Innovating in Line with the EU AI Act

Last week, the first provisions of the European Union AI Act, the world’s first comprehensive AI regulation, went into effect. At Microsoft, we’re building our products and services to comply with our obligations under the EU AI Act and working with our customers to help them deploy and use the technology compliantly. We also encourage customers to consider their own circumstances and unique risks as they determine how the Act might apply to them, and to seek legal advice as needed.  

The AI Act extends beyond the EU—it applies to companies that operate in countries that place AI products on the EU market or produce AI systems whose outputs are used in the EU. Microsoft has been involved in dialogue with EU regulators from the AI Act’s earliest stages, and we continue to engage with regulators to share our insights, seek clarity on open questions, and advocate for practical outcomes. Below, we go into more detail on how we and our customers can innovate in line with the EU AI Act. 

Building Microsoft products and services that comply with the EU AI Act  

Organizations around the world use Microsoft products and services for innovative AI solutions that empower them to achieve more. For these customers, particularly those operating globally and across different jurisdictions, regulatory compliance is extremely important. This is why, in every customer agreement, Microsoft has committed to comply with all laws and regulations applicable to Microsoft. This includes the EU AI Act. It is also why we made early decisions to build and continue to invest in our AI governance program.  

"At Microsoft, we are ready to help our customers do two things at once: innovate with AI and comply with the EU AI Act." - Chief Responsible AI Officer Natasha Crampton

Our framework for guiding engineering teams building Microsoft AI solutions—the Responsible AI Standard—was drafted with an early version of the EU AI Act in mind.   

Building on these foundational components of our program, we have devoted significant resources to implementing the EU AI Act across Microsoft. Cross-functional working groups combining AI governance, engineering, legal, and public policy experts have been working for months to identify whether and how to update our internal standards and practices.  

For example, as the EU AI Act’s prohibited practices provisions became among the first provisions to go into effect on February 2, 2025, we have taken a proactive, layered approach to compliance that includes:  

• Conducting a thorough review of Microsoft-owned systems already on the market to identify any places where we might need to adjust our approach.  

• Creating new restricted uses in our internal company policy to ensure Microsoft doesn’t design or deploy AI systems for uses prohibited by the EU AI Act.  

• Updating our contracts, including our Generative AI Code of Conduct, so that our customers clearly understand they cannot engage in any prohibited practices.  
• Working with customers to help them deploy and use Microsoft products and services in compliance with the EU AI Act .

One of the core concepts of the EU AI Act is that obligations need to be allocated across the AI supply chain. This means that an upstream regulated actor like Microsoft must support downstream regulated actors, like our enterprise customers, when they integrate a Microsoft tool into a high-risk AI system. We embrace this concept of shared responsibility and aim to support our customers with their AI development and deployment activities by sharing our knowledge, providing documentation, and offering tooling. This all ladders up to the AI Customer Commitments that we made in June of last year to support our customers on their responsible AI journeys.  

Because tooling is necessary to achieve consistent and efficient compliance, we make available to our customers versions of the tools that we use for our own internal purposes. These tools include Microsoft Purview Compliance Manager, which helps customers understand and take steps to improve compliance capabilities across many regulatory domains, including the EU AI Act; Azure AI Content Safety to help mitigate content-based harms; Azure AI Foundry to help with evaluations of generative AI applications; and Python Risk Identification Tool or PyRIT, an open innovation framework that our independent AI Red Team uses to help identify potential harms associated with our highest-risk AI models and systems.  

Going forward  

Microsoft will continue to make significant product, tooling, and governance investments to help our customers innovate with AI in line with new laws like the EU AI Act. Implementation practices that are efficient, effective, and interoperable internationally are key to supporting useful and trustworthy innovation on a global scale.  

Since the dates for compliance with the EU AI Act are staggered and key implementation details are not yet finalized, we will continue to publish information and tools on an ongoing basis. Those interested in keeping up with the latest developments can consult our EU AI Act documentation on the Microsoft Trust Center to stay up to date.