European Union member states on Tuesday gave final agreement to the world’s first major law for regulating artificial intelligence, as institutions around the world race to introduce curbs for the technology.

The EU Council said it had approved the AI Act — a groundbreaking piece of regulatory law that sets comprehensive rules surrounding artificial intelligence technology.

“The adoption of the AI act is a significant milestone for the European Union,” Mathieu Michel, Belgium’s secretary of state for digitization said in a Tuesday statement.

“With the AI act, Europe emphasizes the importance of trust, transparency and accountability when dealing with new technologies while at the same time ensuring this fast-changing technology can flourish and boost European innovation,” Michel added.

The AI Act applies a risk-based approach to artificial intelligence, meaning that different applications of the technology are treated differently, depending on the perceived threats they pose to society.

The law prohibits applications of AI that are considered “unacceptable” in terms of their risk level. Such applications feature so-called “social scoring” systems that rank citizens based on aggregation and analysis of their data, predictive policing and emotional recognition in the workplace and schools.

High-risk AI systems cover autonomous vehicles or medical devices, which are evaluated on the risks they pose to the health, safety, and fundamental rights of citizens. They also include applications of AI in financial services and education, where there is a risk of bias embedded in AI algorithms.

U.S. Big Tech firms in the spotlight

Matthew Holman, a partner at law firm Cripps, said the rules will have major implications for any person or entity developing, creating, using or reselling AI in the EU — with U.S. tech firms firmly in the spotlight.

“The EU AI is unlike any law anywhere else on earth,” Holman said. “It creates for the first time a detailed regulatory regime for AI.”

“U.S. tech giants have been watching this developing law closely,” Holman added. “There has been a lot of funding into public-facing generative AI systems which will need to ensure compliance with the new law that is, in some places, quite onerous.”

The EU Commission will have the power to fine companies that breach the AI Act as much 35 million euros ($38 million) or 7% of their annual global revenues — whichever is higher.

The change in EU law comes after OpenAI’s November 2022 launch of ChatGPT. Officials realized at the time that existing legislation lacked the detail needed to address the advanced capabilities of emerging generative AI technology and the risks around the use of copyrighted material.

A long road to implementation

The law imposes tough restrictions on generative AI systems, referred to by the EU as “general-purpose” AI. These include requirements to respect EU copyright law, transparency disclosures on how the models are trained, routine testing and adequate cybersecurity protections.

But it’s going to take some time before these requirements actually kick in, according to Dessi Savova, a partner at Clifford Chance. The restrictions on general-purpose systems won’t begin until 12 months after the AI Act comes into force.

And even then, generative AI systems that are currently commercially available, like OpenAI’s ChatGPT, Google’s Gemini, and Microsoft’s Copilot, get a “transition period” that gives them 36 months from the day it comes into force to get their technology compliant with the legislation.

“Agreement has been reached on the AI Act — and that rulebook is about to become a reality,” Savova told CNBC via email. “Now, attention must turn to the effective implementation and enforcement of the AI Act.”