The European Union is stepping toward formal oversight of ChatGPT, signaling a major shift in how Brussels plans to govern artificial intelligence. After extensive analysis, regulators have moved from debating whether to regulate the service to deciding how such rules should be applied. A potential classification as either a Very Large Online Platform (VLOP) or a Very Large Online Search Engine (VLOSE) would place ChatGPT at the forefront of the bloc’s toughest regulatory framework.

The driving force behind the heightened scrutiny is scale and influence. The Digital Services Act (DSA) targets platforms with a substantial footprint in Europe — roughly corresponding to a tenth of the bloc’s population. Crossing that threshold is viewed as carrying systemic risks to society, with potential impacts on public discourse and elections.

In Europe, user numbers for ChatGPT have grown rapidly, pushing the service into the territory where the DSA’s most stringent obligations could apply. If designated under this regime, ChatGPT would become the first AI chatbot to fall under the top tier of DSA rules, a status previously reserved for major social networks and traditional search engines.

Under such a classification, OpenAI would face stricter duties, including protections for online users (notably minors) and a comprehensive assessment and mitigation of systemic risks tied to its services. Measures would emphasize stronger moderation of harmful content and disinformation — a central challenge for generative AI systems.

• Annual external audits conducted by independent entities.
• Regular, detailed reporting on systemic risks and risk mitigation efforts.
• Greater transparency around data handling and privacy controls.
• Deeper disclosure of internal processes related to how the service operates and makes decisions.

Institutional questions accompany these regulatory moves. Some observers view the DSA’s application to a private conversational AI as an expansion beyond the law’s original remit, which centered on user-generated content on public platforms. Extending those rules to chat-based models could redefine how the EU treats AI systems, potentially establishing a blueprint for global standards.

OpenAI has begun aligning its European data practices with privacy norms by routing European and Swiss data through an Ireland-based entity, leveraging GDPR’s centralized supervisory model. To satisfy the “main establishment” criteria under GDPR, the company must show that the Irish entity holds substantial control over data-related decisions, enabling meaningful privacy oversight of its U.S. parent.

The EU faces a structural challenge: the DSA predates widespread adoption of large language models, and its definitions don’t map neatly onto AI chat systems. This creates a risk that regulators will struggle to keep pace as these technologies become more integrated into daily life. A final decision on how ChatGPT should be treated under the DSA is anticipated in the coming months, according to a senior Commission official.

Beyond ChatGPT, the bloc’s approach could influence how other AI models are governed, signaling a broader shift toward tighter oversight for major language models. The regulatory landscape is evolving, and developers will need to adapt to new expectations around accountability, transparency, and risk management as AI technologies continue to mature.