Matias Näveri reviews the EU AI Act, detailing its timeline, requirements, and implications for AI-powered companies. The post provides actionable insights for organizations facing impending regulatory change.

EU AI Act Timer is Ticking: Are You Prepared?

By Matias Näveri

Published: 17.09.2024

Introduction

With the formalization of the EU AI Act in March 2024—the first comprehensive legal framework for artificial intelligence—the landscape for AI solutions within Europe is set for transformation. This article by Matias Näveri examines the content and implications of the regulation, highlighting what organizations need to consider in their AI journey as the compliance timeline moves forward.

Timeline of the EU AI Act

A brief overview of milestones:

  • 2018 Dec: Coordinated Plan for AI started
  • 2021 Apr: Proposed AI Act
  • 2022 Nov: Chat-GPT launched
  • 2023 Dec: Political Agreement
  • 2024 Jan: AI innovation package for startups and SMEs
  • 2024 Mar: EU AI Act finalized
  • 2024 Aug: EU AI Act Journal published and enforced

Supporting Innovation While Mitigating Harm

The EU AI Act aims to foster innovation while addressing the risks of AI. The AI Innovation Package was launched to support startups and SMEs, accounting for 99% of businesses, with €4 billion invested until 2027. This package focuses on the rise of General Purpose AI (GPAI), encompassing solutions like Chat-GPT, Google Gemini, and DALL-E.

GPAI covers image and speech recognition, content generation, pattern detection, question answering, translations, and related areas.

Europe is advancing the concept of AI Factories: giving businesses access to supercomputing resources and launching Common European Data Spaces for model development and training.

EU as a Single Data Market

The EU is working toward a unified data market, as projected by the 2025 EU Data Act:

  • 530% increase in global data volume
  • €829 billion value of the EU data economy
  • 10.9 million data professionals in the EU
  • 65% of EU population with basic digital skills

Supporting Regulations

  • DGA (Data Governance Act): Fosters data sharing in a trusted, secure way.
  • GDPR (General Data Protection Regulation): Protects personal data.

Simplified objectives:

  • Free flow of data within the EU and across sectors
  • Strict adherence to privacy, data protection, and competition law
  • Clear, fair rules for data use and access
  • Investing in modern infrastructure and cloud capabilities
  • Sector-specific, interoperable data spaces

Why Regulate AI?

AI systems often work as opaque black boxes. Transparency issues can make it hard to determine whether outcomes (such as hiring decisions) are fair. While most AI applications pose minimal risks, others can have significant negative societal consequences, requiring specialized regulation.

“The AI Act ensures that Europeans can trust what AI has to offer.”

Four Levels of Risk under the EU AI Act

Risk Level Example & Obligation
Unacceptable Banned systems (e.g., “social scoring”)
High Risk AI for recruitment, medical applications—requires strict risk mitigation, high data quality, human oversight, and transparency
Limited/Specific Chatbots, AI-generated content—must inform users and label content
Minimal Spam filters, AI-enabled games—no direct obligations but voluntary codes encouraged

Reference: AI Act Explorer

Yes, both are regulated:

  • Copyright: Model providers must respect copyright law in training data (source).
  • Environment: High-risk AI systems must report on energy consumption and resources used throughout their lifecycle.

Compliance Timeline and Best Practices

  • Prohibition of unacceptable risks: ~February 2025 (6 months after publication)
  • Finalized Code of Practice for GPAI models: by April 2025
  • Governance and obligations for GPAI: ~August 2025 (12 months)
  • Obligations for high-risk AI systems: ~August 2027 (36 months)

Early adopters can participate in the AI Pact or internally adopt regulation-minded practices.

The Practical Path for High-Risk AI Providers

Stepwise Development Process

  1. Development: AI system is developed.
  2. Assessment: Undergo conformity assessment and comply with requirements.
  3. Registration: Register stand-alone AI systems in an EU database.
  4. Conformity Declaration: Declare compliance; AI system receives CE marking for market entry.
    • If substantial changes are made, re-assess compliance.

Roles and Responsibilities: Provider vs. Deployer

  • Provider: Ensures system safety and compliance pre-market.
  • Deployer: Ensures correct and safe application in specific contexts.
  • Entities may be both provider and deployer, depending on deployment model and contractual arrangements.

See detailed guidance: KPMG AI Act Overview and Mishcon Provider/Deployer Roles

Penalties for Non-Compliance

  • Prohibited practices/non-compliance: Up to €35 million or 7% of global annual turnover
  • Other requirements breaches: Up to €15 million or 3%
  • Incorrect/misleading information: Up to €7.5 million or 1.5%

Enforcement: The European AI Office

Established in February 2024, the European AI Office oversees enforcement and collaborates internationally on ethical AI practices. Stakeholders include:

  • The AI Board: Expert advisory group for the Commission and member states
  • The Advisory Forum: Industry, SMEs, civil society, and academic advisors
  • The Scientific Panel: Independent experts focused on GPAI system regulation implementation

In Summary

The EU AI Act is a groundbreaking step toward common regulation of AI, encompassing small startups through multinational corporations. Compliance means proactively ensuring responsible, ethical, and human-centric AI deployment. As registration and assessment procedures ramp up ahead of the 2025-2027 deadlines, now is the time for organizations to familiarize themselves with the new requirements.

For more information, visit the Zure Blog.

About the author:

Matias Näveri

Matias merges design, agile, and technology mindsets, with 17+ years in software development. He specializes in concepting, user experience, team collaboration, and integrating business thinking for better digital projects.

This post appeared first on “Zure Data & AI Blog”. Read the entire article here