EU AI Act published today - enters into force 1st August

The EU AI Act was published in the Official Journal today and will enter into force 20 days later, on 1^st August. While it will still be some time before some of the more substantive rules apply (most of the Act will not take effect for another two years, with some rules having an even longer lead time), the rules prohibiting certain AI practices will apply from early next year (after six months). 

By way of reminder the EU AI Act:

• is cross-sectoral, applying to a wide range of AI use (subject to certain exceptions – military and R&D use being two examples);
• takes a risk-based approach. AI is either: (i) prohibited; (ii) high-risk (which is heavily regulated, albeit with some longer transition periods); (iii) has additional transparency requirements (sometimes called limited risk); or (iv) has minimal risk with very few (if any) new rules. One AI system may trigger more than one category (for example, you could have a high-risk AI system which also has additional transparency obligations);
• contains specific rules for general purpose AI (or GPAI) models and systems – these would include models like those used by ChatGPT;
• applies to different actors in the AI supply chain – from providers (developers) and deployers (users) to importers, distributors and certain manufacturers;
• has wide extra-territorial reach – it will cover many developers and users based outside the EU;
• includes some pro-innovation measures, including a requirement for sandboxes and provisions for SMEs; 
• imposes high fines – the highest being the higher of €35m or 7% of worldwide annual turnover; and
• is a Regulation – meaning it is directly effective across all Member States. Some enforcement will take place at national level and some (for example, in relation to GPAI’s) at EU level through the AI Office.

As mentioned in my previous blog and our new article, now is therefore the time to check if you are in scope. 

If you are, you should then determine what risk category your AI falls into and what role you play within the AI supply chain (e.g are you a provider or deployer). This will all determine the particular obligations you will face.  

It is also the time to check that you have appropriate AI governance in place, both for your compliance with the Act and for your AI use more generally. 

For more information on the key provisions of the Act, see our article. We have partnered with Cravath, Swaine & Moore LLP to produce an overview of the EU AI Act together with practical steps organisations can take now to comply and a comparison of the EU approach to AI regulation in the Act with the approaches taken by the UK and US.