AI Act Implementation: Timelines & Next steps

28 Feb, 2024

In this article we provide an outline of the key dates relevant to the implementation of the AI Act. We also list some secondary legislation that the Commission might add to supplement the AI Act, and some guidelines it may publish to support compliance efforts.

Compliance deadlines

This timeline was correct at the time of writing, but is now out of date – for an up-to-date timeline see this page.

By 6 months after entry into force:

By 9 months after entry into force:

  • Codes of practice for General Purpose AI (GPAI) must be finalised. (Article 113)

By 12 months after entry into force:

  • GPAI rules apply. (Article 113)
  • Appointment of Member State competent authorities. (Article 70)
  • Annual Commission review and possible amendments on prohibitions. (Article 112)

By 18 months after entry into force:

  • Commission issues implementing acts creating a template for high risk AI providers’ post-market monitoring plan. (Article 6)

By 24 months after entry into force:

  • Obligations on high-risk AI systems specifically listed in Annex III, which includes AI systems in biometrics, critical infrastructure, education, employment, access to essential public services, law enforcement, immigration and administration of justice now apply. (Article 111)
  • Member states to have implemented rules on penalties, including administrative fines. (Article 57)
  • Member state authorities to have established at least one operational AI regulatory sandbox. (Article 57)
  • Commission review, and possible amendment of, the list of high-risk AI systems. (Article 112)

By 36 months after entry into force:

  • Obligations on Annex I high risk AI systems apply. (Article 113)
  • Obligations for high-risk AI systems that are not prescribed in Annex III but are intended to be used as a safety component of a product, or the AI is itself a product, and the product is required to undergo a third-party conformity assessment under existing specific EU laws, for example toys, radio equipment, in vitro diagnostic medical devices, civil aviation security and agricultural vehicles. (Article 113)

By the end of 2030:

  • Obligations go into effect for certain AI systems that are components of the large-scale IT systems established by EU law in the areas of freedom, security and justice, such as the Schengen Information System. (Article 111)

Secondary legislation

The Commission can introduce delegated acts on:

  • Definition of AI system. (Article 96)
  • Criteria that exempt AI systems from high risk rules. (Article 6)
  • High risk AI use cases. (Article 7)
  • Thresholds classifying General Purpose AI models as systemic. (Article 51)
  • Technical documentation requirements for high risk AI systems and GPAI. (Article 11)
  • Conformity assessments. (Article 43)
  • EU declaration of conformity. (Article 47)

The Commission’s power to issue delegated acts lasts for an initial and extendable period of five years. (Article 97)

The AI Office is to draw up codes of practice to cover, but not necessarily limited to, obligations for providers of general purpose AI models. Codes of practice should be ready nine months after entry into force at the latest and should provide at least a three-month period before taking effect. (Article 97)

The Commission can introduce implementing acts on:

  • Approving codes of practice for GPAI and generative AI watermarking. (Article 56)
  • Establishing the scientific panel of independent experts. (Article 68)
  • Conditions for AI Office evaluations of GPAI compliance. (Article 92)
  • Operational rules for AI regulatory sandboxes. (Article 57)
  • Information in real world testing plans. (Article 60)
  • Common specifications (where standards do not cover rules). (Article 41)

Commission guidelines

The Commission can provide guidance on:

  • By 12 months after entry into force: High risk AI serious incident reporting. (Article 73)
  • By 18 months after entry into force: Practical guidance on determining if an AI system is high risk, with list of practical examples of high-risk and non-high risk use cases. (Article 6)
  • With no specific timeline, the Commission will provide guidelines on: (Article 96)
    • The application of the definition of an AI system.
    • High risk AI provider requirements.
    • Prohibitions.
    • Substantial modifications.
    • Transparency disclosures to end-users.
    • Detailed information on the relationship between the AI Act and other EU laws.

The Commission is to report on its delegated powers no later than nine months and before five years after entry into force. (Article 112)

This post was published on 28 Feb, 2024

Related articles

The AI Act: Responsibilities of the European Commission (AI Office)

If you are unsure who is implementing and enforcing the new digital law and what the specific time frames are, you might find this post—and our post on the responsibilities of the EU Member States—very helpful. The tables below provide a comprehensive list of all...

The AI Act: Responsibilities of the EU Member States

If you are unsure who is implementing and enforcing the EU AI Act and what the specific time frames are, you might find this post—and our post on the responsibilities of the European Commission (AI Office)—very helpful. The tables below provide you with a...

An introduction to Codes of Practice for the AI Act

Updated: 21 August 2024. This blog post will be updated as new information becomes available. As AI Act implementation gets underway, it is important to understand the different mechanisms of enforcement included in the regulation. This summary, detailing the Code of...

Why work at the EU AI Office?

It’s probably not for everyone, but there are a lot of great reasons to consider, including the potential to have an impact on AI governance worldwide, leveraging the first-mover advantage, and more.