EU AI Act Audits Begin Targeting Big Tech
The European Union has officially begun its first wave of compliance audits under the EU AI Act, targeting major technology companies operating in the bloc. This marks the most significant regulatory enforcement action in the history of artificial intelligence governance, sending a clear signal that the era of self-regulation is over.
Regulators from the newly established EU AI Office are conducting on-site and remote audits of companies deploying high-risk AI systems across the 27-member bloc. The initial enforcement phase focuses on general-purpose AI models and prohibited AI practices, with penalties reaching up to €35 million or 7% of global annual turnover — whichever is higher.
Key Facts at a Glance
- First audits target companies deploying general-purpose AI (GPAI) models, including OpenAI, Google, Meta, and Microsoft
- Penalties for non-compliance can reach €35 million or 7% of global revenue
- The EU AI Office leads enforcement with support from national authorities in each member state
- Companies had until February 2, 2025 to comply with prohibited practices provisions
- High-risk AI system requirements take full effect in August 2026
- An estimated $4.6 billion in compliance costs is expected across the industry by 2027
Regulators Zero In on General-Purpose AI Models
The first compliance audits focus heavily on general-purpose AI (GPAI) models — the foundation models that power tools like ChatGPT, Gemini, and Meta's Llama. Under the EU AI Act, providers of these models must meet transparency requirements, provide detailed technical documentation, and comply with EU copyright law.
Companies offering GPAI models deemed to pose 'systemic risk' face even stricter obligations. Models trained with more than 10^25 FLOPs of computing power automatically fall into this category, which currently captures systems like GPT-4, Gemini Ultra, and other frontier models.
The EU AI Office has reportedly sent formal information requests to at least 6 major AI providers, asking for detailed documentation on model training data, safety evaluations, and risk mitigation measures. Unlike the relatively gradual rollout of GDPR enforcement in 2018, regulators appear to be taking an aggressive early stance with AI oversight.
What Auditors Are Looking For
Compliance auditors are examining several critical areas during this initial enforcement phase. The scope extends beyond simple documentation checks to substantive evaluations of how companies manage AI risk.
Key areas under scrutiny include:
- Training data transparency: Companies must disclose detailed summaries of training data, including how copyrighted material was handled
- Model safety testing: Evidence of red-teaming, adversarial testing, and internal safety evaluations before deployment
- Systemic risk assessments: For frontier models, comprehensive analysis of potential large-scale societal harms
- Energy consumption reporting: Disclosure of computational resources and energy used during model training and inference
- Downstream deployment monitoring: How providers track and manage the use of their models by third-party developers
- Incident reporting mechanisms: Systems for detecting, documenting, and reporting serious AI incidents to authorities
Auditors are paying particular attention to how companies handle the intersection of AI-generated content and misinformation. The requirement for AI-generated content to be clearly labeled and detectable through technical means is already in effect.
Big Tech Responds With Compliance Teams and Legal Challenges
Microsoft and Google have each reportedly invested more than $100 million in EU AI Act compliance infrastructure over the past 12 months. Both companies have established dedicated European compliance teams and appointed AI Act compliance officers within their European operations.
OpenAI has taken a particularly visible approach, publishing a detailed EU AI Act compliance framework on its website and engaging directly with the EU AI Office on technical standards for GPAI transparency. The company has argued that its model cards and system documentation already meet many of the Act's requirements.
However, not all companies are embracing the new regime. Meta has publicly questioned certain provisions, particularly around open-source AI models. The company's release of Llama 3.1 raised questions about how open-weight model providers can meaningfully control downstream uses — a core requirement under the Act's systemic risk provisions.
Some industry groups have hinted at potential legal challenges. The European AI Industry Alliance, a coalition of over 30 technology companies, has urged regulators to adopt a 'proportionate and innovation-friendly' interpretation of the Act's requirements, warning that overly aggressive enforcement could push AI development outside Europe.
The GDPR Playbook: Lessons Learned and Differences
Comparisons to GDPR enforcement are inevitable, but there are critical differences. When GDPR took effect in May 2018, regulators were widely criticized for slow and inconsistent enforcement across member states. The EU AI Act's architects appear to have learned from that experience.
The centralized role of the EU AI Office represents a major structural improvement. Unlike GDPR, where enforcement was fragmented across 27 national data protection authorities, AI Act enforcement for GPAI models is coordinated from Brussels. This should reduce the 'forum shopping' problem that plagued early GDPR enforcement.
The penalty structure also reflects lessons learned. While GDPR's maximum fine of 4% of global turnover seemed dramatic in 2018, the AI Act raises the bar to 7% for the most serious violations. For a company like Google parent Alphabet, with approximately $307 billion in annual revenue, that translates to a theoretical maximum penalty of over $21 billion.
However, experts caution that large fines may take years to materialize. GDPR's biggest penalties — including Amazon's €746 million fine in 2021 and Meta's €1.2 billion fine in 2023 — came several years after the regulation took effect. The same pattern is likely for AI Act enforcement.
Startups and SMEs Face Disproportionate Burden
While headlines focus on Big Tech audits, smaller companies face significant challenges as well. European AI startups report spending between $250,000 and $1.5 million on compliance preparations, a substantial burden for early-stage companies.
The Act includes some accommodations for smaller players. Regulatory sandboxes — controlled environments where companies can test AI systems under regulatory supervision — are being established in at least 15 member states. These sandboxes offer startups a pathway to compliance without the full cost of independent conformity assessments.
Still, venture capital investors have expressed concern. Several European VC firms report that the regulatory burden is already influencing investment decisions, with some AI startups considering relocating their primary operations to the United States or United Kingdom, where regulatory frameworks are less prescriptive.
The European Commission has attempted to address these concerns by allocating €1 billion through the Digital Europe Programme to support AI development and compliance across the bloc. Whether this funding adequately offsets the compliance burden remains an open question.
What This Means for Developers and Businesses
For companies building or deploying AI systems in Europe, the enforcement phase creates immediate practical obligations. The most critical near-term requirements affect several groups:
- GPAI model providers must have transparency documentation and copyright compliance measures in place now
- High-risk AI deployers should begin conformity assessment preparations ahead of the August 2026 deadline
- Companies using AI for hiring, credit scoring, or law enforcement face the strictest scrutiny and must implement human oversight mechanisms
- Any business using AI-generated content must ensure proper labeling and disclosure to end users
- Developers building on top of foundation models need to understand their obligations under the Act's value chain provisions
Legal experts recommend that companies conduct an AI system inventory as a first step — cataloging every AI system in use, classifying its risk level under the Act, and identifying compliance gaps. Companies that completed similar exercises for GDPR will find the process familiar, though the technical complexity of AI compliance is considerably greater.
Looking Ahead: The Global Ripple Effect
The EU's enforcement actions are already influencing AI governance worldwide. Brazil, Canada, and India are developing AI regulations that borrow heavily from the EU framework. Even in the United States, where federal AI legislation remains stalled, state-level initiatives in California, Colorado, and Connecticut reflect European influence.
The next major milestone arrives in August 2026, when high-risk AI system requirements become fully enforceable. This will bring sectors like healthcare, education, employment, and law enforcement under comprehensive AI oversight for the first time.
Industry observers expect the first formal enforcement decisions — and potentially the first fines — to emerge by late 2025 or early 2026. These initial cases will set critical precedents for how the Act's broad provisions are interpreted in practice.
The EU AI Act's enforcement phase represents a watershed moment for the global AI industry. Whether it becomes a model for responsible AI governance or a cautionary tale of regulatory overreach will depend largely on how these first audits unfold — and how companies respond to the new reality of AI accountability.
📌 Source: GogoAI News (www.gogoai.xin)
🔗 Original: https://www.gogoai.xin/article/eu-ai-act-audits-begin-targeting-big-tech