April 2026 has made one thing clear: the European AI regulatory landscape is no longer a patchwork of aspirational white papers. It is a working enforcement system, with the EU AI Act's core obligations now in force, the UK's sector-led approach crystallising into binding guidance, and Switzerland aligning its federal AI framework with Brussels. For general counsels and chief AI officers at multinationals operating across the continent, the question is no longer whether to comply. It is which jurisdiction sets the highest-cost precedent first, and how to avoid becoming the reference case.
The Shape of the European Perimeter
Europe's regulatory cluster has converged on four enforceable threads: risk-based classification of AI systems, mandatory generative AI content labelling, corporate liability tied to turnover, and extraterritorial reach for any system that affects EU residents. The EU AI Act's prohibition-layer obligations took effect in February 2025, its high-risk system requirements became enforceable in August 2026, and the general-purpose AI model rules are now fully live. Compliance teams can no longer treat these as future obligations; they are current enforcement realities.
The UK's approach remains structurally different but is hardening. The AI Safety Institute, now operating as the AI Security Institute under DSIT, has moved from publishing voluntary frameworks to conducting formal evaluations of frontier models. The Government's proposed AI Opportunities Action Plan, published in January 2025, set a direction of travel that combines sector-specific binding rules with a cross-economy monitoring function. Firms with dual EU and UK footprints face two distinct compliance stacks, not one harmonised regime.
Switzerland, meanwhile, has chosen EU alignment over independent divergence. Its Federal Council confirmed in 2025 that it would adapt domestic law to mirror the EU AI Act's risk categories, preserving access to the single market for Swiss AI developers, notably those clustered around ETH Zurich and the EPFL in Lausanne.
Fines That Concentrate Minds
The EU AI Act's penalty structure is explicitly designed to make non-compliance commercially irrational. Violations of the prohibited-practices layer carry fines of up to 35 million euros or 7% of global annual turnover, whichever is higher. High-risk system violations attract fines of up to 15 million euros or 3% of turnover. Supplying incorrect information to regulators carries a 7.5 million euro or 1.5% turnover cap. These are not headline figures; they are the operative maxima that national market surveillance authorities are empowered to impose today.
Andrea Renda, senior research fellow at the Centre for European Policy Studies in Brussels, has argued publicly that the Act's turnover-linked penalties bring it structurally closer to GDPR enforcement than to the softer sectoral guidance that preceded it. That analogy matters. GDPR's first major fines took roughly 18 months to land after the regulation became operative; AI Act enforcement actions are likely to follow a similar curve, meaning the first headline cases should emerge by late 2026 or early 2027.
The UK's Information Commissioner's Office has separate powers under the UK GDPR and sector-specific AI guidance issued through the Financial Conduct Authority and the Medicines and Healthcare products Regulatory Agency. Daily accrual of penalties for continuing breaches is a feature of UK enforcement that general counsels should note specifically: a failure to remediate a live high-risk deployment does not produce a single fine, it produces an escalating liability.
What Regulators Are Prioritising
Three priorities are consistent across the most active European regulators. First, generative AI content labelling: this is the single most operational requirement under the AI Act's general-purpose AI provisions, and every platform with European users is racing to implement provenance metadata, visible disclosure labels, or both. The European AI Office, established within the European Commission in early 2024 and now fully staffed, has made GPAI transparency its opening enforcement focus.
Second, high-risk system inventories. The AI Act requires firms to register high-risk systems in the EU database, and national authorities have begun cross-referencing registration records against product launches. Gaps between a firm's market presence and its registration record are the fastest route to a regulator's attention.
Third, governance documentation: named responsible officers, board-level oversight evidence, and internal risk-assessment audit trails. Margrethe Vestager, during her tenure as Executive Vice President for the digital agenda, consistently framed governance paperwork not as bureaucratic overhead but as the mechanism through which regulators verify that risk management is substantive rather than theatrical. That framing has shaped how the European AI Office approaches its first wave of audits.
| Jurisdiction | Key Instrument | In Force | Top Penalty | Extraterritorial? |
|---|---|---|---|---|
| European Union | EU AI Act | Aug 2026 (high-risk) | 35m euros / 7% turnover | Yes |
| United Kingdom | Sector-led AI guidance (ICO, FCA, MHRA) | Phased, 2025-2026 | Sector-specific | Partial |
| Switzerland | Federal AI alignment framework | 2026 expected | EU-mirrored | Under review |
| Germany | AI Act + national NCA enforcement | 2026 | Per AI Act maxima | Yes |
| France | AI Act + CNIL AI guidelines | 2026 | Per AI Act maxima | Yes |
The Compliance Reality for Multinationals
Multinational compliance teams are now operating against three axes: the substantive requirement, the timing of grace periods, and the risk tolerance of individual national competent authorities. Germany's Bundesnetzagentur and France's CNIL are both treating AI Act enforcement as an extension of their existing digital regulatory mandates, which means firms that already have GDPR compliance infrastructure in those markets have a head start, but cannot simply copy-paste that infrastructure into their AI compliance stack.
The most common mistake currently visible in practice is treating the EU as a single homogeneous enforcement environment. It is not. National competent authorities have discretion over how they prioritise cases, and early signals suggest that Germany will focus on high-risk systems in employment and credit, while France is prioritising generative AI transparency in media and public services. Firms operating across both markets need jurisdiction-level deployment maps, not a single continental policy document.
The UK divergence also creates real operational complexity. Firms that built their compliance programmes around EU AI Act logic need to layer on UK-specific sector guidance from the FCA for financial services AI, MHRA requirements for medical AI, and Ofcom's forthcoming AI content rules for platforms. These are not minor addenda; in some sectors they are more operationally demanding than the Act itself.
What to Watch in the Next 90 Days
Four developments will shape the compliance picture through to July 2026. The European AI Office publishing its first GPAI model evaluation results and any accompanying enforcement signals. The UK Government confirming whether the AI Opportunities Action Plan translates into a cross-sector AI liability bill or remains a framework of sector-specific guidance. Germany's Bundesnetzagentur issuing its national competent authority operating procedures under the AI Act. And, most consequentially, the first public enforcement action by any EU national authority under the Act's high-risk system obligations.
That last event will function as a reference point for every other national authority on the continent. When it arrives, expect a surge of compliance memos, revised vendor contracts, and emergency board briefings. The firms that have already built their deployment inventories, appointed responsible AI officers, and completed conformity assessments will spend that week updating documentation. Everyone else will spend it explaining to their board why they did not.
Comments
Sign in to join the conversation. Be civil, be specific, link your sources.