Home/News

Major transparency consultation as industry divides

·12 min read

The European Commission launched a pivotal consultation on AI transparency obligations as tech giants split over GPAI compliance. Meta refuses to sign Code of Practice while competitors engage despite concerns.

Major transparency consultation launched as industry divides over GPAI compliance

The European Commission launched a pivotal consultation on AI transparency obligations on September 4, 2025, marking the most significant regulatory development this week as businesses grapple with newly activated General-Purpose AI requirements. The consultation seeks to develop guidelines and a Code of Practice for transparency obligations under the AI Act, with responses due by October 2, 2025. Meanwhile, the tech industry has fractured over compliance approaches, with Meta refusing to sign the GPAI Code of Practice while competitors Google, OpenAI, and Microsoft opted for cooperative engagement despite expressed concerns.

This week captures the EU AI Act at a critical juncture - one month after the August 2 deadline when GPAI obligations took effect, but still a year before full enforcement powers activate. The period reveals substantial implementation challenges: many Member States haven't designated required authorities, technical standards are delayed until 2026, and companies face legal uncertainties about compliance requirements. For compliance professionals, this environment demands strategic navigation between immediate obligations and evolving regulatory guidance.

New regulatory developments reshape transparency requirements

The European Commission's September 4 consultation represents the week's most consequential regulatory action. The initiative targets three critical transparency areas that will fundamentally affect AI deployment across Europe. Organizations must inform users when they're interacting with AI systems, exposed to emotion recognition or biometric categorisation systems, or viewing AI-generated content.

The Commission has invited providers and deployers of generative AI models, biometric systems, academic experts, civil society organizations, and supervisory authorities to participate. The consultation runs until October 2, 2025, with an accompanying call for stakeholders to help develop the Code of Practice. This accelerated timeline signals the Commission's urgency in clarifying transparency obligations that many businesses find ambiguous.

Applications for the AI Act Advisory Forum remain open until September 14, 2025, offering another avenue for stakeholder engagement. The Forum will provide independent technical expertise on implementation challenges, standardisation efforts, and practical compliance issues. Positions are unpaid with two-year terms, seeking balanced representation from civil society, academia, industry, SMEs, and startups.

The European AI Office, operational since August 2, has begun its central coordination role for AI Act implementation. With plans for over 140 staff including technology specialists, lawyers, and economists, the Office will oversee GPAI model compliance and support Member States in enforcement activities. However, its enforcement powers for GPAI models won't activate until August 2, 2026, creating a year-long gap between obligations and enforcement capability.

Tech giants split over GPAI code while industry seeks delays

The industry's response to GPAI obligations has crystallized into distinct camps this week. Meta's public refusal to sign the Code of Practice stands in sharp contrast to competitors' approaches. Joel Kaplan, Meta's Chief Global Affairs Officer, declared the code introduces "legal uncertainties for model developers" and "measures which go far beyond the scope of the AI Act." His warning that Europe is "heading down the wrong path on AI" and would "throttle the development and deployment of frontier AI models" represents the strongest industry pushback to date.

Google took a more nuanced position, signing the Code despite reservations. Kent Walker, President of Global Affairs, acknowledged concerns that "the AI Act and Code risk slowing Europe's development and deployment of AI" but committed to supporting European citizens' access to AI tools. Walker specifically warned that departures from EU copyright law, approval delays, or trade secret exposure requirements could "chill European model development and deployment."

OpenAI aligned with regulatory expectations, stating that signing reflects their "commitment to providing capable, accessible and secure AI models for Europeans." Microsoft, Amazon, Anthropic, Cohere, IBM, and Mistral AI also became signatories, positioning themselves as cooperative partners in the regulatory process.

The broader business community mounted a coordinated push for implementation delays. Over 45 leading European companies, including Siemens, Airbus, ASML Holding, and BNP Paribas, sent an open letter requesting a two-year "clock-stop" on the AI Act. The Computer & Communications Industry Association (CCIA Europe) separately called for EU leaders to "pause implementation," warning that "Europe cannot lead on AI with one foot on the brake." The European Commission firmly rejected all postponement requests, with officials stating "there is no grace period" and implementation would proceed as scheduled.

Technical standards lag creates compliance uncertainty

The development of harmonized technical standards has fallen significantly behind schedule, creating substantial challenges for organizations preparing for August 2026 requirements. CEN-CENELEC's Joint Technical Committee 21 submitted two critical draft standards for internal ballot in June 2025 - one addressing AI risk management requirements under Article 9, another covering quality management systems per Article 17. Comment resolution meetings continue, but final adoption has been pushed to 2026, missing the original April 2025 deadline.

This delay creates a critical timing gap. Companies need harmonized standards by October 2025 to prepare adequately for August 2026 implementation, yet current projections suggest standards won't be complete until year-end 2025 at earliest. The eight-month compression between standard availability and compliance deadlines leaves minimal time for system adaptation and testing.

ETSI has made more progress, publishing Technical Specification 104 223 on April 23, 2025, establishing baseline cybersecurity requirements for AI models and systems. The specification defines 13 core principles expanding to 72 trackable principles across five lifecycle phases. ETSI's Technical Committee on Securing AI became operational to support AI Act requirements, with a new Technical Committee on Data Solutions launched February 17, 2025, to address data interoperability needs.

JTC21 continues developing supplementary standards covering datasets, bias mitigation, computer vision applications, cybersecurity protocols, robustness testing, logging requirements, and natural language processing. Each standard requires extensive consultation and validation, contributing to overall timeline pressures. The integration of existing international standards like ISO/IEC 42001:2023 requires substantial adaptation to meet specific AI Act provisions, adding complexity to the standardization process.

Member state implementation reveals significant gaps

Implementation at the national level shows concerning disparities one month after the August 2 deadline for designating competent authorities. Only three Member States have clearly designated both notifying and market surveillance authorities, while 14 countries haven't designated any competent authorities. This fragmentation undermines the Act's goal of harmonized enforcement across the EU single market.

Poland and Spain stand out as the only countries proposing new AI-specific supervisory bodies rather than assigning responsibilities to existing agencies. Ten Member States have pending proposals or have appointed only one required authority, leaving critical regulatory gaps. Hungary and Italy haven't designated fundamental rights authorities, missing the November 2, 2024 deadline by nine months.

The Czech Republic, Denmark, Finland, and Latvia demonstrate more comprehensive preparation, having designated authorities for all three major data laws - the Data Governance Act, Data Act, and AI Act. This integrated approach may prove advantageous as these regulations increasingly intersect. The EU Data Act's provisions take effect September 12, 2025, potentially creating additional compliance complexities for AI systems that process or generate data.

Member States must report the financial and human resources status of their authorities to the Commission, revealing capacity constraints across multiple countries. The variation in preparedness raises questions about consistent enforcement when full AI Act provisions activate in August 2026. Cross-border coordination remains limited, with the EU AI Office tasked to support joint investigations that many national authorities aren't yet equipped to conduct.

Legal experts identify critical enforcement uncertainties

Leading law firms have highlighted substantial legal uncertainties in the immediate post-implementation period. DLA Piper's analysis identifies a fundamental disconnect between when GPAI obligations took effect (August 2, 2025) and when enforcement powers activate (August 2, 2026). Thorsten Ammann, Florian Achnitz, and Danny Tobey note that while the penalty regime technically applies now, practical enforcement remains severely limited without investigatory powers.

The penalty structure itself is formidable - administrative fines reach EUR 35 million or 7% of global turnover for prohibited AI practices, EUR 15 million or 3% for other violations, and EUR 7.5 million or 1% for providing incorrect information. However, the one-year enforcement gap for GPAI models creates what Greenberg Traurig describes as a "compliance twilight zone" where obligations exist without clear enforcement mechanisms.

Baker McKenzie confirmed that GPAI model obligations apply to all models placed on market after August 2, 2025, with the Commission's July 18 Guidelines providing interpretative framework while the August 1 Code of Practice offers specific compliance measures. The firm emphasizes that companies substantially modifying existing GPAI models become providers for regulatory purposes, requiring careful legal analysis of fine-tuning activities in business applications.

Multiple firms recommend immediate action despite enforcement gaps. Essential steps include completing comprehensive AI system inventories with risk classification, clarifying organizational roles as provider, modifier, or deployer, developing technical documentation and transparency reports, appointing responsible persons per Article 4, and ensuring adequate AI literacy training for staff. The consensus view: waiting for full enforcement activation in 2026 creates unacceptable compliance risk given the penalty magnitudes involved.

Conclusion

The week of August 31-September 6, 2025 marks a pivotal moment in EU AI Act implementation, characterized by the Commission's major transparency consultation launch and deepening industry divisions over compliance approaches. Meta's public rejection of the GPAI Code contrasts sharply with competitors' cautious cooperation, while the broader business community's failed push for delays confirms the EU's unwavering implementation timeline.

For compliance professionals, three immediate priorities emerge from this week's developments. First, organizations should engage with the September 4 transparency consultation to shape practical guidance on disclosure obligations. Second, companies must proceed with GPAI compliance despite the enforcement gap, as retroactive penalties remain possible once powers activate in 2026. Third, businesses should accelerate technical standard preparation even without final harmonized standards, using available ETSI specifications and draft CEN-CENELEC standards as provisional frameworks. The gap between obligations and enforcement creates strategic opportunities for early movers to establish compliance leadership, but the penalty risks for those who wait have never been clearer.

References

Official EU Resources

Industry Analysis & News

Legal Analysis

Technical Standards & Implementation

National Implementation

Compliance Resources

About the EU AI Act Brief

Our compliance brief provides in-depth analysis of the latest EU AI Act developments, helping organizations stay informed on regulatory changes, industry responses, and practical compliance guidance.

Explore more compliance resources →