Introduction to Resource Center
This page provides an overview of the IAPP's Resource Center offerings.

Contact Resource Center
For any Resource Center related inquiries, please reach out to resourcecenter@iapp.org.

queue Save This


EU AI Act: Next Steps for Implementation

Joe Jones

Joe Jones

Last Updated: January 2024View Infographic (PDF)

Following a marathon of negotiations, the European Parliament, Commission and Council reached a political agreement on the EU Artificial Intelligence Act 8 Dec. 2023. Representatives from EU member states voted unanimously in favor of the draft AI Act, paving the way for the final steps in the approval process. Once in force, it will likely be the world's first comprehensive regulation of AI.

While the AI Act will enter into force 20 days after its publication in the Official Journal of the EU, the act’s latest draft indicates a phased approach to the implementation and enforcement.

This resource shows some of the most important dates and milestones for the future implementation of the AI Act. It will be updated to include specific dates once the act is published in the Official Journal of the EU.

Navigate timeline:
Key dates, Further rulemaking and guidance

Key Dates

View as Infographic

Entry into force

20 days after publication in the official journal of the EU.

Entry into application

24 months after entry into force, except for some specific provisions.

• The Commission plans to launch an AI Pact, which will commit AI developers on a voluntary basis to implementing key obligations of the AI Act prior to entry into application.

★ 6 Months After

Six months after entry into force

• Prohibitions on unacceptable risk AI.

★ 12 Months After

12 months after entry into force

• Obligations on providers of general purpose AI models go into effect.

• Appointment of member state competent authorities.

• Annual Commission review of, and possible amendments to, the list of prohibited AI.

★ 18 Months After

18 months after entry into force

• Commission implementing act on post-market monitoring.

★ 24 Months After

24 months after entry into force

• Obligations on high-risk AI systems specifically listed in Annex III, which includes AI systems in biometrics, critical infrastructure, education, employment, access to essential public services, law enforcement, immigration and administration of justice.

• Member states to have implemented rules on penalties, including administrative fines.

• Member state authorities to have established at least one operational AI regulatory sandbox.

• Commission review, and possible amendment of, the list of high-risk AI systems.

★ 36 Months After

36 months after entry into force

• Obligations for high-risk AI systems that are not prescribed in Annex III but are intended to be used as a safety component of a product, or the AI is itself a product, and the product is required to undergo a third-party conformity assessment under existing specific EU laws, for example toys, radio equipment, in vitro diagnostic medical devices, civil aviation security and agricultural vehicles.

★ By The End of 2030

• Obligations go into effect for certain AI systems that are components of the large-scale IT systems established by EU law in the areas of freedom, security and justice, such as the Schengen Information System.

Further rulemaking and guidance

View as Infographic

Further rulemaking

• The Commission can issue delegated acts on:

  • Definition of AI system.
  • Criteria and use cases for "high-risk" AI.
  • Thresholds for general purpose AI models with systemic risk.
  • Technical documentation requirements for general purpose AI.
  • Conformity assessments.
  • EU declaration of conformity.

• The Commission's power to issue delegated acts lasts for an initial and extendable period of five years.

• The AI Office is to draw up codes of practice to cover, but not necessarily limited to, obligations for providers of general purpose AI models. Codes of practice should be ready nine months after entry into force at the latest and should provide at least a three-month period before taking effect.

Guidance

• The Commission can issue guidance on:

  • High-risk AI incident reporting: by 12 months after entry into force.
  • Practical implementation of high-risk AI requirements, with list of practical examples of high-risk and non-high-risk use cases: by 18 months after entry into force.
  • Prohibited AI practices: "when deemed necessary."
  • Application of the definition of an AI system: "when deemed necessary."
  • Requirements for high-risk AI systems: "when deemed necessary."
  • Practical implementation of transparency obligations: "when deemed necessary."
  • Relationship of the AI Act and its enforcement with other EU law: "when deemed necessary."

• Commission report on its delegated powers: no later than nine months before five years after entry into force.

View as Infographic
Tags: Big Data, Infosecurity, Privacy Law, Privacy Operations Management, Privacy Research, Security Operations Management, Westin Research Center
Related Stories
Artificial Intelligence
This topic page contains a curation of the IAPP's coverage, analysis and relevant resources covering artificial intelligence....
EU Data Act: 101
This chart provides an overview of the EU Data Act. The Data Act creates new rules on who can access and use data generated in the EU across all economic sectors....
Read More queue Save This