Mark Your Calendar

 

The EU AI Act entered into force on 1 August, 2024 and this week on 2 August, 2025 a number of important provisions kicked in. Going forward August is generally an important time to note in your calendar. We have been talking about the EU AI Act for what feels like forever. A few weeks ago it looked like it might all get delayed and there was no sign of the long awaited codes of practice. They have since been released. Some of the GPAI models (think Open AI) said they’d comply with these voluntary codes. Others not so much (yes, Meta). Here are a few high level points to note and dates to remember about the most comprehensive piece of legislation AI to date.

 

The Aims

Broadly speaking, the Act aims to:

 

• Ensure safety and fundamental rights are respected when systems are developed, deployed and used in the EU market by prohibiting AI practices deemed unacceptable and placing strict compliance requirements for high-risk AI systems.

 

• Promote innovation and investment in AI in the EU by providing legal certainty and extra support for SMEs and start-ups with the establishment of regulatory sandboxes and promoting the development of codes of practice. 

 

• Build public trust in AI, so that it can be a positive addition to society when circulated in accordance with ethical standards.  

 

• Create a single EU market for AI, through harmonisation of rules across Member States in order to reduce fragmentation of the internal market so that AI systems can circulate freely with uniform compliance requirements.

 

Regulation vs. Directive

The EU AI Act is a regulation, not a directive, and forms part of the ‘acquis communitaire’.  Basically, it’s part of the accumulated body of EU law, which includes everything that EU Member States are required to comply with. It is constantly evolving. But the ‘aquis’ intends to create legal certainty and cohesion in the EU and agreement to it is a prerequisite of being a Member State. Regulations are secondary legislation. They do not form part of the EU’s foundational legal framework and are directly applicable in all member states upon entering into force. Unlike directives, they do not need to be ‘transposed’ through national legislation and member states don’t have the same freedom and discretion to implement them as they do with directives. 

 

Staggered Implementation

The EU AI Act came into force a year ago but the full and complete compliance date is still two years away. This period (known as the ‘vacatio legis’) gives regulated entities time to understand the new framework, create and publish procedures and guidelines to promote effective functioning of the new law, and prepare for the enforcement of the mandatory compliance requirements. Perhaps more importantly it also gives companies time to carry out staff training, system updates, modification of company practices and to obtain legal advice. 

 

Tick Tock

1 August, 2024 – The EU AI Act came into force. There were no immediately applicable obligations or prohibitions.

 

2 February, 2025 – Provisions for prohibition of inappropriate AI practices and AI literacy obligations became applicable. (Chapter 1; Chapter 2)

 

2 August, 2025 – Governance rules and obligations for providers of General-Purpose AI (GPAI) models become applicable. Think Open AI, Grok, and Claude. Member States are required to appoint national competent authorities. Provision of penalties for non-compliance: Chapter XII, Articles 99 and 100. (Notified bodies – Chapter III Section 4; GPIA models – Chapter V; Governance – Chapter VII; Confidentiality – Article 78; Penalties Article 99 and 100)

 

2 August, 2026 – The AI Act is fully applicable except Article 6(1). (Note: penalties for GPIA models become applicable).

 

2 August, 2027 – Article 6(1) applies and corresponding obligations in regulation, i.e., the extended transition period for high-risk systems embedded into regulated products ends.

 

The Importance of 1 & 2 of August

These dates are critical to keep in mind if you are operating in the world of AI. At first look it might not feel hugely relevant for every company, but it is worth taking note of what kicked in this weekend. First, the rules relating to the GPAI models came into force – GPAI models placed on the market before 2 August, 2025 must comply with the AI Act by 2 August, 2027. Second, you can therefore expect those companies impacted to have considered their governance structures and compliance programs. Third, those changes may in turn be passed down to users of their tools and therefore the terms which govern such use might shift. Finally, make a note of the 2 August, 2026 deadline where those who use or develop high risk systems are incentivised to put their products on the EU market before that date (and not to make any changes) to minimise enforcement. Enforcement will kick in after 2 August, 2027 and will only apply to systems put out there after 2 August, 2026.

 

What does Non-compliance mean?

The EU AI Act’s non-compliance penalties are clearly outlined within the Act in Chapter XII – Articles 99, 100 and 101. They are intended to have teeth and encourage compliance. It will be interesting to see over time the level of fines applied. OpenAI has already been fined Euros 15M in Italy for non-compliance with the data protection rules there. The fine came after an investigation determined that OpenAI trained ChatGPT “without having an adequate legal basis and violated the principle of transparency and the related information obligations towards users”. This might give us some sense of the numbers that might be involved for breaches of the AI Act. 

 

Article 99 – Covers penalties for most breaches by companies through a tiered fine system covering maximum fines for: prohibited practices, obligations related to operators or notified bodies, and the supply of incorrect, incomplete or misleading information. The penalties are structured with specified fine amounts or fines proportional to a percentage of a company’s total annual turnover (for the preceding financial year). Unless you are an SME or a startup where the lower amount applies. Member States do have some discretion in setting thresholds and other measures of enforcement. The penalties are considered to have teeth and show a commitment to strict enforcement. In some cases, they surpass the penalties for other pre-existing important EU regulations such as the GDPR. 

 

Article 100 – Covers administrative fines on EU union institutions, bodies, offices and agencies. The penalties differ depending on whether an organisation is in breach of a prohibited practice or another obligation. The European Data Protection Supervisor (EDPS), is the authority imposing the fines under Article 100. The funds collected from fines go to the general Union budget and there is a mechanism to ensure that the fines do not affect the effective operation of the entity that has been fined so there is no undue disruption of public services.

 

Article 101 – Covers providers of General-Purpose AI Models (GPAI).. Again the maximum fine for non compliance can be a percentage of annual turnover. Non compliance can take the form of: infringing the Act’s provisions, failing to comply with a request for information, failing to comply with requested measures, or failing to give the Commission access to the model itself. Interestingly, the CJEU can review the Commission’s decisions on fines.