AI Act: Understanding European AI Regulation

Introduction

In 2024, the European Union adopted the AI Act, the world’s first law dedicated to artificial intelligence. Often compared to GDPR for personal data, this regulation aims to establish a clear framework: protect citizens against drifts, while encouraging responsible innovation.

But what does this mean concretely for developers, startups and open source actors like PrestaShop? This article offers a pedagogical reading, with historical perspective, stakes in France and practical impacts for SMEs.

1. A Bit of History: From Proposal to Adoption

  • 2021: the European Commission proposes the text.
  • 2022–2023: intense debates between Parliament and Council. Controversial subjects appear: facial recognition, generative AI, provider responsibility.
  • 2024: final adoption. The regulation came into force on August 1, 2024, but obligations will apply progressively until 2026.

This temporality allows companies to prepare, but also raises concerns: some voices judge the calendar too rapid and insufficiently supported.

2. The AI Act’s Objectives

The AI Act is structured around a risk management logic:

  • Prohibit the unacceptable: practices like Chinese-style social scoring, psychological manipulation exploiting vulnerabilities, or mass biometric recognition in public space.
  • Frame high-risk AI: health, education, employment, justice, security… These AIs must prove their safety, absence of bias in their data and effective human supervision.
  • Ensure transparency: deepfake reporting, mandatory mention when interacting with a chatbot or when content is AI-generated.
  • Stimulate a trust market: by harmonizing rules at European level and avoiding 27 divergent national laws.

Behind this project, the EU wants to repeat the GDPR effect: become a global standard in ethical AI.

3. Obligations for AI Actors

Low or Limited Risk AI

  • Total freedom (video games, anti-spam filters).
  • Simple transparency obligation: inform the user that content is AI-generated.

High-Risk AI

  • Complete technical documentation (data, algorithms, test methods).
  • Conformity assessment + CE marking before market release.
  • Continuous risk management and regular audits.
  • Mandatory human supervision for certain sensitive decisions.
  • Serious incident reporting in a European database.

Sanctions

Fines up to €30M or 6% of global turnover, modulated for SMEs.

4. Focus France: Opportunities and Tensions

National Implementation

In France, three authorities will supervise application:

  • CNIL (data and freedoms),
  • DGCCRF (market surveillance),
  • Defender of Rights (discrimination and fundamental rights).

The DGE (Ministry of Economy) pilots adaptation and support, via guides and workshops.

Debate on Facial Recognition

France has been in tension with Brussels:

  • The EU prohibits real-time biometric recognition except in very serious cases.
  • But for the 2024 Olympics, Paris pleaded for smart camera experimentation.

Example clearly showing the difficulty: reconciling public security and protection of freedoms.

Framed Innovation

France is preparing regulatory sandboxes, inspired by fintech, to allow startups to test their AIs under supervision. This illustrates the will to support, not slow down, innovation.

5. Impact on SMEs, Startups and Developers

Opportunities

  • Access to free sandboxes to test AIs in real conditions.
  • Support by the Commission via codes of conduct (e.g. for generative AI).
  • Strengthening customer trust: a compliant startup gains credibility.

Risks

  • Compliance costs (lawyers, audits, documentation) heavy for small structures.
  • Risk of competitive disadvantage against US/Asian giants better armed to absorb these costs.
  • Fear of regulatory fragmentation if interpretation differs from one country to another.

Open Source

  • Planned exemption: freely published projects don’t fall under the law, unless they’re used in high-risk systems.
  • If an open source component is integrated into critical AI, it’s the final operator who must assume compliance.
  • An essential guarantee for ecosystems like PrestaShop, which works in open source.

PrestaShop Case

  • Concrete example: a fraud detection or customer scoring AI module could be classified “high risk”.
  • PrestaShop developers will therefore need to provide:
    • transparency (explanation of AI decisions),
    • technical documentation,
    • human supervision mechanism.

Conclusion

The AI Act is an ambitious and unprecedented regulation. It combines citizen protection (against AI drifts) and will for responsible innovation.

For French SMEs, startups and developers, the message is clear:

  • Anticipate now the rules (transparency, documentation, supervision),
  • Use sandboxes to become compliant,
  • Transform this constraint into competitive advantage.

Like GDPR, those who master the AI Act fastest will gain user trust. See you in 2026 to see if Europe has succeeded in its bet.

Article published on August 29, 2025 by Nicolas Dabène - PHP & PrestaShop expert with 15+ years of experience.