Europe struck a tentative agreement on Friday on historic regulations pertaining to the use of artificial intelligence by the European Union, including how governments can use AI for biometric monitoring and how to control ChatGPT and other AI systems.

The political accord positions the EU to become the first global power to pass AI-related legislation. Following an almost 24-hour debate the day before, roughly 15 hours of negotiations resulted in the agreement reached on Friday between EU member states and members of the European Parliament.

The two sides are set to hash out details in the coming days, which could change the shape of the final legislation.

“Europe has positioned itself as a pioneer, understanding the importance of its role as a global standard setter. This is yes, I believe, a historical day,” European Commissioner Thierry Breton told a press conference.

The accord requires foundation models such as ChatGPT and general purpose AI systems (GPAI) to comply with transparency obligations before they are put on the market. These include drawing up technical documentation, complying with EU copyright law and disseminating detailed summaries about the content used for training.

High-impact foundation models with systemic risk will have to conduct model evaluations, assess and mitigate systemic risks, conduct adversarial testing, report to the European Commission on serious incidents, ensure cybersecurity and report on their energy efficiency.

GPAIs with systemic risk may rely on codes of practice to comply with the new regulation.

Governments can only use real-time biometric surveillance in public spaces in cases of victims of certain crimes, prevention of genuine, present, or foreseeable threats, such as terrorist attacks, and searches for people suspected of the most serious crimes.

The agreement bans cognitive behavioural manipulation, the untargeted scrapping of facial images from the internet or CCTV footage, social scoring and biometric categorisation systems to infer political, religious, philosophical beliefs, sexual orientation and race.

Consumers would have the right to launch complaints and receive meaningful explanations while fines for violations would range from 7.5 million euros ($8.1 million) or 1.5% of turnover to 35 million euros or 7% of global turnover.

Business group DigitalEurope criticised the rules as yet another burden for companies, on top of other recent legislation.

“We have a deal, but at what cost? We fully supported a risk-based approach based on the uses of AI, not the technology itself, but the last-minute attempt to regulate foundation models has turned this on its head,” its Director General Cecilia Bonefeld-Dahl said.

Privacy rights group European Digital Rights was equally critical.

“It’s hard to be excited about a law which has, for the first time in the EU, taken steps to legalise live public facial recognition across the bloc,” its senior policy advisor Ella Jakubowska said.

“Whilst the Parliament fought hard to limit the damage, the overall package on biometric surveillance and profiling is at best lukewarm.”

The legislation is expected to enter into force early next year once both sides formally ratify it and should apply two years after that.

Governments around the world are seeking to balance the advantages of the technology, which can engage in human-like conversations, answer questions and write computer code, against the need to put guardrails in place.

Europe’s ambitious AI rules come as companies like OpenAI, in which Microsoft is an investor, continue to discover new uses for their technology, triggering both plaudits and concerns. Google owner Alphabet on Thursday launched a new AI model, Gemini, to rival OpenAI.

The EU law could become the blueprint for other governments and an alternative to the United States’ light-touch approach and China’s interim rules.