EU AI Act Is Now Adopted
On May 21, 2024, the Council of the European Union (the Council) formally signed off on the latest draft of the European Union’s (EU) Artificial Intelligence Act (AI Act) (see the press release here). This marks the final seal of approval from the EU legislators. The text will officially become law once it is signed by Presidents of the European Parliament and of the Council and published in the Official Journal of the EU. This could take place within the next two to four weeks. However, the law will have phased effective dates, with the first obligations (i.e., the rules on prohibited AI systems) becoming effective at the end of this year.
Once the AI Act starts to apply, it will introduce a swathe of new obligations for companies providing, distributing, importing, and using AI systems and general-purpose AI (GPAI) models in the EU, subject to hefty fines of up to EUR 35 million or seven percent of the total worldwide annual turnover, whichever is higher.
What Will Happen Once the AI Act Enters into Force?
The requirements of the AI Act will start to apply in phases, counting from the date in which the AI Act enters into force (i.e., 20 days following publication in the EU Official Journal):
- After six months, likely before the end of 2024, certain applications of AI (e.g., AI systems that exploit individuals’ vulnerabilities, untargeted scraping of facial images from the internet or CCTV footage to create facial recognition databases) will be prohibited in the EU.
- After one year, likely in Q2 2025, requirements in relation to general-purpose AI (GPAI) models will take effect.
- After two years, likely in Q2 2026, most of the rules for high-risk AI systems and AI systems with specific transparency risk will start to apply.
- Limited rules on high-risk AI systems will apply after three years.
There will be an additional grace period for AI systems and GPAI models that are already on the market at the time the relevant requirements take effect. GPAI models that fall in this category will have an additional two years to comply (i.e., providers of GPAI models placed on the market before Q2 2025 will likely need to comply by Q2 2027).
Operators of high-risk AI systems that are offered in the EU before the relevant requirements start to apply (i.e., before Q2 2026) will only need to comply with the AI Act in the event of a significant design change (e.g., changes in the AI system’s intended purpose).
As an exception to this, if the high-risk AI system offered in the EU is intended to be used by public authorities, the providers and deployers will need to comply with the rules within six years of the entry into force of the AI Act (i.e., around Q2 2030), regardless of whether there has been a significant design change or not.
For more information about the scope and requirements in the AI Act, please see our FAQ on 10 Things You Should Know About the EU AI Act.
What Should Companies Be Doing Now?
Companies should start conducting initial assessments to determine whether they are subject to the AI Act. Companies that may fall within scope of the AI Act should begin thinking about complying with the requirements in the AI Act, such as by drafting an AI governance policy and assigning roles and responsibilities internally.
Now is also a good time to prepare for the new obligations for GPAI model providers, which will start to apply in Q2 2025. In particular, providers will need to publish a summary of the content used for training their GPAI model. Providers should monitor the activities of the new EU AI Office, which will issue a template that will guide the disclosures that providers will need to make.
The European Commission has launched an AI Pact to assist companies with their implementation of the AI Act measures. The activities are organized around creating a network to encourage participants to exchange best practices and practical information, and also to specifically support providers and deployers of AI to comply with the relevant requirements.
For more information, or if you have any questions regarding the AI Act, please contact Laura De Boel, Cédric Burton, Yann Padova, or Nikolaos Theodorakis from Wilson Sonsini’s privacy and cybersecurity practice.
Wilson Sonsini’s AI Working Group assists clients with AI-related matters. Please contact Laura De Boel, Maneesha Mithal, Manja Sachet, or Scott McKinney for more information.
Rossana Fol, Roberto Yunquera Sehwani, Marie Catherine Ducharme, and Hattie Watson contributed to the preparation of this client alert.