EU AI Act Published in the EU Official Journal

July 18, 2024

Reading Time : 4 min

On 12 July 2024, the European Union Artificial Intelligence Act (AI Act or Act) was published in the Official Journal of the European Union (EU), marking the final step in the AI Act’s legislative journey. Its publication triggers the timeline for the entry into force of the myriad obligations under the AI Act, along with the deadlines we set out below. The requirement to ensure a sufficient level of AI literacy of staff dealing with the operation and use of AI systems will, for example, apply to all providers and deployers on 2 February 2025.

Businesses should prioritise assessing what AI they deploy or develop, take measures to ensure AI literacy (i.e., skills, knowledge and understanding to make informed use of AI and awareness of its opportunities and risks) and assess if any of the AI systems will be prohibited and cease any such use and development. Next, companies should focus on putting in place a compliance programme, in collaboration with the relevant business teams, in relation to general-purpose AI models, as well as high-risk AI, such as AI systems used in recruitment, critical digital infrastructure, evaluating creditworthiness and biometrics and low-risk AI, such as chatbots. In some cases, compliance may require significant time and effort (for example, changes to high-risk AI models as to data sets and human oversight).

Our previous alert, following the Council of the EU issuing its final approval of the AI Act on 21 May 2024, sets out the mechanics of the AI Act in further detail. At a high level, the complex and involved AI Act imposes obligations in relation to all general-purpose AI models as well as regarding high-risk AI systems and low-risk AI systems, banning certain AI systems outright. The AI Act has an extra-territorial scope and applies to providers, deployers and a wide range of other participants in the AI value chain (i.e., supply chain). It has steep non-compliance penalties, with the maximum fine reaching 7% of global turnover or 35 million euro (approx. US$37.6 million, £29.9 million), whichever is higher. As detailed in Akin Intelligence, the AI Office, a new body under the EU Commission tasked with overseeing the implementation and enforcement of the AI Act, was set up in June. Another new body, the European AI Board, comprising representatives of EU Member States and aimed at ensuring consistent and effective application of the AI Act, also held its first meeting in June.

Users and developers of AI systems, including general-purpose AI models, should consider which parts of the Act apply to their operations and set up a compliance programme in order to meet their obligations in time in accordance with the relevant deadlines, as follows:

  • 1 August 2024: The EU AI Act officially enters into force.
  • 2 February 2025: All providers and deployers of AI systems need to ensure, to their best extent, a sufficient level of AI literacy of staff dealing with the operation and use of AI systems. Certain AI practices become prohibited, including certain biometric categorisation and identification systems; AI systems used to classify people by social behaviour or known, inferred or predicted personal or personality characteristics (e., ‘social scoring’), resulting in detrimental or unfavourable treatment; and AI systems that deploy subliminal techniques beyond a person’s consciousness, or exploit individuals’ vulnerabilities, with the objective or effect of materially distorting behaviour in a manner that causes or is reasonably likely to cause significant harm.
  • 2 August 2025: The requirements for all general-purpose AI (GP AI) models become binding (with some limited exceptions), with stricter obligations for GP AI with “systemic risk”. If certain criteria are met, GP AI models are considered with “systemic risk”; there is a presumption that the criteria are met in some instances.
  • 2 August 2026: The bulk of the remaining obligations on deployers and providers of AI become binding, including for low and high-risk and high low risk AI systems. High-risk AI systems are those that fall into eight categories under the Act, such as employment and recruitment, biometrics, access to essential services (such as evaluating creditworthiness) and critical infrastructure, including digital infrastructure. Those high-risk AI systems already on the market as of 2 August 2026 must comply only if, going forward, there are significant changes in their design. Low-risk AI systems include chatbots as well as tools generating synthetic audio, image, video or text content and deep fakes.
  • 2 August 2027 (and beyond): Providers of GP AI which were already on the market as of 2 August 2025, must comply with obligations for GP AI. AI systems regulated by specific EU laws (g., vehicles, aviation, medical devices, lifts, machinery) become subject to the obligations for high-risk AI systems. By 2030, certain other AI systems, mainly in the public domain, must comply with all remaining relevant obligations.

The Global Akin AI Group is available to discuss the AI Act and its implications for you at your convenience.

The full and final text of the AI Act is available to view on the Official Journal’s website.

Share This Insight

Previous Entries

Data Dive

November 19, 2024

The European Union’s AI Office published the inaugural General-Purpose AI Code of Practice on November 14, 2024. The Code is intended to assist providers of AI models in their preparations for compliance with the forthcoming EU AI Act, to be enforced from August 2, 2025. The Code is designed to be both forward-thinking and globally applicable, addressing the areas of transparency, risk evaluation, technical safeguards and governance. While adherence to the Code is not mandatory, it is anticipated to serve as a means of demonstrating compliance with the obligations under the EU AI Act. Following a consultation period that garnered approximately 430 responses, the AI Office will be empowered to apply these rules, with penalties for nonconformity potentially reaching 3% of worldwide turnover or €15 million. Three additional iterations of the Code are anticipated to be produced within the coming five months.

...

Read More

Data Dive

November 15, 2024

On October 29, 2024, the DOJ issued a proposed rule prohibiting and restricting certain transactions that could allow persons from countries of concern, such as China, access to bulk sensitive personal data of U.S. citizens or to U.S. government-related data (regardless of volume).

...

Read More

Data Dive

October 17, 2024

During the course of any lending transaction, lenders will conduct a due diligence review of the borrower, including reviewing any relevant “know-your-customer” information.

...

Read More

Data Dive

September 17, 2024

Following the publication of the European Union’s Artificial Intelligence Act (AI Act or Act) on 12 July 2024, there are now a series of steps that various EU bodies need to take towards implementation. One of the first key steps is in relation to the establishment of codes of practice to “contribute to the proper application” of the AI Act.

...

Read More

Data Dive

August 6, 2024

On July 30, 2024, the Senate passed the Kids Online Safety and Privacy Act (S. 2073) via an overwhelmingly bipartisan vote of 91-3 shortly before departing for the August recess.

...

Read More

Data Dive

July 18, 2024

On 12 July 2024, the European Union Artificial Intelligence Act (AI Act or Act) was published in the Official Journal of the European Union (EU), marking the final step in the AI Act’s legislative journey. Its publication triggers the timeline for the entry into force of the myriad obligations under the AI Act, along with the deadlines we set out below. The requirement to ensure a sufficient level of AI literacy of staff dealing with the operation and use of AI systems will, for example, apply to all providers and deployers on 2 February 2025.

...

Read More

Data Dive

July 18, 2024

On June 18, 2024, the United States Securities and Exchange Commission (SEC) announced a settlement with R.R. Donnelley & Sons Company (RRD) for alleged internal control and disclosure failures following a ransomware attack in 2021. Without admitting or denying the SEC’s findings, the business communications and marketing services provider agreed to pay a civil penalty of over $2.1 million to settle charges alleging violations of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 (Exchange Act) and Exchange Act Rule 13a-15(a).1

...

Read More

© 2024 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.