AI & Law

📖AI Agents Under EU Law: Compliance Architecture Proposal Published A new paper titled “AI Agents Under EU Law: A Compliance Architecture for AI Providers” analyzes how AI agents are regulated under the EU legal framework. The authors define AI agents as systems capable of autonomous planning, tool use, and multi-step execution with reduced human involvement, deployed across domains such as customer service, recruitment, clinical decision support, and critical infrastructure management. The paper maps regulatory obligations under the EU AI Act alongside GDPR, Cyber Resilience Act, Digital Services Act, Data Act, Data Governance Act, NIS2 Directive, Product Liability Directive, and other sectoral rules. It also integrates draft harmonised standards under CEN/CENELEC JTC 21, the GPAI Code of Practice (July 2025), the CRA standards programme (April 2025), and Digital Omnibus proposals (November 2025). A taxonomy of nine deployment categories is proposed, linking agent actions to regulatory triggers. Key compliance issues identified include cybersecurity risks (including privilege minimization outside the model), human oversight limitations due to reinforcement learning-based evasion, transparency challenges in multi-party action chains, and runtime behavioral drift under Article 3(23). The authors propose a twelve-step compliance architecture and a regulatory trigger mapping system, concluding that agentic systems with untraceable behavioral drift cannot currently meet essential AI Act requirements, and that providers must focus on exhaustive mapping of actions, data flows, systems, and affected individuals rather than classification alone. #AIRegulation#EULaw#AIAgents#AIAct#Compliance

🌐📖Holistic AI: “AI Regulations in 2026” Maps Compliance by Sector Holistic AI released a new ebook, AI Regulations in 2026, describing 2025 as a mixed year for AI regulation: policy attention remained high in HR tech, financial services, insurance, and generative AI, while both the US and EU made efforts to soften or withdraw certain AI rules. The report shifts from a country-by-country format to a sector-based approach to help organizations identify relevant obligations by use case. Key themes highlighted include non-discrimination and transparency in HR tech (including notice requirements and bias audits), sandbox-style oversight for AI in financial services, and insurance-specific regulation alongside reliance on existing regulatory frameworks, including laws such as Colorado’s SB169. The ebook also notes increasing scrutiny of AI-driven dynamic pricing in the US, targeting areas such as rent and ticket pricing. Generative AI remains a regulatory priority globally, with laws focusing on deepfakes, AI use in the judiciary, and AI companions with disclosure requirements. The report emphasizes that risk-based frameworks, especially the EU AI Act, continue to shape global approaches, while international cooperation is growing through initiatives linked to UNESCO, the UN, the Council of Europe, and ASEAN. Holistic AI recommends proactive compliance through system inventorying and lifecycle safeguards. #AIRegulation#AIGovernance#Compliance#EUAIAct#HRTech#FinTech

📖IAPP Expands Its AI Governance Lexicon to 101 Key Terms The International Association of Privacy Professionals (IAPP) has released an expanded version of its Key Terms for AI Governance, now including over 100 core concepts used by professionals across the AI policy and compliance space. The initial glossary, published in fall 2023, contained 61 terms; the 2025 update integrates new terminology reflecting emerging AI use cases and governance challenges identified by the IAPP community and its collaborators. Each definition draws on authoritative sources, including legislative texts, international frameworks, and governmental reports, ensuring alignment with the evolving global AI governance landscape. By codifying shared language and meaning, the IAPP glossary functions as a reference point for practitioners seeking consistency in interpretation and application of AI governance principles across jurisdictions. #AI#Governance#Law#Ethics#IAPP#Terminology#Compliance#AIGovernance

📖Global AI Governance: One Landscape, Many Roads A new report from Bird & Bird provides a comparative snapshot of how different regions are approaching AI governance—and what this means for global businesses. Covering the EU, UK, Asia, the Middle East, and Australia, the analysis maps current frameworks, industry-specific challenges, and emerging trends. In parallel, the report outlines key areas companies must address to stay ahead of regulation: from defining internal responsibility and building robust risk management systems, to updating compliance processes and renegotiating AI-related contracts. As regulatory divergence deepens, this kind of cross-border understanding is no longer optional—it's strategic. #AIGovernance#Compliance#AIRegulation

📖EU AI Act: Compliance Challenges and Costs The EU AI Act categorizes AI systems by risk level, requiring different compliance measures accordingly. A new paper, "European AI Standards – Technical Standardization and Implementation Challenges under the EU AI Act", analyzes these requirements and provides practical guidance for adherence. The authors argue that the current standardization framework creates a disproportionate financial burden for companies. They propose policy changes to reduce compliance costs while maintaining regulatory objectives. The paper also compares the EU AI Act’s standards with the ISO AI framework, highlighting key differences. #AIAct#AIRegulation#Compliance#LegalTech#AIStandards

🇸🇪Sweden’s Data Protection Authority on GenAI & GDPR The Swedish Data Protection Authority (IMY) has released new guidance on how public authorities—and by extension, private organizations—should approach generative AI while ensuring GDPR compliance. The report addresses key legal questions, from determining the legal basis for processing personal data to assessing risks and implementing safeguards. With automated decision-making and cross-border data transfers under scrutiny, this guidance offers a structured approach to responsible AI deployment. As generative AI adoption grows, aligning with these principles will be crucial for organizations navigating the evolving regulatory landscape. #AIRegulation#DataProtection#GDPR#GenAI#Compliance

European Commission's AI Codes of Practice: A Self-Regulation Concern? According to Euractiv, the European Commission plans to let AI model providers draft codes of practice for compliance with the AI Act, with civil society organizations consulted during the process. This approach has sparked concerns about industry self-regulation, as these codes will serve as compliance measures for general-purpose AI models until harmonized standards are set. The Commission may grant EU-wide validity to these codes through an implementing act. Some civil society members worry this could enable Big Tech to essentially write their own rules. The AI Act's language on stakeholder participation in drafting these codes is ambiguous. The Commission has stated that an upcoming call for expressions of interest will clarify how various stakeholders, including civil society, will be involved. However, specifics are still lacking. An external firm will be hired to manage the drafting process, including stakeholder engagement and weekly working group meetings. The AI Office will oversee the process but will primarily focus on approving the final codes. #AIRegulation#EUCommission#AICodes#AIAct#Compliance

Corporate Leaders Skeptical About AI Policy Effectiveness, BRG Report Finds According to Berkeley Research Group's Global AI Regulation Report, only 36% of corporate leaders believe current and future AI policies will provide the necessary guardrails. This report, drawing from over 200 corporate leaders and executive-level lawyers worldwide, evaluates the current AI regulatory landscape and identifies key challenges and priorities for effective AI governance. The report highlights a significant gap in confidence regarding compliance readiness, with many organizations struggling to implement internal safeguards for responsible AI use. Notably, the retail and consumer goods sectors are particularly lagging in this aspect. Future AI policy priorities include data integrity, security, and accuracy, though opinions vary by region and industry. Executives and respondents from the technology and financial services sectors prioritize adaptability and transparency, while lawyers and those in retail favor enforceability and strictness. The report underscores the growing divergence between the US and EU on AI regulation, complicating the creation of broad, comprehensive guidelines. #AI#AIRegulation#Compliance#AIEthics

France's CNIL Releases Initial Opinions on AI and GDPR Compliance Hello, everyone! France's data protection authority, the Commission nationale de l'informatique et des libertés (CNIL), has unveiled its initial perspectives on ensuring that artificial intelligence (AI) deployments adhere to the European Union's General Data Protection Regulation (GDPR). In its assessment, the CNIL recognizes the GDPR's role in providing an "innovative and protective framework" for AI. Moreover, the CNIL emphasizes how specific GDPR principles can be applied across a spectrum of AI technologies. #AI#GDPR#CNIL#DataProtection#Compliance

German AI Association highlights the key issues that need to be addressed in the AI Act negotiations German AI Association issued a position paper on the Artificial Intelligence Act, the text of which is currently subject to trilogue negotiations between the EU legislators. The paper singles out generative AI, definitions of AI, high-risk AI systems, standardisation and support for innovation as the key topics negotiators should get right during trilogues. #AI#EuropeanUnion#AIRegulations#AIAct#GenerativeAI#Transparency#Compliance#ResponsibleAI

Civil society calls for a broad scope and definition of AI systems On July 4, 2023, a number of Civil society Organisations participating in the European Committee on the Artificial Intelligence (CIA) sent a letter to the CAI Chair and Secretariat. In the statement the CSOs underscore the urgency of the Framework Convention on AI, rule of law, human rights and democracy as the challenges arising from the design, development and deployment of AI systems increase. The CSOs call on the drafting group to ensure, among other priorities: 1️⃣ A transversal, binding legal instrument with a broad definition of AI and without blanket exemptions (e.g., excluding AI systems for national defence and/or national security). 2️⃣ Mandatory and publicly accessible impact assessments on human rights, democracy and rule of law for AI systems deployed by public entities or otherwise presenting a high level of risk. 3️⃣ Clear guidelines and criteria for prohibitions of unacceptable AI systems. 4️⃣ Effective redress mechanisms, independent oversight and enforcement mechanisms for the Convention implementation. #AI#EuropeanUnion#AIRegulations#AIAct#GenerativeAI#Transparency#Compliance#ResponsibleAI

Research on compliance with the AI Act Stanford University researchers have conducted a thorough evaluation of major foundation model providers, including OpenAI and Google, to assess their compliance with the European Parliament's version of the AI Act. The findings reveal that these providers currently do not fully meet the Act's requirements, but the researchers believe that it is possible for them to do so in the future. One key observation from the analysis is the lack of adequate information disclosure by foundation model providers. Important details regarding data, compute, deployment, and key characteristics of their models are often not transparently shared. This raises concerns about transparency and accountability in the AI ecosystem. To address these challenges, the researchers suggest that EU policymakers consider additional factors to ensure that foundation model providers become more transparent and accountable. They emphasize the need for policymakers to apply these requirements selectively to influential providers, while avoiding excessive burden on smaller companies. Furthermore, it is crucial to allocate the necessary technical resources and expertise to the agencies responsible for enforcing the AI Act. Can policymakers ensure transparency and accountability in the rapidly evolving field of AI, while also fostering innovation and supporting smaller companies? #AIAct#FoundationModels#Transparency#Accountability#Compliance#Innovation