AI Act Implementation: Timelines & Next steps

28 Feb, 2024

In this article we provide an outline of the key dates relevant to the implementation of the AI Act. We also list some secondary legislation that the Commission might add to supplement the AI Act, and some guidelines it may publish to support compliance efforts.

The International Association of Privacy Professionals has produced an infographic of this information.

Compliance deadlines

By 6 months after entry into force:
  • Prohibitions on unacceptable risk AI. (Article 85)
By 9 months after entry into force:
  • Codes of practice for General Purpose AI (GPAI) must be finalised. (Article 85)
By 12 months after entry into force:
  • GPAI rules apply. (Article 85)
  • Appointment of Member State competent authorities. (Article 59)
  • Annual Commission review and possible amendments on prohibitions. (Article 84)
By 18 months after entry into force:
  • Commission issues implementing acts creating a template for high risk AI providers’ post-market monitoring plan. (Article 6)
By 24 months after entry into force:
  • Obligations on high-risk AI systems specifically listed in Annex III, which includes AI systems in biometrics, critical infrastructure, education, employment, access to essential public services, law enforcement, immigration and administration of justice now apply. (Article 83)
  • Member states to have implemented rules on penalties, including administrative fines. (Article 53)
  • Member state authorities to have established at least one operational AI regulatory sandbox. (Article 53)
  • Commission review, and possible amendment of, the list of high-risk AI systems. (Article 84)
By 36 months after entry into force:
  • Obligations on Annex II high risk AI systems apply. (Article 85)
  • Obligations for high-risk AI systems that are not prescribed in Annex III but are intended to be used as a safety component of a product, or the AI is itself a product, and the product is required to undergo a third-party conformity assessment under existing specific EU laws, for example toys, radio equipment, in vitro diagnostic medical devices, civil aviation security and agricultural vehicles. (Article 85)
By the end of 2030:
  • Obligations go into effect for certain AI systems that are components of the large-scale IT systems established by EU law in the areas of freedom, security and justice, such as the Schengen Information System. (Article 83)

Secondary legislation

The Commission can introduce delegated acts on:
  • Definition of AI system. (Article 82a)
  • Criteria that exempt AI systems from high risk rules. (Article 6)
  • High risk AI use cases. (Article 7)
  • Thresholds classifying General Purpose AI models as systemic. (Article 52a)
  • Technical documentation requirements for high risk AI systems and GPAI. (Article 11)
  • Conformity assessments. (Article 43)
  • EU declaration of conformity. (Article 48)

The Commission’s power to issue delegated acts lasts for an initial and extendable period of five years. (Article 73)

The AI Office is to draw up codes of practice to cover, but not necessarily limited to, obligations for providers of general purpose AI models. Codes of practice should be ready nine months after entry into force at the latest and should provide at least a three-month period before taking effect. (Article 73)

The Commission can introduce implementing acts on:
  • Approving codes of practice for GPAI and generative AI watermarking. (Article 52e)
  • Establishing the scientific panel of independent experts. (Article 58b)
  • Conditions for AI Office evaluations of GPAI compliance. (Article 68j)
  • Operational rules for AI regulatory sandboxes. (Article 53)
  • Information in real world testing plans. (Article 54a)
  • Common specifications (where standards do not cover rules). (Article 41)

Commission guidelines

The Commission can provide guidance on:
  • By 12 months after entry into force: High risk AI serious incident reporting. (Article 62)
  • By 18 months after entry into force: Practical guidance on determining if an AI system is high risk, with list of practical examples of high-risk and non-high risk use cases. (Article 6)
  • With no specific timeline, the Commission will provide guidelines on: (Article 82a)
    • The application of the definition of an AI system.
    • High risk AI provider requirements.
    • Prohibitions.
    • Substantial modifications.
    • Transparency disclosures to end-users.
    • Detailed information on the relationship between the AI Act and other EU laws.

The Commission is to report on its delegated powers no later than nine months and before five years after entry into force. (Article 84)

This post was published on 28 Feb, 2024

Related articles

The AI Office is hiring

The European Commission is recruiting contract agents who are AI technology specialists to govern the most cutting-edge AI models.  Deadline to apply is 12:00 CET on 27 March (application form).  Role This is an opportunity to work in a team within the...

The AI Office: What is it, and how does it work?

In this overview, we offer a summary of the key elements of the AI Office relevant for those interested in AI governance. We’ve highlighted the responsibilities of the AI Office, its role within the European Commission, its relationship with the AI Board, its national...