In Brief

The long-awaited EU AI Act was published in the Official Journal of the European Union today, 12 July 2024. The Act regulates activities across the AI lifecycle, as covered in more detail in our previous post, and the countdown for implementation has now started for companies developing or deploying AI technologies, with the Act entering into force 20 days after its publication on 1 August 2024. The Act as a whole is generally applicable two years after this date, on 2 August 2026 — however, companies should be aware now of a number of provisions with different implementation deadlines, reflecting the risk-based categorisation of AI systems.  

Timeline of provisions

  • 1 August 2024: AI Act enters into force.
  • 2 February 2025: Ban on ‘prohibited systems’ takes effect. These include use of subliminal techniques, systems that exploit vulnerable groups, biometric categorisation, social scoring, individual predictive policing, facial recognition systems using untargeted scraping, emotion recognition systems in workplaces and educational institutions, and ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement, with, in some use cases, qualifying thresholds for the system to be prohibited and certain limited exceptions.
  • 2 May 2025: AI Office to facilitate the development of codes of practice covering obligations on providers of general-purpose AI (GPAI) models, with member state and industry participation. A general-purpose AI model is defined under the Act as a model “trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications, except AI models that are used for research, development or prototyping activities before they are released on the market”. If these codes of practice cannot be finalized by 2 August 2025, or if the AI Office does not consider them adequate, common rules for the implementation of obligations of providers of GPAI will be adopted.
  • 2 August 2025:
    • GPAI governance obligations become applicable. While the obligations imposed on GPAI are generally less onerous than for high risk systems, they are subject to requirements in relation to technical documentation, having a policy to comply with copyright law, and making available a “sufficiently detailed” summary of the content of the training dataset. GPAI systems deemed to present “systemic risk” are subject to additional requirements.
    • Provisions on notifying authorities become applicable, and member states must have appointed competent authorities and implemented rules on penalties and administrative fines.
  • 2 February 2026: European Commission, in consultation with the European Artificial Intelligence Board, to develop guidelines on the practical implementation of the Act  along with a comprehensive list of practical examples of use cases of AI systems that are high-risk and not high-risk.
  • 2 August 2026:
    • AI Act becomes generally applicable. Specifically, obligations on high-risk AI systems listed in Annex III (including AI systems in biometrics, critical infrastructure, education, employment, access to essential public and defined private services, law enforcement, immigration and administration of justice) come into effect. These include pre-market conformity assessments, quality and risk management systems and post-marketing monitoring.
    • Member states are required to have implemented at least one regulatory sandbox on AI at national level.
  • 2 August 2027: Obligations on high-risk systems apply to products already required to undergo third-party conformity assessments. Includes products such as toys, radio equipment, in-vitro medical devices and agricultural vehicles. GPAI systems placed on the market before 2 August 2025 become subject to AI Act provisions.
  • 31 December 2030: AI systems which are components of the large-scale IT systems listed in Annex X that have been placed on the market or put into service before 2 August 2027 must be brought into compliance with the AI Act.

Next Steps

Our previous post provides specific recommendations for how to meet these obligations.

Baker McKenzie has a team of dedicated experts who can help you with all aspects of EU AI Act compliance, Responsible AI governance and related policies and processes.

Author

Ben works with clients on matters involving the cross-over space of media, IP and technology. His practice has a particular focus on artificial intelligence, data protection, copyright and technology disputes. He has a particular expertise in intermediary liability issues.

Author

Vin leads our London Data Privacy practice and is also a member of our Global Privacy & Security Leadership team bringing his vast experience in this specialist area for over 22 years, advising clients from various data-rich sectors including retail, financial services/fin-tech, life sciences, healthcare, proptech and technology platforms.

Author

Karen Battersby is Director of Knowledge for Industries and Clients and works in Baker McKenzie's London office.

Author

Elisabeth is a partner in Baker McKenzie's Brussels office. She advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.

Author

Cristina Duch is a partner in the Intellectual Property Practice Group in Barcelona and leader of the EMEA Brand Enforcement & Disputes Practice Group of the Firm. She has significant experience in a wide range of intellectual property matters, with particular emphasis on trademarks, designs, unfair competition and advertisement. She is a member of the Spanish Institute of Chartered Industrial Property Agents.

Author

Dr. Lukas Feiler, SSCP, CIPP/E, has more than eight years of experience in IP/IT and is a partner and head of the IP and IT team at Baker McKenzie • Diwok Hermann Petsche Rechtsanwälte LLP & Co KG in Vienna. He is a lecturer for data protection law at the University of Vienna Law School and for IT compliance at the University of Applied Science Wiener Neustadt.

Author

Francesca Gaudino is the Head of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology.

Author

Kathy Harford is the Lead Knowledge Lawyer for Baker McKenzie’s global IP, Data & Technology practice.

Author

Sue is a Partner in our Technology practice in London. Sue specialises in major technology deals including cloud, outsourcing, digital transformation and development and licensing. She also advises on a range of legal and regulatory issues relating to the development and roll-out of new technologies including AI, blockchain/DLT, metaverse and crypto-assets.

Author

José María Méndez es socio responsable del área de Propiedad Intelectual y Tecnologías de la Información y Comunicaciones de Baker & McKenzie Madrid. Anteriormente, fue socio del área de Propiedad Intelectual en un despacho internacional, así como secretario general adjunto de Sogecable y director de la asesoría jurídica del área de cinematografía y televisión. Participa con frecuencia en actividades sin ánimo de lucro de organizaciones como Caritas Diocesanas y Aldeas Infantiles. Asimismo, imparte clases en el Máster de Propiedad Intelectual de la Universidad Carlos III.

Author

Prof. Dr. Michael Schmidl is co-head of the German Information Technology Group and is based in Baker McKenzie's Munich office. He is an honorary professor at the University of Augsburg and specialist lawyer for information technology law (Fachanwalt für IT-Recht). He advises in all areas of contentious and non-contentious information technology law, including internet, computer/software, data privacy and media law. Michael also has a general commercial law background and has profound experience in the drafting and negotiation of outsourcing contracts and in carrying out compliance projects.

Author

Eva-Maria Strobel is a partner in Baker McKenzie's Zurich office. She is a member in the Firm's global IPTech Practice Group, chairs the EMEA IPTech Practice Group and heads the Swiss IPTech team. focuses on the development of intellectual property strategies to procure, protect and commercialize her domestic and multinational client's intangible assets and to grow the return on investment.

Author

Florian Tannen is a partner in the Munich office of Baker McKenzie. He advises on all areas of contentious and non-contentious information technology law, including internet, computer/software and data privacy law.