On 12 July 2024, the long-awaited Artificial Intelligence Act (AI Act) was published in the Official Journal of the European Union (OJEU), meaning that 20 days from this date it will enter into force and will apply from 2 August 2026, bringing certainty regarding the timeline for its applicability, which is staged over two years.

The AI Act is the first comprehensive regulatory framework for AI, as it includes rules related to ethical AI use and enhanced consumer protection, and it supports innovation and market access. We can anticipate that almost every single organization developing, deploying or using AI systems will need to comply with the AI Act, regardless of their location.

In a new blog post series, our Cooley team will look at how, from a practical perspective, organizations can prepare for the AI Act before it becomes applicable, and also will unpack some of the most pressing matters surrounding it – such as its scope, transparency requirements, role of human oversight and interplay with the General Data Protection Regulation (GDPR), amongst other issues.

Before diving into the blog post series and the impacts the AI Act will have on businesses, you should note that one of the core features of the AI Act is its extra-territorial effect. As an example, the AI Act applies to providers of AI systems that place or put into service AI systems on the EU market, irrespective of where they are established or located. The AI Act also applies to providers or deployers of AI systems established or located outside the EU where the output of the system is used in the EU.

It also is worth highlighting that the AI Act classifies AI systems into different categories based on the level of risk they pose (unacceptable, high, limited and minimal), consolidating the EU’s risk-based approach for regulating AI – the higher the risk that an AI system poses to health, safety, fundamental rights, the environment, democracy and the rule of law, the stricter the rules.

Moreover, the AI Act bans AI systems considered to be a threat to the health, safety and fundamental rights of individuals, the environment, democracy and the rule of law. Some examples include:

  • Biometric categorization systems that use sensitive characteristics (e.g., political, religious and philosophical beliefs, sexual orientation, and race).
  • Untargeted scraping of facial images from the internet or closed-circuit television footage to create facial recognition databases.
  • Social scoring based on social behavior or personal characteristics.

Alongside transparency requirements when employing AI systems, the AI Act also introduces guardrails for general-purpose AI (GPAI). Under these rules, GPAI models will be subject to additional binding obligations related to managing risks and monitoring serious incidents, as well as performing model evaluation.

As far as penalties are concerned, similar to the GDPR, noncompliance with the AI Act can lead to significant fines, ranging from 7.5 million euros or 1.5% of global turnover (whichever is higher) to 35 million euros or 7% of global turnover (whichever is higher), depending on the infringement.

Timeline

The publication of the AI Act in the OJEU triggers the official start of the AI Act’s timeline, the key dates of which are set out below so that you can start preparing for the AI Act to become applicable.

The AI Act enters into force on the 20th day following its publication in the OJEU and will apply from 2 August 2026. However, as shown above, certain provisions will become applicable at a different date, namely:

  • Chapters I (General provisions) and II (Prohibited practices) shall apply from 2 February 2025.
  • Chapter III, Section 4 (High risk systems, notifying authorities and notified bodies), Chapter V (General-purpose AI models), Chapter VII (Governance) and Chapter XII (Penalties) shall apply from 2 August 2025, with the exception of Article 101 (Fines for providers of general-purpose AI models).
  • Article 6(1) (Classification rules for high-risk AI systems) and the corresponding obligations in the AI Act will apply from 2 August 2027.

At Cooley, we will continue to unpack the most relevant aspects of the AI Act over the coming months. If there is a specific topic you would like to see covered in our blog post series, or if you would like to discuss what the AI Act means for your organization, do not hesitate to reach out to the Cooley team.

Stay tuned for more!

Authors

Patrick Van Eecke

Travis LeBlanc

Enrique Capdevila

Yasmin Roland

Bart Regenhardt

David Knobel

Posted by Cooley