AI Act Implementation: Timelines & Next steps

28 Feb, 2024

In this article we provide an outline of the key dates relevant to the implementation of the AI Act. We also list some secondary legislation that the Commission might add to supplement the AI Act, and some guidelines it may publish to support compliance efforts.

Compliance deadlines

This timeline was correct at the time of writing, but is now out of date – for an up-to-date timeline see this page.

By 6 months after entry into force:

By 9 months after entry into force:

  • Codes of practice for General Purpose AI (GPAI) must be finalised. (Article 113)

By 12 months after entry into force:

  • GPAI rules apply. (Article 113)
  • Appointment of Member State competent authorities. (Article 70)
  • Annual Commission review and possible amendments on prohibitions. (Article 112)

By 18 months after entry into force:

  • Commission issues implementing acts creating a template for high risk AI providers’ post-market monitoring plan. (Article 6)

By 24 months after entry into force:

  • Obligations on high-risk AI systems specifically listed in Annex III, which includes AI systems in biometrics, critical infrastructure, education, employment, access to essential public services, law enforcement, immigration and administration of justice now apply. (Article 111)
  • Member states to have implemented rules on penalties, including administrative fines. (Article 57)
  • Member state authorities to have established at least one operational AI regulatory sandbox. (Article 57)
  • Commission review, and possible amendment of, the list of high-risk AI systems. (Article 112)

By 36 months after entry into force:

  • Obligations on Annex I high risk AI systems apply. (Article 113)
  • Obligations for high-risk AI systems that are not prescribed in Annex III but are intended to be used as a safety component of a product, or the AI is itself a product, and the product is required to undergo a third-party conformity assessment under existing specific EU laws, for example toys, radio equipment, in vitro diagnostic medical devices, civil aviation security and agricultural vehicles. (Article 113)

By the end of 2030:

  • Obligations go into effect for certain AI systems that are components of the large-scale IT systems established by EU law in the areas of freedom, security and justice, such as the Schengen Information System. (Article 111)

Secondary legislation

The Commission can introduce delegated acts on:

  • Definition of AI system. (Article 96)
  • Criteria that exempt AI systems from high risk rules. (Article 6)
  • High risk AI use cases. (Article 7)
  • Thresholds classifying General Purpose AI models as systemic. (Article 51)
  • Technical documentation requirements for high risk AI systems and GPAI. (Article 11)
  • Conformity assessments. (Article 43)
  • EU declaration of conformity. (Article 47)

The Commission’s power to issue delegated acts lasts for an initial and extendable period of five years. (Article 97)

The AI Office is to draw up codes of practice to cover, but not necessarily limited to, obligations for providers of general purpose AI models. Codes of practice should be ready nine months after entry into force at the latest and should provide at least a three-month period before taking effect. (Article 97)

The Commission can introduce implementing acts on:

  • Approving codes of practice for GPAI and generative AI watermarking. (Article 56)
  • Establishing the scientific panel of independent experts. (Article 68)
  • Conditions for AI Office evaluations of GPAI compliance. (Article 92)
  • Operational rules for AI regulatory sandboxes. (Article 57)
  • Information in real world testing plans. (Article 60)
  • Common specifications (where standards do not cover rules). (Article 41)

Commission guidelines

The Commission can provide guidance on:

  • By 12 months after entry into force: High risk AI serious incident reporting. (Article 73)
  • By 18 months after entry into force: Practical guidance on determining if an AI system is high risk, with list of practical examples of high-risk and non-high risk use cases. (Article 6)
  • With no specific timeline, the Commission will provide guidelines on: (Article 96)
    • The application of the definition of an AI system.
    • High risk AI provider requirements.
    • Prohibitions.
    • Substantial modifications.
    • Transparency disclosures to end-users.
    • Detailed information on the relationship between the AI Act and other EU laws.

The Commission is to report on its delegated powers no later than nine months and before five years after entry into force. (Article 112)

This post was published on 28 Feb, 2024

Related articles

An introduction to Codes of Practice for the AI Act

As AI Act implementation gets underway, it is important to lift the veil on different mechanisms of enforcement included in the regulation. This summary, detailing the Codes of Practice for General Purpose AI model providers, was put together by Jimmy Farrell, EU AI...

Why work at the EU AI Office?

It’s probably not for everyone, but there are a lot of great reasons to consider, including the potential to have an impact on AI governance worldwide, leveraging the first-mover advantage, and more.

The AI Office is hiring

The European Commission is recruiting contract agents who are AI technology specialists to govern the most cutting-edge AI models.  Deadline to apply is 12:00 CET on 27 March (application form).  Role This is an opportunity to work in a team within the...

The AI Office: What is it, and how does it work?

In this overview, we offer a summary of the key elements of the AI Office relevant for those interested in AI governance. We’ve highlighted the responsibilities of the AI Office, its role within the European Commission, its relationship with the AI Board, its national...