In Brief
The long-awaited EU AI Act was published in the Official Journal of the European Union today, 12 July 2024. The Act regulates activities across the AI lifecycle, as covered in more detail in our previous post, and the countdown for implementation has now started for companies developing or deploying AI technologies, with the Act entering into force 20 days after its publication on 1 August 2024. The Act as a whole is generally applicable two years after this date, on 2 August 2026 — however, companies should be aware now of a number of provisions with different implementation deadlines, reflecting the risk-based categorisation of AI systems.
Timeline of provisions
- 1 August 2024: AI Act enters into force.
- 2 February 2025: Ban on ‘prohibited systems’ takes effect. These include use of subliminal techniques, systems that exploit vulnerable groups, biometric categorisation, social scoring, individual predictive policing, facial recognition systems using untargeted scraping, emotion recognition systems in workplaces and educational institutions, and ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement, with, in some use cases, qualifying thresholds for the system to be prohibited and certain limited exceptions.
- 2 May 2025: AI Office to facilitate the development of codes of practice covering obligations on providers of general-purpose AI (GPAI) models, with member state and industry participation. A general-purpose AI model is defined under the Act as a model “trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications, except AI models that are used for research, development or prototyping activities before they are released on the market”. If these codes of practice cannot be finalized by 2 August 2025, or if the AI Office does not consider them adequate, common rules for the implementation of obligations of providers of GPAI will be adopted.
- 2 August 2025:
- GPAI governance obligations become applicable. While the obligations imposed on GPAI are generally less onerous than for high risk systems, they are subject to requirements in relation to technical documentation, having a policy to comply with copyright law, and making available a “sufficiently detailed” summary of the content of the training dataset. GPAI systems deemed to present “systemic risk” are subject to additional requirements.
- Provisions on notifying authorities become applicable, and member states must have appointed competent authorities and implemented rules on penalties and administrative fines.
- 2 February 2026: European Commission, in consultation with the European Artificial Intelligence Board, to develop guidelines on the practical implementation of the Act along with a comprehensive list of practical examples of use cases of AI systems that are high-risk and not high-risk.
- 2 August 2026:
- AI Act becomes generally applicable. Specifically, obligations on high-risk AI systems listed in Annex III (including AI systems in biometrics, critical infrastructure, education, employment, access to essential public and defined private services, law enforcement, immigration and administration of justice) come into effect. These include pre-market conformity assessments, quality and risk management systems and post-marketing monitoring.
- Member states are required to have implemented at least one regulatory sandbox on AI at national level.
- 2 August 2027: Obligations on high-risk systems apply to products already required to undergo third-party conformity assessments. Includes products such as toys, radio equipment, in-vitro medical devices and agricultural vehicles. GPAI systems placed on the market before 2 August 2025 become subject to AI Act provisions.
- 31 December 2030: AI systems which are components of the large-scale IT systems listed in Annex X that have been placed on the market or put into service before 2 August 2027 must be brought into compliance with the AI Act.
Next Steps
Our previous post provides specific recommendations for how to meet these obligations.
Baker McKenzie has a team of dedicated experts who can help you with all aspects of EU AI Act compliance, Responsible AI governance and related policies and processes.