The EU AI Act is Official

Introduction

It is finally official. The European Union (EU) Artificial Intelligence (AI) Act was published in the Official Journal of the European Union on July 12, 2024, as “Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised [sic] rules on artificial intelligence” (the “Act”). As of today, 1 August 2024, the Act is officially part of EU law.

This marks a major milestone in the implementation of the EU’s transformative path toward digital regulation. While the Act will generally apply starting on 2 August 2026, the exact milestones are numerous, intricate, and complex, with some provisions applying as early as February 2025.

See our previous summary of the Act here.

General Implementation

Today, 1 August 2024, marks the start of the preparation period for organizations to comply with the Act. The Act will be implemented in four (4) phases over the next three (3) years.

2 February 2025 - Prohibited AI 

Prohibitions on certain AI practices deemed to pose an unacceptable risk by the EU will take effect.

2 August 2025 - General-Purpose AI Systems (GPAI)

Select requirements for providers of GPAIs will be enforced. This impacts sophisticated large language models (LLMs) and foundation models that are entering the market.

2 August 2026 - General Application Date

All remaining provisions of the Act will apply, including obligations related to high-risk AI systems listed in Annex III, such as those used in biometrics, education, employment, insurance, financial services, and critical infrastructure.

2 August 2027 - High-Risk AI System Requirements for Product and Safety Components

Obligations will be enforced for high-risk AI systems that are products or safety components governed by existing EU harmonization legislation, like medical devices and machinery.

For most organizations not involved in developing GPAIs, 2 February 2025 and 2 August 2026 are the key dates to focus on. This provides about two years to ensure full compliance with AI regulations. For certain AI systems and GPAI models already on the market, the compliance deadlines are more lenient.

Key Requirements

The Act introduces a comprehensive cross-sector framework for developing, deploying, and distributing AI systems. The extent to which an organization within the territorial scope of the Act is subject to its requirements depends largely on (1) the nature and purpose of the AI system and (2) the organization’s role in the supply chain.

Not all AI systems are comprehensively regulated under the Act. Instead, the primary focus is on imposing obligations on companies involved in the development, deployment, and distribution of “high-risk” AI systems. These high-risk systems are designated for specific purposes explicitly listed in the regulation and are considered by the EU to pose significant risks.

Beyond prohibitions on certain AI practices, the Act includes a separate framework for providers of GPAIs. These providers are generally responsible for developing upstream AI models that can be configured and deployed for various purposes. Additionally, there are limited transparency and AI literacy requirements for many providers and deployers of AI systems, regardless of whether the system is classified as “high-risk.”

Accountability

In line with other EU digital regulations, the potential penalties for violating the Act are rather substantial. Organizations may face fines up to €35 million or 7% of their annual worldwide turnover, whichever is higher, for the most serious offenses. Each EU country will establish specific sanctioning regimes for high-risk systems, leading to some expected variations.

EU authorities with explicit competence under the regulation will have significant additional powers, including access to source code, documentation, and training datasets. They can evaluate AI systems, mandate rectifications, and, if necessary, recall or remove systems from the EU market.

Next Steps for Businesses

Organizations covered by the Act, including those that foresee a similar compliance obligation in other global jurisdictions, should prioritize the following four (4) steps:

1. Conduct an Inventory

Document all AI systems the organization develops, deploys, and distributes.

2. Assess the Act’s Applicability

Evaluate the Act's impact on the organization (as a provider, deployer, or distributor/importer) and identify likely obligations.

3. Perform a Gap Analysis

Compare current governance, risk, and compliance (GRC) measures with those required under the Act and list recommended remediations.

4. Implement a Compliance Program

Develop a program based on the AI inventory, applicability assessment, and gap analysis to ensure appropriate measures are in place by the relevant implementation dates under the Act.

Compliance Dates in Detail

2024

August 1, 2024

  • Entry into force of the AI Act (pursuant to Art. 113). The Act becomes part of the EU legal order. The Act’s provisions are not yet fully applicable.

November 2, 2024

  • EU Member States must have identified the public authorities or bodies that supervise or enforce obligations under EU law protecting fundamental rights, including the right to nondiscrimination, in relation to the use of high-risk AI systems referred to in Annex III of the Act (Art. 77(2)).

2025

February 2, 2025

  • Chapters I and II of the Act begin to apply (Art. 113(a)). These include the general provisions (e.g., geographic scope, definitions) and the provisions on prohibited AI practices. As such, evaluating activities that might be considered “prohibited practices” under Article 5 of the AI Act should begin immediately.

  • The general obligation to ensure a sufficient level of AI literacy of staff under Article 4 of the Act will also apply from this date.

May 2, 2025

  • Codes of practice for the implementation of GPAI models and related obligations must be ready (Art. 56(9)). These codes should support providers in achieving compliance with their duties relating to GPAI models.

August 2, 2025

  • Chapter III, Section 4 (Notifying authorities and notified bodies), Chapter V (GPAI models), Chapter VII (Governance) and Chapter XII (Penalties) will apply (except for Article 101, which deals with fines for providers of GPAI models).

  • Chapter III, Section 4 concerns notifying authorities and notified bodies, which are essential for the establishment of conformity assessment bodies.

  • Chapter V contains the provisions related to GPAI models that were introduced late in the legislative process; for example, the mandatory notification procedure for the provider (Art. 52(1)), documentation requirements (Art. 53) and the appointment of an authorized representative (Art. 54). Article 55 provides additional responsibilities for the evaluation and mitigation of systemic risk and cyber and infrastructure security.

  • Chapter VII establishes a governance structure on the EU level, including the AI Office, the European Artificial Intelligence Board, the advisory forum and the scientific panel. On the Member State level, competent authorities must be appointed by this date (Art. 70(2)).

  • Concurrently, the European Commission must finalize its guidance to facilitate compliance with the reporting obligations in case of serious incidents (Art. 73(7)).

  • Chapter XII concerns penalties. This includes Article 99(3), which specifies the fines for noncompliance with prohibited AI practices referred to in Article 5. 

2026

February 2, 2026

  • The European Commission will issue implementing acts to create a template for high-risk AI providers' post-market monitoring plans, serving as the foundation for the monitoring system established by Article 72. 

  • Additionally, by this date, the Commission must provide guidelines for the practical implementation of Article 6, which pertains to the classification of an AI system as high risk (Art. 6(5)).

August 2, 2026

  • The date of applicability for all provisions of the Act.

  • Obligations for high-risk AI systems will apply from this date, including risk and quality management systems, diligent data governance, technical documentation, recordkeeping, and transparency and information obligations.

  • Chapter IV addresses operators of AI systems directly interacting with humans, generative AI systems, and emotion recognition or biometric categorization systems, introducing disclosure and information responsibilities.

  • Finally, EU Member States must have implemented rules on penalties and other enforcement measures and notified the European Commission about them (Art. 99).

  • At least one AI regulatory sandbox must be operational at a national level (Art. 57(1)).

2027

August 2, 2027

  • This is the ultimate compliance deadline for AI systems covered by existing harmonization legislation (Art. 113(c)) and for providers of GPAI models that have been placed on the market up to 12 months after 1 August 2024.

Conclusion

The official adoption of the EU AI Act signifies a pivotal moment in the regulation of artificial intelligence within the European Union. This comprehensive framework sets a clear roadmap for compliance, with phased implementation timelines and specific requirements for different types of AI systems. Organizations must now prioritize understanding and preparing for these new obligations to ensure compliance and mitigate risks. The penalties for non-compliance are significant, highlighting the importance of proactive measures. As we move towards the full application of the Act, businesses must adapt and align their AI strategies with these stringent regulatory standards.

If you want more information about how to mature your data protection, privacy, and AI governance, risk, and compliance programs, please reach out for a free consultation. 1GDPA assists organizations that need professional advice on securing and leveraging their data in a responsible and legally compliant manner. 

