The AI Act is Live: What’s Next?

Written by Aušra Mažutavičienė on August 16, 2024

1. The AI Act is Here!

The EU Artificial Intelligence Act (AI Act) officially took effect on August 1, with a phased rollout. On the same day, the EU AI Office launched the AI Pact, urging early voluntary compliance. The AI Pact is optional. It offers collaboration with the Commission and support to meet the requirements and obligations of the AI Act. To enrol your company in the AI Pact initiative, please click here.

What’s Next?

The AI Act will be fully in effect by August 2, 2026. These are the key milestones to be aware of:

February 2, 2025: Ban on AI systems with unacceptable risk goes into effect.

August 2, 2025:

  • Compliance obligations for general-purpose AI providers.
  • Appointment of national regulatory authorities.
  • Annual review of prohibited AI systems.

February 2, 2026: Introduction of post-market monitoring requirements.

August 2, 2026:

  • Rules for high-risk AI systems in critical sectors (e.g., biometrics, infrastructure, education, law enforcement).
  • Implementation of penalties and regulatory sandboxes.
  • Review and possible amendment of the high-risk AI list.

August 2, 2027: Compliance for high-risk AI systems used as safety components or requiring third-party assessments.

By the end of 2030: Compliance for AI systems in large-scale EU IT infrastructures, such as the Schengen Information System.

Does the AI Act apply to me?

The AI Act applies to all operators in the AI value chain, including:

  • Providers
  • Deployers
  • Importers
  • Distributors
  • Product manufacturers
  • Authorised representatives

It also covers individuals in the EU affected by AI systems, from the perspective of having and exercising rights under the law.

When evaluating your organisation’s role under the AI Act, keep in mind:

  • An operator can have multiple roles (e.g., provider and deployer) and must meet all related obligations.
  • Multiple entities can share the same role (e.g., two providers for one AI system).
  • Roles are determined by actual activities, not just contractual terms.

AI Act Exemptions:

The AI Act will apply to both public and private entities within and outside the EU, provided the AI system is marketed in the Union or affects individuals within the EU. However, there are certain exemptions to the regulation:

  • Free and Open-Source AI: Exempt to foster innovation, with exceptions for high-risk and prohibited systems, and certain transparency requirements.
  • Scientific Research: AI systems used solely for scientific research and development are not covered.
  • Military and Security: AI systems for military, defence, or national security purposes are excluded.
  • Personal Use: Individuals using AI systems for personal, non-professional activities are not regulated.

Why does it matter?

Like the GDPR, the AI Act has a broad reach and it affects operators inside and outside the EU. There are significant fines for non-compliance. As it’s likely to become the global standard for AI regulation, understanding its requirements early is crucial for all organisations.

2. Free data flows to Japan

As of July 1, 2024, the EU-Japan data transfer agreement is officially in effect. This agreement designates Japan as a “safe” country for data transfers, meaning that businesses can now transfer personal data between the EU and Japan without needing additional safeguards.

This development aims to simplify and enhance trade relations. For more details, click here.

3. Increased Focus on Children’s Online Privacy

There is a growing global emphasis on protecting children’s online safety:

  • UK: The Information Commissioner’s Office (ICO) has issued warnings to social media platforms about insufficient privacy safeguards for children. This includes concerns over default privacy settings, geolocation, and age verification practices.
  • EU: The European Commission is working on comprehensive guidelines for children’s online safety as part of the Digital Services Act. These guidelines are expected to be finalised in early 2025.
  • US: The Kids Online Safety and Privacy Act (COPPA 2.0) has successfully passed the Senate, with a focus on enhancing privacy protections for children and improving safety on digital platforms. At the same time, the US Department of Justice has filed a lawsuit against TikTok, alleging violations of the existing COPPA regulations.

These initiatives mark a significant step towards creating a safer online environment for children. It’s about time!