What is AI regulation in Europe?
AI regulation: countries and regions
AI regulation in Europe is layered, not single. The EU operates the binding, risk-based AI Act alongside the GDPR for data and a revised product liability regime. Non-EU states differ: the UK uses a principles-based, regulator-led approach, Switzerland keeps a sector-specific model, and Norway brings the AI Act in through the EEA. Above all sits the Council of Europe treaty, a human-rights instrument open beyond Europe. This hub maps those layers and routes you to country detail.
Reviewed by Jackie, Head of Learning & Development, Levellers · Last reviewed 8 June 2026
What this means
There is no one "European AI law". Instead there are several overlapping layers. The most detailed is the European Union's AI Act, a binding regulation that sorts AI by risk and applies across all 27 EU members. Sitting beside it are the GDPR, which governs personal data, and a revised product liability regime that now treats software and AI as products.
A second layer covers states outside the EU. The United Kingdom has so far declined a single AI statute and instead asks existing regulators to apply common principles. Switzerland is keeping its sector-by-sector approach while preparing targeted legal changes. Norway, Iceland and Liechtenstein are not EU members but are tied to the single market through the EEA, so the AI Act reaches them by a separate route.
A third layer is the Council of Europe's Framework Convention on AI, the first international treaty on the subject. It is a human-rights instrument rather than a product-safety rulebook, and it is open to countries well beyond Europe. This page explains how these pieces fit together and points you to the dedicated articles for each instrument and country.
Why it matters
If you build, sell or deploy AI that touches people in Europe, more than one regime can apply to the same system at the same time. An AI hiring tool can be a high-risk system under the EU AI Act, a personal-data operation under the GDPR, and a "product" under the revised liability rules, all at once. The layers also diverge by country: what is principle and guidance in London can be binding obligation in Dublin or Rome. Reading Europe as a single block leads to compliance gaps. Reading it as a map of related layers is the practical way to plan.
How it works
The EU layer: the AI Act
The EU AI Act (Regulation (EU) 2024/1689) is the centrepiece. It entered into force on 1 August 2024 and applies in phases. Bans on a set of "unacceptable risk" practices, plus AI literacy duties, applied from 2 February 2025. Governance rules and obligations for general-purpose AI models applied from 2 August 2025. The heaviest duties, for high-risk systems, were originally set for 2 August 2026, with product-embedded high-risk systems following in 2027. We do not restate the Act in detail here; see the dedicated EU AI Act page.
The timeline is changing. On 19 November 2025 the European Commission proposed a "Digital Omnibus" to simplify implementation, and on 7 May 2026 the Council and Parliament reached a provisional agreement. If adopted as agreed, obligations for stand-alone (Annex III) high-risk systems move from 2 August 2026 to 2 December 2027, and product-embedded (Annex I) high-risk systems move to 2 August 2028. The agreement also adds a new prohibited practice on AI-generated non-consensual intimate imagery and child sexual abuse material. As at the date of writing this is a provisional political agreement, not yet adopted law, so the original dates remain the legal baseline until the amendment is published in the Official Journal. Treat the new dates as expected, not settled.
Who runs it: the Commission, the AI Office and the boards
Enforcement is two-tiered. The European AI Office, inside the European Commission, supervises general-purpose AI models and coordinates the EU-wide approach. National authorities supervise most other AI systems in their territory. Three advisory bodies support the system: the European Artificial Intelligence Board (representatives of the member states), a Scientific Panel of independent experts, and an Advisory Forum of stakeholders. The Board coordinates national authorities; the Scientific Panel can issue alerts on systemic risks from general-purpose models.
How member states implement it
A regulation applies directly, but the AI Act still leaves member states to designate national competent authorities, at least one market surveillance authority and one notifying authority, by 2 August 2025. Many missed the deadline, and designation has been uneven. Italy went furthest, adopting Law No. 132/2025, the first national AI law in the EU, which names AgID and the National Cybersecurity Agency as its authorities. Spain created AESIA (Agencia Espanola de Supervision de la Inteligencia Artificial) by Royal Decree 729/2023 of 22 August 2023, operational since June 2024 and described as the first dedicated AI supervisory agency in the EU, headquartered in A Coruna. Several large states were still finalising designations into 2026. Country detail lives in the individual country articles linked below.
The GDPR layer
The GDPR (Regulation (EU) 2016/679) is not an AI law, but it governs any AI that processes personal data. Article 22 restricts decisions based solely on automated processing that produce legal or similarly significant effects. The Court of Justice confirmed in SCHUFA Holding (Scoring), Case C-634/21, judgment of 7 December 2023 (OQ v Land Hessen), that automated credit scoring is "automated individual decision-making" under Article 22 where a third party to which that probability value is transmitted draws strongly on it to establish, implement or terminate a contractual relationship. On 18 December 2024 the European Data Protection Board adopted Opinion 28/2024 "on certain data protection aspects related to the processing of personal data in the context of AI models", requested by the Irish Data Protection Commission under Article 64(2) GDPR, addressing when a model is anonymous and when legitimate interest can justify training on personal data. The AI Act and GDPR apply cumulatively: a high-risk system making individual decisions must satisfy both.
The liability layer
The picture here changed in 2025. The proposed AI Liability Directive, which would have eased the burden of proof for people harmed by AI, was withdrawn by the Commission, formally confirmed in 2025, citing no foreseeable agreement. What survives is the revised Product Liability Directive (Directive (EU) 2024/2853), which member states must transpose by 9 December 2026. It treats software and AI systems as "products" subject to no-fault liability and eases evidence rules for claimants. With the AI Liability Directive gone, this directive plus national tort law now carries civil liability for AI harm. See the AI liability page.
Non-EU Europe: the UK, Switzerland, Norway and the EEA
The United Kingdom has no single AI Act. Its framework rests on the March 2023 White Paper's five cross-sector principles, applied by existing regulators such as the ICO, FCA, CMA and Ofcom. The AI Safety Institute was renamed the AI Security Institute in February 2025. Ministers have signalled targeted legislation for the most powerful "frontier" models, but no government Bill has yet passed.
Switzerland has no horizontal AI law. On 12 February 2025 the Federal Council decided to ratify the Council of Europe Convention and to make targeted, mostly sector-specific changes to Swiss law, with broad cross-sector rules confined to areas such as data protection. Switzerland signed the Convention in March 2025; a consultation draft is expected by the end of 2026.
Norway, Iceland and Liechtenstein are EEA EFTA states. The AI Act is marked EEA-relevant and is being assessed for incorporation into the EEA Agreement; the three participate in AI Board meetings as observers. Norway published a draft national AI Act (KI-loven) for consultation in mid-2025, proposing the communications regulator Nkom as coordinating supervisor, with entry into force aligned to the EU in 2026.
The Council of Europe layer
The Council of Europe Framework Convention on AI (CETS No. 225) is the first international legally binding treaty in the field. It was adopted by the Council of Europe Committee of Ministers on 17 May 2024 and opened for signature on 5 September 2024 in Vilnius. Per the Council of Europe, it will enter into force on the first day of the month following the expiration of a period of three months after the date on which five signatories, including at least three Council of Europe member states, have ratified it. Unlike the AI Act, it is a human-rights instrument: technology-neutral, focused on human rights, democracy and the rule of law, and open to states worldwide. Its membership therefore extends well beyond the EU. The two are complementary: the EU implements the Convention largely through the AI Act.
Examples
1. AI recruitment tool used across the EU. The same system can be high-risk under the AI Act (employment is an Annex III use), governed by GDPR Article 22 for automated decisions, and a "product" under the revised Product Liability Directive from December 2026. Three layers, one tool.
2. A generative image model offered in the EU. Article 50 transparency duties (marking AI-generated content) largely remain on the original schedule, with watermarking for systems already on the market deferred to 2 December 2026 under the provisional Omnibus agreement. The same agreement adds a prohibition on non-consensual intimate imagery.
3. A Norwegian deployer. A company in Oslo is not in the EU, but once the AI Act is incorporated into the EEA Agreement and Norway's national AI Act takes effect, broadly the same risk-based duties apply, supervised nationally rather than by Brussels.
Common misunderstandings
1. "Europe has one AI law." It does not. The EU AI Act is the most prominent layer, but GDPR, product liability, national laws and the Council of Europe treaty are separate instruments.
2. "The EU AI Act and the Council of Europe Convention are the same thing." They are not. The Act is a binding EU product-safety-style regulation; the Convention is a human-rights treaty open to non-European states.
3. "High-risk duties are fully in force in August 2026." Under current law many were, but the provisional Digital Omnibus agreement would push stand-alone high-risk duties to December 2027. The position is in flux.
4. "There is now an EU AI Liability Directive." There is not. That proposal was withdrawn. Civil liability runs through the revised Product Liability Directive and national law.
5. "The UK has an AI Act like the EU." It does not. The UK relies on principles applied by existing regulators, with possible frontier-model legislation still pending.
Risks and boundaries
This is a fast-dating area and an orientation hub, not legal advice. Dates and statuses are stated as at the date of writing and several are expected to move, in particular the AI Act high-risk timeline under the Digital Omnibus. Member-state designations and national laws are still being finalised. The Council of Europe Convention's entry into force depends on ratifications that are still accruing. For binding detail, rely on the primary sources and the dedicated pages, and check the current position before acting.
What to do next
Start by mapping which layers touch each AI system: AI Act risk tier, GDPR processing, and product liability exposure. Build and maintain an AI inventory now, because classification work does not get easier with delay. Track the Digital Omnibus through to publication in the Official Journal before relying on the later dates. For multi-country operations, identify the national competent authority in each market and watch for national laws such as Italy's. If you operate in the UK, Switzerland or Norway, follow the relevant national approach rather than assuming the EU regime applies directly. Use the dedicated pages below for depth.
Explore individual entries: AI regulation in Albania, AI regulation in Andorra, AI regulation in Austria, AI regulation in Belarus, AI regulation in Belgium, AI regulation in Bosnia and Herzegovina, AI regulation in Bulgaria, AI regulation in Croatia, AI regulation in Cyprus, AI regulation in the Czech Republic, AI regulation in Denmark, AI regulation in Estonia, AI regulation in the European Union, AI regulation in Finland, AI regulation in France, AI regulation in Georgia, AI regulation in Germany, AI regulation in Greece, AI regulation in Hungary, AI regulation in Iceland, AI regulation in Ireland, AI regulation in Italy, AI regulation in Latvia, AI regulation in Liechtenstein, AI regulation in Lithuania, AI regulation in Luxembourg, AI regulation in Malta, AI regulation in Moldova, AI regulation in Monaco, AI regulation in Montenegro, AI regulation in the Netherlands, AI regulation in North Macedonia, AI regulation in Norway, AI regulation in Poland, AI regulation in Portugal, AI regulation in Romania, AI regulation in Russia, AI regulation in San Marino, AI regulation in Serbia, AI regulation in Slovakia, AI regulation in Slovenia, AI regulation in Spain, AI regulation in Sweden, AI regulation in Switzerland, AI regulation in Turkey, AI regulation in Ukraine, AI regulation in the United Kingdom.
Have a question or a suggestion, or want to understand how we research and review these guides? Read about our editorial standards and how to reach us.
FAQs
Is there a single AI law for all of Europe?
No. The EU AI Act covers EU members, but data protection, liability, national laws and the Council of Europe treaty are separate layers, and non-EU states have their own approaches.
When do the EU AI Act's high-risk rules apply?
Under current law, 2 August 2026 for stand-alone high-risk systems. A provisional Digital Omnibus agreement of 7 May 2026 would move that to 2 December 2027, but it is not yet adopted law.
What happened to the AI Liability Directive?
The Commission withdrew it, confirmed in 2025, citing no foreseeable agreement. The revised Product Liability Directive, due to be transposed by 9 December 2026, now carries much of the AI liability question alongside national law.
How does the GDPR relate to the AI Act?
They apply cumulatively. The GDPR governs personal data and automated decisions (Article 22); the AI Act regulates the AI system itself. A high-risk system that makes individual decisions must satisfy both.
Does the EU AI Act apply in the UK?
Not directly. But it can reach UK providers whose systems are placed on the EU market or whose outputs are used in the EU. Domestically the UK uses a principles-based, regulator-led approach.
Does the AI Act apply in Norway?
It is expected to, through the EEA Agreement, once incorporated, with national supervision. Norway has drafted its own AI Act to implement it.
How is the Council of Europe Convention different from the EU AI Act?
The Convention is an international human-rights treaty, technology-neutral and open to non-European states. The AI Act is a binding EU regulation with detailed, risk-based product rules.
Has the Council of Europe Convention entered into force yet?
Not as at the date of writing. It needs five ratifications, including three Council of Europe member states. The EU ratified on 15 May 2026 at the 135th Session of the Committee of Ministers in Chisinau, Moldova, but the threshold had not yet been met.