General Counsel, and compliance officers at mid-market companies deploying or developing AI systems in Europe, this is not a future risk to be monitored. It is a present legal exposure requiring immediate governance action.
What Changed on 2 August 2025 — and Why It Matters
The EU AI Act operates on a staggered implementation timeline, but the August 2025 milestone is structurally significant for two reasons. First, national competent authorities — MSAs and, in several Member States, Data Protection Authorities (DPAs) — have now been formally designated and notified to the European Commission. Enforcement is live, decentralized, and operationally active. Second, obligations for General-Purpose AI (GPAI) models also became applicable on this date, though providers of pre-existing models retain a transitional window until 2 August 2027.
The penalty framework leaves little room for ambiguity. Violations of Article 5 prohibited practices — including real-time biometric surveillance in public spaces, social scoring by public authorities, and AI systems exploiting psychological vulnerabilities — carry fines of up to €35 million or 7% of worldwide annual turnover, whichever is higher. Violations related to data governance and transparency obligations attract penalties of up to 4% of global turnover. For mid-market firms with international revenue bases, these figures are material at the board level.
The structural parallel to GDPR enforcement is deliberate and instructive. Just as data protection authorities became the primary supervisors of personal data processing under GDPR, DPAs in several jurisdictions are now co-responsible for AI Act oversight — particularly for high-risk AI systems that intersect with data privacy and automated decision-making. This overlap creates both compliance complexity and, for well-prepared organizations, an opportunity to leverage existing GDPR infrastructure.
Decentralized Enforcement and the Multi-Regulator Risk
Unlike the centralized model of the European Central Bank in financial supervision, AI Act enforcement is explicitly fragmented. MSAs, DPAs, and the EU AI Office each hold jurisdictional roles depending on the AI system’s risk classification and the nature of the alleged infringement. For multinational organizations operating across multiple Member States, this creates a material enterprise risk management challenge: a single AI deployment may be subject to concurrent scrutiny from regulators in different jurisdictions applying locally nuanced interpretations of the same regulation.
This mirrors the early years of GDPR enforcement, where divergent national DPA priorities created uneven compliance landscapes. Companies that treated GDPR as a pan-European compliance program — rather than a country-by-country exercise — generally fared better. The same logic applies here. Organizations should map their AI systems against Article 5 and Annex III risk classifications at the enterprise level, not the subsidiary level, and establish a single point of accountability for regulatory compliance across jurisdictions.
For firms subject to AML obligations or operating in regulated financial services, the intersection is particularly acute. AI-driven transaction monitoring, credit scoring, and customer due diligence tools may simultaneously engage AI Act risk classifications, GDPR Article 22 automated decision-making restrictions, and sector-specific EBA or ESMA guidance. Legal and compliance teams should conduct a cross-regulatory impact assessment before the end of Q3 2025.
Implications for Corporate Governance and ESG Reporting
The AI Act’s Article 10 requirements — governing data quality, accuracy, and fairness for high-risk AI systems — are increasingly being read alongside ESG reporting frameworks. Institutional investors and rating agencies are beginning to treat AI governance maturity as a proxy for broader corporate governance quality. Boards that cannot demonstrate structured oversight of AI risk — including documented prohibited-practice screening and GPAI transparency compliance — face reputational and financing risk beyond the regulatory fine itself.
The EU AI Pact and the AI Act Service Desk offer voluntary early compliance pathways, particularly useful for GPAI transparency and copyright obligations. Mid-market firms should treat participation not merely as a goodwill gesture, but as a documented record of good-faith compliance effort — a factor that national authorities are likely to weigh in enforcement discretion decisions.
Key Takeaway for Decision-Makers
The window for treating EU AI Act compliance as a roadmap exercise has closed. Article 5 is enforceable today. Boards and executive teams should prioritize three actions immediately:
- Conduct an Article 5 prohibited-practice audit across all AI systems currently deployed or in development, with documented legal sign-off.
- Establish cross-functional AI governance ownership — integrating Legal, Compliance, Data Privacy, and Technology — with clear escalation paths to the board.
- Align AI risk classification with existing GDPR and AML compliance frameworks to avoid duplicative effort and ensure coherent regulatory positioning across jurisdictions.
The firms that navigate this transition successfully will be those that treat AI governance not as a compliance cost, but as a component of durable enterprise value.