AI-relevant Regulation in the EU (July 2025):
“what is already known and binding under existing law”
Although the EU AI Act will eventually provide a dedicated legal structure for AI governance, it will not replace existing legal obligations. Instead, it will operate alongside them, complementing and expanding the current regulatory landscape.
The EU already has a broad legal framework governing artificial intelligence, using tools and regulations from data protection, cybersecurity, and consumer protection.
Below is a list of acts explicitly referenced in the EU AI Act as regulating and affecting actors in the AI value chain, alongside the EU AI Act itself:
Note:
The 30 acts listed below do not represent an exhaustive list of laws that may apply to the AI you use or develop. The full scope of applicable legislation will depend on the characteristics of the AI system, its area of application, and the countries in which it is available.
Most importantly, this list covers EU-level acts. Member States may adopt and enforce additional national legislation that is not introduced at the EU level and is based on their own national priorities and legal frameworks.
- Data Protection & Privacy
  - GDPR (Regulation (EU) 2016/679)
    Sets rules for processing personal data of individuals in the EU. Applies globally to anyone handling such data. Defines legal bases, user rights, data breach duties, and documentation requirements.
  - ePrivacy Directive (Directive 2002/58/EC)
    Regulates privacy in electronic communications. Covers consent for cookies, traffic and location data, and confidentiality of communications.
  - Regulation (EU) 2018/1725
    Governs how EU institutions process personal data. Aligns with GDPR, covering lawfulness, transparency, rights of individuals, and oversight by the EDPS.
  - Law Enforcement Directive (LED) (Directive (EU) 2016/680)
    Applies to personal data processed by law enforcement. Sets rules for lawful use, safeguards for sensitive data, and rights of data subjects.
- Digital & Cybersecurity
  - Digital Services Act (Regulation (EU) 2022/2065)
    Sets legal duties for online services like marketplaces, social media, and search engines on content moderation, transparency, algorithm use, risk management, and user redress.
  - Cybersecurity Act (Regulation (EU) 2019/881)
    Creates EU-wide cybersecurity certification for Information and Communication Technology (“ICT”) products, services, and processes.
  - Data Governance Act (Regulation (EU) 2022/868)
    Creates rules for data sharing and reuse of protected public-sector data.
  - Web Accessibility Directive (Directive (EU) 2016/2102)
    Requires public websites and apps to meet EU accessibility standards, with monitoring and feedback systems.
- Consumer Protection
  - Unfair Commercial Practices Directive (Directive 2005/29/EC)
    Prohibits misleading, aggressive, or unfair commercial practices in business-to-consumer marketing.
  - General Product Safety Regulation (Regulation (EU) 2023/988)
    Sets baseline product safety rules. Requires traceability, incident reporting, and recalls when needed.
  - Representative Actions Directive (Directive (EU) 2020/1828)
    Allows consumer groups or public bodies to take businesses to court on behalf of consumers harmed by illegal practices.
  - New Product Liability Directive (Directive (EU) 2024/2853 repealing Council Directive 85/374/EEC)
    Holds producers strictly liable for harm from defective products, even without fault.
- Market Surveillance & Product Compliance
  - Regulation (EC) No 765/2008
    Sets rules for checking that products sold in the EU meet safety and quality standards. Forms the basis for CE marking and enforcement by national authorities.
  - Market Surveillance Regulation (Regulation (EU) 2019/1020)
    Enhances product surveillance, enforcement against online sellers, and importer responsibilities.
  - Regulation (EU) 2024/900
    Sets rules for political advertising transparency. Requires clear labelling of political ads, disclosure of who paid for them, and limits on how personal data is used for ad targeting.
  - Directive 2014/31/EU
    Applies to non-automatic weighing instruments (e.g. retail scales). Sets accuracy and marking rules.
  - Directive 2014/32/EU
    Covers measuring instruments (e.g. gas meters, taximeters). Harmonizes technical and conformity rules.
- Financial & Insurance Regulation
  - Solvency II (Directive 2009/138/EC)
    Sets capital, governance, and risk management standards for insurers and reinsurers.
  - Capital Requirements Directive (Directive 2013/36/EU)
    Regulates access to banking. Sets prudential rules, capital buffers, and oversight of institutions.
  - Insurance Distribution Directive (Directive (EU) 2016/97)
    Imposes conduct, transparency, and product oversight rules for insurance sellers and distributors.
- Employment & Labour
  - Information and Consultation Directive (Directive 2002/14/EC)
    Requires employers to inform and consult workers on major business and employment decisions, including ensuring that workers and their representatives are informed about the planned deployment of high-risk AI systems in the workplace, where the conditions for such obligations are not already fulfilled under other legal instruments.
- Justice, Asylum & Whistleblower Protection
  - Directive 2013/32/EU
    Defines procedures for granting, rejecting, or withdrawing asylum. Sets standards for fairness and legal aid.
  - Directive (EU) 2019/1937
    Protects people reporting breaches of EU law, including the EU AI Act.
- Critical Infrastructure & Essential Entities
  - Directive (EU) 2022/2557
    Requires critical entities (e.g. transport, energy, banking) to assess risks and ensure resilience.