Expert Summary
- The EU AI Act entered full enforcement for high-risk AI systems in August 2026 — companies deploying prohibited AI practices (social scoring, real-time biometric surveillance) faced the first enforcement actions.
- The US has no comprehensive federal AI law as of mid-2026 — regulation operates through executive orders, agency-specific guidance, and an increasingly active patchwork of state laws.
- China requires registration and security assessments for generative AI services serving Chinese users, with mandatory content controls and algorithmic transparency requirements.
AI regulation has moved from theoretical debate to enforcement reality in 2026. The EU AI Act is in active implementation, US states are passing their own laws, and China has deployed the world's most detailed generative AI requirements. Here is the current state of play.
The EU AI Act: Implementation Status (June 2026)
The EU AI Act passed the European Parliament in March 2024 and follows a phased implementation:
| Provision | Effective Date |
|---|---|
| Prohibited AI practices ban | February 2025 |
| GPAI (General Purpose AI) model requirements | August 2025 |
| High-risk AI system requirements | August 2026 |
| Low-risk AI transparency requirements | August 2027 |
August 2026 marks the critical enforcement milestone — high-risk AI systems must now comply with full requirements.
What the EU AI Act Classifies as High-Risk
Category A (automatically high-risk):
- AI in safety components of critical infrastructure
- AI for general-purpose education or vocational training assessment
- Employment screening, CV sorting, job advertisement targeting
- Credit scoring, creditworthiness assessment
- Insurance risk assessment, life and health insurance
- Border control biometric identification
- Criminal justice: risk assessment, prediction tools
Category B (sector-specific high-risk):
- Medical devices with AI components
- Autonomous vehicles
- AI in essential public services (social benefits, utilities)
What High-Risk AI Compliance Requires
Organizations deploying high-risk AI systems in the EU must meet the following requirements:
- Registration in the EU database of high-risk AI systems
- Conformity assessment — internal or third-party verification of compliance
- Technical documentation — system description, design choices, capabilities, limitations, testing results
- Data governance — data quality requirements, documentation of training data
- Logging and audit trails — automatic event logging for traceability
- Transparency — users must know when interacting with AI
- Human oversight — mechanisms allowing human monitoring and intervention
- Accuracy and robustness — testing against error rates, bias, and adversarial inputs
General Purpose AI (GPAI) Requirements
GPT-5, Claude 4, and similar frontier models are subject to GPAI requirements:
- All GPAI models: Technical documentation, copyright compliance, transparency to downstream deployers
- Systemic risk models (trained with >10^25 FLOPs): Adversarial testing, incident reporting, cybersecurity measures, energy efficiency reporting
Anthropic, OpenAI, Google, and Meta all registered with the EU AI Office and have implemented initial GPAI compliance measures.
US Federal AI Regulation: Executive Orders and Agency Guidance
The US legislative approach to AI remains fragmented. Key federal frameworks:
Executive Order 14110 (October 2023, Updated 2025)
EO 14110 remains the primary federal AI governance instrument. Its requirements include:
- Developers of frontier AI models must share safety test results with the federal government before public release
- NIST developed AI Safety Framework benchmarks
- Department of Homeland Security AI Safety Board established
- Federal agencies required to appoint Chief AI Officers
- Biodefense, chemical, and radiological AI outputs subject to screening requirements
NIST AI Risk Management Framework (AI RMF)
Voluntary but widely adopted. Organized around four functions: Govern, Map, Measure, Manage. The NIST AI RMF has become the de facto compliance standard for US federal contractors and many enterprises.
Agency-Specific Guidance
| Agency | AI Jurisdiction | Key Actions (2025–2026) |
|---|---|---|
| FTC | AI marketing claims, deceptive AI | Guidance on AI endorsements; enforcement actions against false AI capability claims |
| FDA | AI in medical devices | Released AI/ML action plan; approved 950+ AI-enabled medical devices |
| EEOC | AI in employment decisions | Issued guidance on disparate impact liability for AI hiring tools |
| CFPB | AI in credit decisions | Required explainability in AI credit denial explanations |
| SEC | AI in financial advice | Disclosure requirements for AI-generated investment recommendations |
US State AI Laws (2026)
The absence of federal legislation has created a patchwork of state laws:
California
- AB 2013 (2026): Generative AI content provenance requirements
- SB 1047 (vetoed 2024): Would have required safety assessments for large AI models
- CPRA AI Amendment (2026): CCPA extended to include automated decision-making opt-out rights
Colorado
- SB 205 (2024, effective February 2026): Requires "substantial human oversight" for high-risk AI decisions in housing, insurance, employment, and education
Illinois
- AI Video Interview Act (2020, still in force): Employers using AI in video interviews must disclose and obtain consent
Texas
- Responsible AI Governance Act (TRAIGA) (2025): Mirrors aspects of the EU AI Act; requires impact assessments for high-risk AI and imposes fairness testing requirements
China's AI Regulations
China has taken the most aggressive and detailed approach to generative AI regulation:
Generative AI Regulations (effective August 2023):
- Security assessment required before public release of generative AI services
- Mandatory content filtering to prevent "distorted" historical content or content threatening "national security"
- Algorithmic recommendation transparency
- Real-name registration for users of AIGC (AI-Generated Content) services
Algorithmic Recommendation Management Provisions (2022):
- Platforms must disclose algorithmic recommendation logic
- Users can opt out of personalization
- Requirements to prevent "filter bubbles"
Companies affected: Both Chinese companies (Baidu, ByteDance, Alibaba DAMO, Zhipu AI) and foreign companies serving Chinese users must comply.
What Compliance Requires in Practice
For a company deploying AI systems in 2026:
If deploying in the EU:
- Classify your AI system by risk tier
- If high-risk: implement full compliance program (documentation, logging, testing, human oversight)
- If GPAI model provider: register with EU AI Office, implement GPAI requirements
If operating in the US:
- Follow NIST AI RMF (especially if federal contractor)
- Map your AI use cases against FTC, EEOC, CFPB, and FDA guidance as applicable
- Assess state law requirements for states where you operate or have significant users
If serving both US and EU users: The EU AI Act applies to the EU-facing products. Most organizations adopt the EU's higher standard uniformly rather than building separate compliance frameworks.
What is the EU AI Act and does it apply to US companies?
The EU AI Act is the world's first comprehensive AI regulatory framework, in enforcement since 2024–2026. It applies to any company whose AI systems are used in the EU — including US companies selling to European customers. High-risk AI systems require conformity assessments, technical documentation, and human oversight mechanisms.
Is there a federal AI law in the United States?
As of June 2026, the US has no comprehensive federal AI law. AI is regulated through sector-specific agencies (FDA, FTC, EEOC), executive orders (EO 14110), and NIST's voluntary AI Risk Management Framework. Multiple states (California, Colorado, Texas, Illinois) have enacted their own AI laws.
What are the penalties for EU AI Act violations?
Prohibited AI practices violations: up to €35 million or 7% of global annual revenue. High-risk AI system violations: up to €15 million or 3% of global revenue. Providing incorrect information to regulators: up to €7.5 million or 1.5% of global revenue.
