18. October 2024 By Christian Hammer
It's official – the EU AI Act is here. Who should act now?
Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167 /2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/9 0/EU, (EU) 2016/797 and (EU) 2020/1828 (Regulation on Artificial Intelligence) (hereinafter referred to as the ‘AI Act’ for the sake of simplicity) was published in the Official Journal of the European Union on 12 July 2024. All member states were informed of the content, regardless of media coverage. The regulation thus came into force 20 days later. Due to the different subjects covered by the AI Act, different periods for final application also apply. The transitional periods begin with the entry into force, see Article 113.
In the following, the relevant dates for government agencies are mentioned first, and then the deadlines for providers, operators and large-scale systems of AI systems are explained. Finally, generally applicable rules and deadlines are highlighted.
State authorities are required
However, before the first data subjects can invoke the AI Act, a number of conditions must be met. These procedures are also subject to deadlines as described in the AI Act. Article 77 (2) stipulates that all EU member states must designate authorities or bodies to protect fundamental rights in their respective member states by 2 November 2024.
The European Commission has until 2 May 2025 to adopt codes of conduct for the entire Union, taking into account international approaches to the proper application of the Regulation, as stated in Article 56(9) and Recital 179.
02/08/2025 is a very important date. On that date, all EU Member States will have to report to the Commission on the state of implementation by the national authorities for the first time and will have to repeat this every two years from that date (see Article 70(6)). This report is also linked to the publication of the bodies responsible for market surveillance and notification (Article 70(2)). In this context, the specified sanction and penalty provisions were also published (see again Recital 179). The review and, if necessary, amendment of the cases covered by the prohibited practices ( see Art. 112 (1)) by the Commission also takes place for the first time (and annually thereafter) on the anniversary of the entry into force. Finally, a provision is made for the eventuality that the Code of Practice has not been finalised by that date (Article 56(9)).
The European Commission has until 2 February 2026 to present guidelines for the practical implementation of high-risk applications and to ensure compliance with these guidelines after the products have been placed on the market (see Article 6(5), Article 72(3)).
On 2 August 2026, the Member States must demonstrate at least one functional AI sandbox in accordance with Article 57(1).
In 2027, there are no further deadlines for the public sector, and the first half of the year is also quiet in this regard. However, like 2025, 2 August 2028 is also an important date. The Commission will turn its attention to the AI Office and review its functioning (see Article 112(5)). The effectiveness of the voluntary codes of conduct will also be reviewed (Article 112(7) and Recital 174). In addition, a review will be carried out for the first time (and then every four years) to determine whether any changes are needed to the subject area headings in Annex III (i.e. which industries or use cases generally fall into the high-risk area), the list of AI systems requiring additional transparency measures set out in Article 50, and the overall supervisory and governance system (see Article 112(2) and Recital 174). Article 112(6) and recital 174 also provide that the Commission should report on the results of standardisation, in particular with regard to the energy-efficient development of AI models.
For the first time (and then every four years) on 2 August 2029, the Commission may report on the AI Act in a small group to the European Parliament and the Council and present its assessment (see Article 112(3) and Recital 174). Two years later, on 2 August 2031, there will be a new, updated evaluation, but in this case not only by the Council and Parliament, but also by the European Economic and Social Committee (Article 112(13)).
This description does not include the deadlines for powers or delegations of powers.
Table 1: Deadlines for various government agencies
Deadlines also apply to providers of AI systems
Before we look at the deadlines below, the question arises as to who is considered a provider. The AI Act defines a provider as any entity that develops, commissions the design of, or markets under its own name a general-purpose AI (GPAI) system or model, whether or not for consideration. So while our customers tend to take on the role of deployer, our technology partners, for example, are likely to often operate in the role of provider. The role of provider is most heavily regulated by the AI Act; the English translations in brackets are provided for ease of reference.
As with government entities, 2 August 2025 is a noteworthy date for providers. All GPAI models that have been placed on the market or put into operation before that date must comply with the AI Act by 2 August 2027 (Article 111(3)).
Providers, but also emergency services, who play a special role in the AI Act due to their use cases, are obliged to implement all requirements and obligations of the regulation by 2 August 2030 (Article 111(2)).
Table 2: Deadlines for providers
Operators and large-scale IT systems also have a lot to fulfil
At this point, too, the two terms should first be defined. The term operator includes providers, product manufacturers, distributors, authorised representatives, importers or dealers of AI systems or AI models. It is therefore an umbrella term that encompasses all the other roles provided for in the Regulation and, in addition, product manufacturers. Large-scale IT systems are explicitly named in Annex X of the Regulation, such as Eurodac or the Visa Information System.
Operators of high-risk AI systems (with the exception of those mentioned in Art. 111 (1)), which were put into operation before 2 August 2026, are covered by the regulation, but only if significant changes are made from that date (Art. 111 (2)).
Large-scale IT systems (see Annex X) that were put into operation before 2 August 2027 must be compliant with the AI Act by 31 December 2030 (Article 111(1)).
Table 3: Deadlines for operators
General deadlines also exist
for the regulation itself, with different dates applying for certain components in terms of when their validity begins.
The AI systems or models that pose the greatest risk are affected first: for the prohibited practices (see chapters 1 and 2), the measures of the AI Act are to be applied from 2 February 2025 (see Article 113(a) and Recital 179).
From 2 August 2025, some rules will come into force that are currently still in preparation (see also the obligations of the member states). These include the establishment or existence of the designated bodies (see Chapter III, Section 4), all rules relating to governance, including the bodies at Union and national level (Chapter VII), the rules on confidentiality (Article 78) and on sanctions (Articles 99 and 100). Most importantly, however, the provisions set out in Article V concerning the IPA models will also take full effect at this point in time (see Article 113(b)).
The majority of the AI Act will apply from 02.08.2026. This means all remaining provisions that are not defined in Article 6(1) (AI as a safety component of a product or listed in Annex I). However, these excluded parts will come into force a year later, on 2 August 2027, so that from that point on all parts of the AI Act will apply in full (both Article 113).
Table 4: Periods of validity of the AI Act
Conclusion
In view of the very different parties affected, it quickly becomes clear, in my view, that the simple question ‘When does what apply in the AI Act now?’ at least requires the additions ‘For whom?’ and ‘For what?’.
However, I believe that the many preparatory tasks that still need to be completed at the state and union level are much more crucial. And let's not fool ourselves: designating a reporting office is one thing, but knowing what information this office expects about one's own AI system is another. And the different national sanctions and fines are likely to make it difficult for many companies to assess the risks and weigh up the costs and benefits of implementing measures.
Last but not least, the uncertainty of the future legal interpretation of the numerous, not overlap-free definitions of the AI Act remains, which will make a penny-to-penny assessment impossible. But similar to the introduction of the GDPR, only much more so with the AI Act because the regulations and requirements are much higher, now is the time to prepare despite the unclear situation.
Would you like to learn more about exciting topics from the adesso world? Then take a look at our previously published blog posts.
GenAI
From idea to implementation
GenAI will change the way we do business just as the internet and mobile business have. Companies of all sizes and in all sectors are laying the foundations for the effective use of this technology in their business today.
One of the key challenges is integrating GenAI applications into their own processes and existing IT landscape. Find out how to do this and how we can support you on our website.
Category: |
|
Tags: |
GenAI artificial intelligence Regulations |