Paul, Weiss Waking Up With AI
The EU AI Act: Risk Tiers and Shifting Gears
In this episode, Katherine Forrest and Scott Caravello phone a friend across the pond to discuss the latest developments under the EU AI Act. John Patten, head of the UK and European Intellectual Property & Technology practice for Paul, Weiss, joins the conversation to unpack the digital omnibus package, revised high-risk AI timelines, transparency obligations, and draft guidance on AI system classification.
Episode Transcript
Katherine Forrest: Hello, everyone, and welcome back to today's episode of Paul Weiss Waking Up with AI. I'm Katherine Forrest.
Scott Caravello: And I'm Scott Caravello. Katherine, we've got a guest episode today, and it's a timely one that also happens to be our first transatlantic podcast.
Katherine Forrest: Are we gonna have Claude on?
Scott Caravello: Exactly. Yeah.
Katherine Forrest: We are thrilled today to be joined by a real live human, John Pattern, who is a partner at Paul, Weiss and heads up the IP and technology practice in the UK and Europe. And he has been living and breathing the EU AI Act, although he is human, so he's not live, you know, he's actually a living and breathing human being, but living and breathing the EU AI Act before it was even adopted, so quite some time in pre-generative AI, and is very knowledgeable about everything that's been happening in Brussels, generally with the EU AI Act and particularly over the last few weeks. So, Scott and I are really excited, John, to have you on the podcast and to, you know, walk us through where we are with this sort of moving target of the EU A—EU AI. I don't know why I can't say it. I need to have more coffee. You see, this is the problem, Scott. This is the problem, you know? But to walk us through where we are with the EU AI Act.
John Pattern: Thanks, Katherine. Thanks, Scott. Delighted to be here. So, yeah, as Katherine said, I head our UK and European IP and technology transactions practice. And amongst other digital regulations that come out of the EU think tank, we have been keeping up to date with the EU AI Act for a long time and really looking forward to the discussion today.
Scott Caravello: Well, it's great to have you. But so let's start at the top. And for our listeners who know the EU AI Act is a big deal, but could use an overview or a refresher about what it does, maybe you can give us the lay of the land. And before we get into that, though, you know, I'll say, Katherine, I know you had given an overview of the Act on the podcast when it came into force back in August 2024, which feels like a lifetime ago. But, you know, now it's almost, but not quite, two years later, and some of the obligations and enforcement powers that are soon coming into effect are subject to potential revision. So I think we can take it from the top, John, with that overview.
John Pattern: Well, Scott, anything to do with EU regulation feels like a lifetime ago, so you're not alone. The key thing to understand is that the AI Act is a risk-based regulation. So, it doesn't regulate a single AI concept, but it sorts AI systems into tiers based on the risks they pose to health, safety, and most importantly, fundamental rights, with the obligations under the Act increasing depending on the risk level. There are three main buckets, the first of which is prohibited AI systems, effectively. So those are systems where the practices under them, the use cases, are simply banned. So that's government social scoring, certain manipulative and exploitative systems, untargeted scraping of facial images to build recognition databases. And that has been banned since February 2025.
Katherine Forrest: Right, and so that's really kind of a foundational component of the Act, things that you just can't do no matter what, and those are actually in place and actively rules that companies have to abide by now.
John Pattern: Exactly. So, then the second bucket, and this is the heart of the Act, something we'll spend probably the most time speaking about today in the area of recent EU political updates, is focused on high-risk AI systems. So these systems are not banned, but they trigger significant compliance obligations. There are two categories. There are AI systems that are products or safety components of products that are subject to other EU regulation. So examples are toys and medical devices, or AI systems that are used for purposes where there seems to be the biggest risk to fundamental rights. So biometrics, hiring, education, immigration, access to justice, law enforcement. Providers, by which we mean developers of AI systems, have to put in place risk management, data governance, technical documentation, human oversight, and meet standards for accuracy and security if their AI systems are high risk. And then importers, distributors, deployers, so the businesses that bring the AI systems to the EU market or use the AI systems in the EU, then have a slightly lighter set of obligations. And then to round off the third bucket of types of AI system under the Act, that is general purpose AI, or GPAI. These are the big foundation models. You and Scott talk about these the whole time on your podcast: the recently released Opus 4.8 that powers Claude, GPT 5.5 that powers ChatGPT. Developers of those models have transparency and documentation duties, including putting in place a copyright policy for compliance with EU copyright laws and publishing a summary of their training data. And then there is a subcategory of GPAI models which are deemed to pose systemic risks because of their potentially greater capabilities. And those face extra testing and incident reporting requirements. And then the rules impacting those GPAI systems kicked in last August, so August 2025, and we'll come on to the high-risk compliance deadlines.
Scott Caravello: Awesome. And so, you know, talking about those GPAI rules that kicked in last August, and when I say GPAI, I'm referring to the GPAI models that you mentioned, John, just for our listeners, even though those requirements are technically in effect, noncompliance isn't actually being enforced yet, right?
John Pattern: Correct. So even though those actually are in force at the moment, the ability to bring regulatory fines only kicks in in August 2026. And so that doesn't mean that they don't have to comply, but the fines cannot kick off until that date.
Scott Caravello: Well, that's very interesting. And I know that there are also these more general obligations on transparency requirements for AI systems, regardless of risk. And, you know, we can come back to that. But, John, the big EU AI Act news of late is the final position on the digital omnibus on AI. Can you walk us through that? Where are we today and what is it?
John Pattern: Yep. Of course. So omnibus is Brussels shorthand for a package of amendments to a number of laws at once. The Commission proposed the digital omnibus back in November 2025 with the goal of simplifying the AI Act and some other digital regulations to make Europe more competitive and business-friendly. The problem was getting the European Parliament and the Council of the EU, which are the other two governing bodies of the EU alongside the Commission, to agree on the details. For months, it looked stuck, and there was real doubt about whether a deal would land before the high-risk rules come into effect at their original date in this August because the Act was trying to move those dates, as we'll come on to. But then on May 7 this year, after negotiations that ran very late into the night, the Parliament and the Council reached an agreement to extend those dates.
Katherine Forrest: And what would the change under that provisional agreement actually mean? I think it's important. It's an important change for our clients in terms of when those high-risk AI systems actually now are due to come into effect.
John Pattern: Definitely, yeah. So one of the key parts of the omnibus was to push back the compliance deadlines for high-risk AI systems. And what the provisional agreement does is it does that in two ways. So as I mentioned, there are two types of high-risk AI systems. So for the first type, so standalone high-risk AI systems, which cover AI tools used for certain specific high-risk activities like hiring or law enforcement, those were due—the obligations in relation to them were due to come into effect from August 2, 2026, but they've now been moved back 16 months to December 2, 2027. And then the other category of high-risk AI systems, which are products or safety components of products, which are themselves regulated—so I gave the examples earlier of toys and medical devices—these were always meant to be on a slightly later clock, with obligations triggered in August 2027. That's now been pushed back a year to August 2028. And the logic behind all of this being pushed back is that the supporting standards and guidance required for businesses to comply with these obligations are just not in place. Interestingly, the Commission's original omnibus proposal back in November 2025 would have made the start dates conditional upon those standards and guidance being in place, with the later dates I've just mentioned being longstop dates. But in the end, the Parliament and Council thought this did not create enough legal certainty, so they've just given specific dates, but without an actual indication of when the guidance and standards will be in place.
Katherine Forrest: What's a longstop date? That’s gotta be, like, some sort of European term. Scott, have you ever heard longstop date?
Scott Caravello: No, no, you beat me to the question, Katherine.
Katherine Forrest: All right. This is like a really sophisticated European term that didn't come over at the time of the American Revolution. So you're gonna have to tell us, John.
John Pattern: Yeah, yeah, yeah. A final date by which there is no ability to extend later.
Katherine Forrest: Got it. Well, a large factor in all of this is that the standards and guidance that are required to actually help people comply with all of this are, as you were saying, are just not in place. And the compliance deadline, it was actually rapidly approaching. It was gonna be just a couple of months from now, but nobody actually understood what they were gonna have to do. I think I've got that right.
John Pattern: Yeah, that's exactly right. And there was a lot of concern both in government and among industry participants about that. So where we are now is a very welcome development. Another particularly interesting development that I just want to make sure we touch on is the addition of a new prohibited practice, which was actually not envisaged by the original November 2025 omnibus proposal, but that is to put in place this new prohibited practice, so an outright ban, and that's for AI-generated nonconsensual intimate imagery, as well as AI-generated child sexual abuse material. And most importantly, this doesn't just cover the kind of purpose-built nudifier apps that people have been speaking about, but it also covers developers of general purpose image, video, or audio models who put them on the market without reasonable safeguards against that kind of output. So that will cover a lot of the major generative AI providers, and they need to be thinking hard about input and output filtering. And the clock on this one is short. Compliance is required by December 2, 2026. So even though we're getting some industry breathing room in some areas, lawmakers are also expanding the list of outright bans to cover what regulators around the world are recognizing as one of the most harmful uses of AI.
Katherine Forrest: You know, that's absolutely right. And I think that the issue with the nudification apps being added raises an interesting point, which is that the technology's changing and there are new capabilities that are coming along, and the EU AI Act is trying to be flexible. But whenever you've got a codified regime, it's necessarily going to at some point in time come to sort of a resting place, and then we're gonna have to see how flexible language within the Act can be expanded to cover what comes new. But, John, you mentioned a moment ago that this is a provisional agreement, so it's not yet finalized. What actually has to happen for it to become final in the EU?
John Pattern: Yeah, there's always another step in the EU. So the Parliament and the Council have to both formally adopt the text, and then there's a legal linguistic review which effectively has to make sure the law is essentially the same across all of the 24 official languages of the EU.
Scott Caravello: And—I have a question on that, which is just that I assume that the point of that is to make sure that the law has the same weight and legal effect regardless of which version you or a member state are using, right?
John Pattern: Exactly. And because this is a regulation rather than a directive, there's no local or national implementing law. So this is it. So they have to make sure that it is exactly the same in all of those languages. And then I guess I just note that once that's all done, it's published in the Official Journal of the EU, and it enters into force three days later. And one thing that's obviously very important to note is that this all has to happen before the original August 2, 2026, date because if it doesn't, then the old deadlines will technically kick in without this amendment being in effect.
Scott Caravello: Well, you know, every single time I go to the Commission website to download the Act and I have to choose among the languages, I have always wondered how that quality is guaranteed across all languages. So this is great, and I'm learning a lot.
Katherine Forrest: Wait, I gotta question that. How many languages are you choosing between, Scott? Okay, you've got the English language.
Scott Caravello: No, no.
Katherine Forrest: Are you going for, like, you know, Catalan? I mean, like, what language are you choosing between?
Scott Caravello: You're right. Let me be more specific. Every single time I, like, you know, sort of have to really, really look closely at whether I'm hitting the EN for English among, like, the big row of all of the different languages, I'm wondering, you know, how they're making sure that the law is exactly the same across every single option that's presented to me. Only English, though, yeah.
Katherine Forrest: Okay. All right. I just thought maybe today you were gonna do language number 21, and tomorrow you're gonna do language number 18.
Scott Caravello: It would be valuable if I could, you know, recite the AI Act in all 24 different languages. So, it's something to consider.
Katherine Forrest: See, John, this is what I put up with.
Scott Caravello: But just to be totally clear, right? Not everything is getting delayed. You had mentioned before the GPAI model obligations, those—enforcement kicks in August 2 of this year. That's not delayed. And then the transparency obligations that I briefly mentioned a while ago, those are still coming into effect this August as well, right?
John Pattern: Correct, save there was one digital omnibus update which meant that for generative systems that are already on the market before August 2026, then there is a short grace period for certain watermarking compliance until December 2, 2026. But otherwise, you're exactly right. The latest omnibus press releases suggest that transparency rules are still going to apply from August 2, 2026. And these are rules that apply to all relevant AI systems under the Act, regardless of whether they're high risk, GPAI or not. These are—and just to run through what they are first—if the AI system is intended to interact directly with people, so a chatbot, you have to tell people they interact with AI. Second, if you generate synthetic content, the output has to be marked as artificially generated in a machine-readable way. Third, if you deploy emotion recognition or biometric categorization systems, you have to notify the people exposed to them. And fourth, if you publish deepfakes or AI-generated text on matters of public interest, you have to disclose that it's artificial, subject in all cases to some narrow carve-outs like law enforcement or clearly artistic content.
Katherine Forrest: You know, it's actually interesting that the synthetic content output has to be marked as artificially generated in a machine-readable way rather than in a human-readable way. But I suppose what it wants to do is it wants to have sort of a signal that is going, you know, within the code itself to indicate that it's artificially generated. So thanks for all of that. But there was another big development in May of 2026 because we finally have the draft guidance on what actually counts as a high-risk AI system. And so, John, can you walk us through that just a bit?
John Pattern: Yep, and absolutely long-awaited, as with most things under the AI Act. It had originally been expected back in February 2026, but on the 19th of May, the Commission published the first draft guidelines on how to classify high-risk AI systems and opened them for consultation.
Scott Caravello: And so what's the big takeaway there, understanding that these guidelines are very likely to change before they're actually finalized?
John Pattern: Yeah, absolutely. So the central message is that if a system meets the base threshold of being an AI system under the AI Act, for which final guidance was released in February 2025, then the classification of it as a high-risk system is, as always, fact-specific and turns on the system's intended purpose, which may or may not be helpful. There is some help from the Commission, which says—which is kind of the negative, which is—you can't escape high-risk status by just writing a disclaimer that it's not intended for certain purposes if in your marketing materials you say it is intended for one of those purposes. So really what the guidance does is it pushes developers to describe their system's purpose clearly and consistently across all of their materials.
Scott Caravello: So if a company's tool is used in a high-risk area, is it automatically in scope for compliance obligations? Is that just the end of the story?
John Pattern: Not necessarily. There are a few limited carve-outs. These are codified in the Act, but then the guidance gives a bit more flesh to them and refers to them as a filter to exempt certain systems. So those are systems that conduct purely procedural tasks, systems that improve the result of a human activity that's already finished, systems that spot patterns or deviations in past decisions, or systems that solely conduct a preparatory step before the real assessment. But the guidance does emphasize that these exceptions should be interpreted very narrowly because these are exceptions to rules protecting people's fundamental rights.
Scott Caravello: And, you know, you talked a bit about how intent fits into whether something is high risk, but how do we think about that in an agentic world or a world where you have multiple AI systems that are contributing to a single process or a decision?
John Pattern: That's a great question, and obviously, agentic AI is top of thought at the moment. And unusually, the guidance has actually considered that. So if you've got several components combining to drive a high-risk decision, the Commission says they will assess the whole thing as a single system. So you can't try and slice up your system to avoid the compliance obligations because each piece is not high risk in isolation.
Katherine Forrest: And so what ends up being the next steps for all of this guidance?
John Pattern: So the consultation is open until June 23. And after that, the Commission will take the feedback on the draft, consult further with a body of member state representatives, revise the draft, maybe do another consultation, we'll see, and eventually get to a final version, which is likely to be later in 2026 or early in 2027. I think it's worth flagging that these are guidelines and are not legally binding. But in practice, they're a very strong signal of how the Commission and national regulators will approach classification and enforcement, so people should pay attention.
Katherine Forrest: So the picture is more time, a new red-line prohibition, draft guidance to consider, and standards that are still very much a work in progress. Do I have sort of like the upshot of all of this?
John Pattern: That's a fair summary.
Katherine Forrest: All right, John. Well, this has been fantastic. Thank you for joining us. And I also have to say that I love how you do your dates. It's like 2 December 2026 because it just sounds so much better than our, like, December 2. I don't know why.
John Pattern: Smallest to largest—day, month, year.
Katherine Forrest: I know, no, it makes sense. It makes sense. You know, we're very excited to have had you on. And we're gonna ask you to come back in a few weeks to discuss the regulatory landscape of AI in the UK, if that's okay with you.
John Pattern: That sounds wonderful, really looking forward to that. And thanks very much for having me today. It's been a great conversation.
Katherine Forrest: All right, well, this is Katherine Forrest signing off.
Scott Caravello: And I'm Scott Caravello. Don't forget to like and subscribe.