The EU AI Act: Compliance Timeline for Existing AI Systems and General Purpose AI Models

5 minute read | July.12.2024

This insight is part of our EU AI Act Series. Click here to view additional updates.

What’s Happening?

The European AI Act has been formally adopted and the countdown to the start of enforcement has begun. The AI Act sets out general principles regarding when its provisions become effective. Still, there are some nuances, particularly relating to pre-existing high risk AI systems and general purpose AI models (GPAIM).

This update sets out the key timeframes that operators of AI systems and GPAIM providers should keep in mind when assessing the impact of the AI Act on their operations, including about existing AI systems and models.

Key Dates: General Position

August 1, 2024: The AI Act enters into force after its publication in the Official Journal of the European Union (the “EIF Date” -- see Article 113 of the AI Act).
August 1, 2026: Many of the law’s obligations kick in on this date (the “Application Date”) including those relating to high risk AI systems (Chapter III of the AI Act).

Key Dates: In More Detail

Exceptions to the General Position set out above:

February 2025: Six months from the EIF Date, the AI Act’s General Provisions take effect (e.g., scope, definitions – Chapter I). So do rules regarding prohibited AI systems (Chapter II, Article 5).
May 2025: Codes of Practice called for under the AI Act should be ready (nine months from EIF Date).
August 2025: 12 months from EIF Date, the following obligations take effect:
- Provisions relating to GPAIMs (Chapter V, Articles 50-56). Note: Article 101 (Penalties), which relates to fines for GPAIMs, will not take effect on this date.
- The designation by Member States of their notifying bodies and the notification procedure (Chapter III, Section 4, Articles 28 – 39).
- Governance (e.g., oversight, implementation) at the European and Member State level (Chapter VII, Articles 64 – 70).
- Penalties (Chapter XII, Articles 99 & 100).
- Obligation of confidentiality applicable to all legal and natural persons involved in the application of the AI Act (Article 78).
- These provisions are subject to further specific exceptions as described.
August 2027: Provisions take effect relating to high risk AI systems covered by Article 6(1) of the AI Act. Namely, AI systems that are safety components of, or are themselves covered by the product safely legislation listed in Annex I.

Pre-Existing High Risk AI Systems and GPAIMs

European legislators want to avoid market disruption and provide legal certainty to operators of AI systems and GPAIM providers. The AI Act therefore grants an exemption from the AI Act or additional time to comply for operators of certain AI systems and GPAIMs on the market by a given date.

How these different rules and timeframes interact will pose governance challenges for companies. Nonetheless, the deadlines – which do not concern prohibited AI systems – are as follows:

High risk AI systems: Operators (this includes providers, deployers, importers and distributors) of high risk AI systems that have been placed on the market or put into service by August 2026 (the Application Date) only have to comply with the AI Act if the systems are subject to “significant changes in their designs” after that date.
- Recital 177 elaborates on this provision and refers to “significant changes in [the system’s] design or intended purpose.” It states that “the concept of significant change should be understood as equivalent in substance to the notion of substantial modification, which is used with regard only to high risk AI systems pursuant to this Regulation.”
- This would seem to be something of a ‘get out of jail free’ card for certain high risk AI systems. However, operators should approach this provision with caution, given that it is conditioned on the absence of significant changes to those high risk AI systems after the Application Date – and the meaning of this “significant change” will require further clarification.
- If an AI system is substantially modified following the Application Date, the provider will have to comply with the provisions of the AI Act from the date the modified system is placed on the market or put into service – there will not be a further two-year compliance grace period.
- Operators, especially providers, will need to be vigilant regarding their product road maps and carefully evaluate the potential legal consequences of planned changes to AI systems before implementing these.
- Deployers, importers and distributors will also need to ensure they are kept informed of such changes and that their contracts account for resulting impacts.
High risk AI systems intended to be used by public authorities: Providers and deployers of such systems shall take the necessary steps to comply with the AI Act by August 2030, six years after the AI Act entered into force.
- Although this requirement is set out in the article dealing with pre-existing AI systems, the draft does not mention the pre-existing requirement for this timeframe, but rather states that the deadline applies “in any case.”
- Whether an AI system needs to be exclusively intended for use by public authorities for this provision to apply is not yet clear.
GPAIMs: Providers of a GPAIM placed on the market before August 2, 2025, have until August 2, 2027, to comply with their obligations under the Act.
- For instance, if a GPAIM is placed on the market on January 1, 2025, which is within 12 months from when the AI Act entered into force, the provider has until August 2, 2027, to comply with the AI Act in relation to that GPAIM (less than 36 months).
- However, if a provider plans to place a GPAIM on the market on August 3, 2025, the provider must place the GPAIM on the market in compliance with the relevant provisions of the AI Act.
- The deadlines mean product development, legal and compliance teams should plan carefully and closely coordinate.
Large-scale IT systems: AI systems that are components of large-scale IT systems established by the legislation listed in Annex X of the AI Act that have been placed on the market or put into service before August 2027 must be brought into compliance with the AI Act by December 31, 2030. Annex X identifies certain IT systems relating to the Schengen Information System.

If you have questions about the EU AI Act, reach out to the authors (Julia Apostle and Rami Kawkabani) or other members of Orrick’s AI team.

Authors

Julia Apostle Partner, Technology Transactions, Cyber, Privacy & Data Innovation

Paris

See my bio

D:+33153537500
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Transactions
Cyber, Privacy & Data Innovation
Technology & Innovation

vCard

See full bio

Julia Apostle Partner

Paris

Julia counsels on compliance issues in relation to European and French tech and data regulations, including the GDPR, the Digital Services Act, the regulation of AI, the Data Act and other new and emerging legislation impacting online platforms, technology developers, and eCommerce businesses. She advises companies of all sizes on a wide range of compliance matters, ranging the drafting of internal policies, to assisting with regulatory investigations, and product counseling.

In the context of strategic transactions covering significant and complex technological issues, she is involved in the drafting and negotiation of agreements relating to data transfer, IT, software, content and brand licensing.

Qualified to practice in the UK and France, Julia is deeply familiar with the commercial considerations’ clients face, having practiced in-house at Twitter, Financial Times and CBS for more than a decade prior to joining Orrick.

Rami Kawkabani Senior Associate, Technology & Innovation, Technology Transactions

Paris

See my bio

D:+33 1 5353 8157
E: [email protected]

Practice:

Technology & Innovation Sector
Technology & Innovation
Technology Transactions
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Rami Kawkabani Senior Associate

Paris

Rami advises clients in drafting and negotiating their contractual terms and in the context of strategic transactions covering significant and complex technological issues including in terms of liability and intellectual property.

He also regularly advises clients on compliance with tech and data European and French regulations (Digital Services Act, RGPD, Data Act, LCEN) and in the context of their commercial practices towards consumers.

Rami has spent time in-house with major tech companies, and is able to quickly understand his client’s requirements and priorities.