Countdown to compliance as EU AI Act set to enter into force

One of the most significant pieces of legislation to be adopted by the outgoing EU mandate, the Artificial Intelligence Act (AI Act) was finally published in the Official Journal on 12 July 2024. It is due to come into force on 1 August 2024 and will become applicable in a phased manner from between six and 36 months thereafter, with most provisions applying after 24 months.

As the world’s most comprehensive legislative framework for AI developers, deployers and importers. the new Regulation seeks to guarantee that AI systems placed on the European Union internal market are secure, uphold current laws regarding fundamental rights and adhere to EU values.

Key Obligations

Taking the form of a Regulation, the AI Act is directly applicable on the EU’s 27 Member States. The Act takes what the EU institutions have described as a “risk-based approach”:

• Prohibited AI practices: includes AI practices violating fundamental rights such as social scoring, exploiting people's vulnerabilities, using subliminal techniques, real-time biometric identification in public spaces (with limited exceptions), certain forms of individual predictive policing, emotion recognition in workplaces and schools, in addition to untargeted scraping of internet or CCTV footage for facial images to build databases.
  
• High Risk AI systems: include AI systems used in biometrics, critical infrastructure, education, employment, self-employment, essential private/public services, law enforcement, migration, asylum, border control, justice administration and democratic processes. AI systems which are safety components of devices or are devices covered by EU product safety legislation are also considered high-risk. Requirements for these systems include pre-market conformity assessment, risk management, data governance, technical documentation provision, record keeping, transparency and human oversight. High-risk AI systems deployed by public authorities or related entities must be registered in a public EU database.
  
• Transparency obligations for certain AI systems: providers of AI systems intended to interact directly with natural persons or which generate synthetic audio, image, video or text content will be subject to transparency obligations. Deployers of emotion recognition or biometric categorisation systems and deployers of AI systems that generate or manipulate image, audio or video content constituting a deep fake are also subject to their own transparency obligations.
  
• General Purpose AI (GPAI) systems and models: risk categorisation is based on model capability rather than application. Two risk categories exist: GPAI models entailing systemic risk and all other GPAI models. Providers of systemic risk GPAI models have more compliance requirements. 
  
  • GPAI Models: providers must maintain technical documentation and share information with potential users about the capabilities and limitations of the model. They must also draw up and make publicly available a ‘sufficiently detailed summary’ about the content used for training of the model. A code of practice will be drawn up by the AI Office. 
    
  • GPAI Models with Systemic Risks: regarded as having systemic risk if they have high impact capabilities or are designated as such by the European Commission. A model is presumed to have high impact capabilities if the compute used for training measures 10^25 or more Floating Point Operations Per Second (FLOPs). Providers of these models have additional obligations like model evaluations, systemic risk mitigation, incident reporting and ensuring cybersecurity protection. A code of practice is also recommended.

Timeline and enforcement structure

Provisions regarding prohibitions will apply already six months…