The European Union Artificial Intelligence Act (EU AI Act) came into effect on 1 August 2024, representing a significant milestone as the first comprehensive legislation globally to regulate AI systems through a risk-based framework.
Starting Sunday, 2 February, key provisions of the EU AI Act will be implemented. This includes a ban on AI systems deemed to pose ‘unacceptable risks’ and a deadline for compliance with AI literacy requirements. From this date, the use or marketing of such AI systems will be forbidden in the EU, with penalties reaching up to EUR 35,000,000 or 7% of global annual turnover for non-compliance.
The Act prohibits several specific activities, including:
– Harmful subliminal, manipulative and deceptive techniques
– Exploitation of vulnerabilities
– Unacceptable social scoring
– Individual crime risk assessment and prediction (with certain exceptions)
– Untargeted scraping of internet or CCTV material for developing facial recognition databases
– Emotion recognition in workplace and educational settings (with exceptions)
– Biometric categorization to deduce sensitive categories (with exceptions)
– Real-time remote biometric identification in public spaces for law enforcement (with exceptions)
Fiona Ghosh, partner at Ashurst, commented on the broader implications: “As the remaining provisions of the AI Act come into effect in stages, the regulatory landscape in Europe will undergo significant transformation, particularly as other jurisdictions, especially the U.S. (and to some extent the U.K.), appear to be shifting away from regulation, potentially accelerating this trend in response to international competition. The degree of resulting divergence remains uncertain.”
Importantly, the EU AI Act will be applicable to providers and deployers regardless of their geographical location. This means that U.S.-based companies with operations in the EU will still fall under its scope, despite the absence of equivalent federal AI legislation in the U.S.
“The AI Act will have a truly global application. It governs not only those organizations based in the EU that utilize AI but also those providing, importing, or distributing AI within the EU market. For example, a company using AI for recruitment in the EU—even from outside the region—will be subject to these new regulations,” explained Marcus Evans, partner at Norton Rose Fulbright.
Sunday, 2 February 2025, will also serve as the deadline for both the prohibition of unacceptable risk and meeting the EU AI Act’s literacy requirements. These requirements aim to ensure that organizations take necessary steps to train and upskill their teams working with AI systems.
Matt Worsfold, risk advisory partner at Ashurst, emphasized the urgency for businesses: “This deadline should act as a catalyst for organizations to formulate a compliance strategy. With roughly 18 months until the more substantial compliance deadlines, businesses must begin identifying their AI systems and use cases. This process could take considerable time, as many organizations have been acquiring or developing AI systems for years and often lack centralized records, necessitating extensive engagement with third parties.”