As EU AI Act Enters Into Force, Other Jurisdictions Lag On Legislation

Fashion technology’s latest trend isn’t on the runway—it’s in the law.

Earlier this year, the EU passed watershed AI legislation with the EU AI Act, which effectively segments certain use cases for the technology by risk level. The legislation officially came into force Thursday.

More from Sourcing Journal

• Lenzing 'Forces' Textile Value Chain Reform with EU-Backed Project

• Podcast: Inside the SJ x WWD Tech Report: The Artificial Intelligence Issue

• Legislation Shouldn't Exacerbate Supply Chain Inequities, Garment Manufacturers Say

Most of the AI Act’s provisions will become effective starting August 2, 2026, but systems presenting what the EU would deem “unacceptable risk” will be prohibited in six months, and rules for general-purpose models, often referred to as foundation models, will be applicable in August 2025.

Companies that develop or deploy the technology in European markets will be responsible for adhering to the regulations, regardless of whether they have a physical presence in the bloc. So, for instance, if a U.S.-based company sells to EU consumers digitally, it will still be responsible for aligning its practices with the law if it uses AI systems.

Some use cases, like biometric identification and categorization, social scoring and behavioral manipulation of vulnerable groups, will be banned. Other use cases will be considered high risk or limited risk; high-risk applications face more stringent requirements.

Generative AI, which includes tools for text generation, like ChatGPT, and technology focused on image generation, like Midjourney, is not automatically considered high risk. However, companies will have to disclose that content has been generated by AI or that a user is interacting with an AI system. That applies to deepfakes—images, audio or video designed to look or sound like a real-life person, which are sometimes used by fashion brands for product images.

Karen Schuler, principal and head of global privacy and data protection at consulting firm BDO, said companies should start preparing for the regulation’s implementation. To do so, Schuler suggested taking a hard look at data collection, storage and usage, particularly for personalization use cases that have to do with a consumer’s body measurements or biometric characteristics.

“A lot of [this] always comes down to what kind of information are you going to collect, and how long are you going to store it for [and] where are you going to store it? Who’s going to store it for you, and how are you going to protect it?” she said.

As companies and regulators alike work to interpret the stipulations of the EU AI Act, Schuler said, the bloc will likely work to help retailers understand their true requirements. Emily Burrows, an attorney with Bass, Berry & Sims, said she has started recommending her clients conduct risk assessments on their systems preemptively.

If companies violate the EU AI Act, they could face hefty fines, which exceed even the strictest penalties for the GDPR. According to the EU, “Non-compliance with certain AI practices can result in fines up to €35 million or 7 percent of a company’s annual turnover. Other violations can result in fines up to €15 million or 3 percent of a company’s annual turnover. Providing incorrect or misleading information can result in fines up to €7.5 million or 1 percent.”

Schuler said once the EU has made its full expectations clear, she doesn’t expect much leniency on enforcement.

“Especially for large companies, if they don’t take the EU AI Act seriously, they will likely face steep penalties and might even be impacted from delivering certain products or services in the EU,” she said.

But consumers’ data is far from the only consideration large companies need to take into account, Burrows said. The EU AI Act also has stipulations around acceptable levels of risk for internal people management.

“I think a lot of [companies] focus on consumers and don’t always think about the employees who are also people and have privacy and personal rights, especially in the EU. The Act is very focused on using AI for recruitment, targeted job advertising, filtering applications and things like that,” Burrows explained. “Even once somebody is already hired, is AI making decisions that affect actual work relationships? So things like promotion, termination, monitoring performance [and more].”

The EU has a head start on comprehensive AI regulation, particularly as compared with other countries—the United States among them—that lack federal-level regulation around AI in a meaningful way.

President Biden’s Executive Order, focused on the safe and trustworthy development and use of the technology, was a catalyst for some movement from certain departments and some industry titans. The National Institute of Standards and Technology (NIST), for example, has proposed a plan for developing global AI standards, published several draft publications on safe use of generative AI and more.

Last year, some of technology’s heavy hitters made voluntary commitments around AI transparency and fairness alongside the Biden administration.

But even as NIST and other entities continue to solicit public feedback about AI and develop frameworks to guide companies, some states have started to become impatient. They have proposed their own legislation or called on federal regulators to pass legislation. Much of the potential regulation circulating on the U.S. front has little to do with the fashion, apparel and retail industries.

However, those industries have started to pop up in some AI-based legislation. The New York Fashion Workers Act added language to protect models from unauthorized use of their digital likenesses.

Burrows said while she thinks the EU AI Act will likely influence other nations’ decisions about AI regulation, it has come under scrutiny in a way that the General Data Protection Regulation (GDPR) did, too. That’s because some countries in the EU bloc have expressed concerns over the AI Act being too restrictive.

“Comparing back in 2016 [with the GDPR] versus now, it seems like there’s a bit more criticism on the [AI] Act potentially hampering innovation, and countries are taking more of a policy framework approach versus being prescriptive,” she told Sourcing Journal.

Even despite its critics, Schuler said, the EU’s regulations could soon become a globally accepted standard in the way the GDPR did. At the moment, the EU AI Act is the highest bar companies have to meet for AI deployment and development, which means that many have started to make plans to adhere to it.

Adding another layer of contradictory regulation in a different area of the world could throw a wrench in those plans or create complexities that would make it even more difficult for companies to assess and implement tools as the technology continues to evolve.

“I do believe the EU AI Act will have a similar halo effect as the GDPR. Where the GDPR became the global standard for data protection and privacy, the EU AI Act could definitely influence other regions and countries to adopt similar or compatible rules for AI,” Schuler said. “You are going to need to pay attention to the EU AI Act if you want to do business in the European market or collaborate with partners in Europe.”