EU AI Act Enters Into Force – But Not Everything Is Effective Yet

August 1, 2024 marks another milestone in EU privacy and cybersecurity regulation as the day that the EU AI Act first becomes effective. However, like the General Data Protection Regulation (GDPR) before it, the EU AI Act provides for a transition period and many provisions will not become effective for some time, with the last set of obligations scheduled to go into effect in 2030.

The earliest milestone for businesses to be mindful of is the prohibition on unacceptably risky AI, which goes into effect February 2, 2025 – just 6 months from now. Businesses that are subject to the EU AI Act must discontinue any use of AI deemed an unacceptable risk.

The next key date is a year away. On August 2, 2025, providers of general purpose AI models must comply with their obligations under the EU AI Act. Some of these obligations include developing detailed technical documentation of the AI model, documentation that enables downstream users to understand the AI model's capabilities and limitations, and public-facing documentation about the training data. They must also have adequate cybersecurity protection for the model (which has a whole new set of risks compared to other SaaS products, including prompt stuffing and similar "front door" attacks), conduct model evaluations, and assess and mitigate potential risks.

The EU AI Office is supposed to draft "codes of practice" regarding obligations for providers of general purpose AI models before May 2, 2025 and provide at least 3 months before taking effect. However, developers of these models may need to expend significant resources to create this documentation and assess risks and should begin efforts sooner rather than later, while still remaining nimble to adjust for any such codes of practice.