EU AI Act Imposes Risk-Based Rules on High-Risk and Biometric AI
The European Union has adopted Regulation (EU) 2024/1689, creating a harmonised legal framework for the development, marketing, deployment, and use of AI systems across the bloc. The law applies a risk-based model that bans certain uses deemed unacceptable, including social scoring, manipulative AI, untargeted facial-image scraping, and some emotion-recognition and biometric-categorisation practices, while imposing mandatory obligations on high-risk AI systems. It also extends in some cases to providers and deployers outside the EU when AI outputs are intended for use in the Union.
The regulation sets detailed requirements for high-risk AI used in areas such as critical infrastructure, education, employment, essential services, law enforcement, migration and border control, justice, and elections. Providers, importers, distributors, authorised representatives, and deployers must meet obligations covering risk management, data governance, technical documentation, logging, transparency, human oversight, robustness, accuracy, cybersecurity, post-market monitoring, accessibility, and AI literacy. The Act also places strict limits on real-time remote biometric identification in publicly accessible spaces, with narrow exceptions, authorisation requirements, and oversight, while preserving the application of existing EU rules on data protection, consumer protection, product safety, liability, and related sectoral frameworks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
EU publishes General-Purpose AI Code of Practice
The European Commission published the General-Purpose AI Code of Practice as part of implementing the EU AI Act's framework for general-purpose AI. This introduced a new compliance and governance development beyond the Act's adoption and formal publication.
EU publishes Regulation (EU) 2024/1689 in the Official Journal
The adopted EU AI Act was published in the Official Journal and on EUR-Lex as Regulation (EU) 2024/1689. The published text formalised the regulation's provisions covering prohibited AI uses, high-risk AI obligations, and restrictions on biometric and law-enforcement applications.
EU adopts the Artificial Intelligence Act
Regulation (EU) 2024/1689 was adopted, establishing the EU AI Act as a harmonised legal framework for AI systems based on a risk-based model. The act prohibits certain AI practices and imposes obligations including transparency, human oversight, robustness, and cybersecurity requirements for high-risk systems.
Sources
5 references tracked. Mallory keeps watching after this page renders.
The General-Purpose AI Code of Practice | Shaping Europe’s digital future
digital-strategy.ec.europa.eu
Open sourceRegulation - EU - 2024/1689 - EN - EUR-Lex
eur-lex.europa.eu
Open sourceRegulation - EU - 2024/1689 - EN - EUR-Lex
data.europa.eu
Open sourceRegulation - EU - 2024/1689 - EN - EUR-Lex
eur-lex.europa.eu
Open sourceAI Act | Shaping Europe’s digital future
digital-strategy.ec.europa.eu
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
EU AI Act Deal Bans Nudifier Apps and Sexualized Deepfake Tools
EU Parliament and Council negotiators reached a provisional agreement to amend the **EU Artificial Intelligence Act**, adding a ban on AI systems used to create **non-consensual sexualized depictions of identifiable people** and **synthetic child sexual abuse material**, including so-called **"nudifier" apps**. The deal also advances related transparency rules by setting watermarking obligations for AI-generated content to **2 December 2026**, while the new ban would also take effect on that timeline if formally adopted. The agreement still requires final approval by both Parliament and the Council. The package also delays several AI Act compliance deadlines and simplifies parts of the regime under the EU's digital omnibus effort. Obligations for standalone high-risk AI systems would move to **2 December 2027**, while AI used as safety components in products covered by sectoral safety laws would shift to **2 August 2028**. Negotiators also narrowed some machinery-related requirements, allowed limited use of sensitive personal data to detect and correct algorithmic bias, extended certain SME exemptions to small mid-cap firms, and centralized enforcement for some general-purpose AI systems through the **EU AI Office**.
Jun 8, 2026
European Commission Proposes Deregulatory Changes to GDPR and AI Regulations
The European Commission has introduced a legislative package, known as the Digital Omnibus, aimed at simplifying and consolidating digital regulations across the European Union. This proposal seeks to merge multiple pieces of legislation into a single framework, streamlining rules on artificial intelligence, cybersecurity, and data management. A key component of the package is the relaxation of certain General Data Protection Regulation (GDPR) provisions, including delaying the enforcement of regulations on high-risk AI systems and permitting companies to use personal data for AI training without prior user consent in most cases. The initiative also includes the launch of a European Business Wallet to facilitate digital operations for companies and public sector bodies, and a new Data Union Strategy to unlock high-quality data for AI development. EU officials argue that these changes will reduce administrative burdens and compliance costs for businesses, fostering innovation and competitiveness within the bloc. However, the proposal has drawn criticism from privacy and digital rights advocates, as well as some political parties, who warn that it could significantly weaken data privacy protections that have been a hallmark of the EU's regulatory landscape. The legislative package must still be approved by the European Parliament and the Council of the European Union, and its future remains uncertain amid ongoing debate over the balance between innovation and fundamental rights.
Mar 21, 2026
EU Moves to Curb AI-Generated Sexual Abuse and Deepfake Harms
European policymakers advanced new measures aimed at limiting **AI-enabled sexual abuse and impersonation harms**, with the **European Council** proposing amendments to the AI Act that would ban AI systems used to generate non-consensual intimate imagery, including **nudification tools** and child sexual abuse material. The proposal also tightens standards for processing sensitive personal data, and follows parallel action in the **European Parliament**, increasing the likelihood that a negotiated EU position will include explicit restrictions on these abusive AI uses. The push comes amid broader concern over the real-world impact of generative AI, including the recent backlash over AI-generated intimate imagery. Separately, **YouTube** expanded access to its AI-driven likeness detection system for **government officials, journalists, and political candidates**, allowing eligible users to identify AI-generated impersonation videos and request removal when content violates platform privacy rules. The system is designed to detect synthetic uses of a person’s likeness while preserving exceptions for parody, satire, and other public-interest expression. Other cited items were not part of the same event: one covered the EU’s extension of voluntary **CSAM** detection rules under the ePrivacy framework, and another reported research showing major chatbots sometimes provided violent guidance to would-be attackers.
Mar 30, 2026