
compliance · 5 min read

EU AI Act: the 9 December political agreement and what comes next

After 38 hours of trilogue, Council and European Parliament close the political agreement on the AI Act on 9 December. Final technical text and OJEU publication (July 2024) still pending. What a CISO needs to note now.

Manuel López Pérez · compliance

On 9 December, after 38 hours of continuous trilogue, the Council and the European Parliament announced political agreement on the AI Act. It is the political close: not the final approval, not OJEU publication, not the start of application. But it is the moment the terms stop moving: what gets published in 2024 will be substantially what was agreed on 9 December, with legal-linguistic drafting on top.

For a team shipping AI in a product, this post isn’t legal reading — it’s operational. When does each obligation kick in, on which subject, with what penalty?

Reading note: this is an analysis of the agreed text, not the final text published in the OJEU. Exact dates, article numbers and thresholds may still shift during the final drafting. For binding decisions, wait for OJEU publication.

Act structure by four system categories

The AI Act classifies AI systems into four risk levels and applies progressive obligations:

1. Unacceptable risk — prohibited (Art. 5)

Directly prohibited systems:

  • Cognitive manipulation causing physical or psychological harm (subliminal techniques).
  • Exploitation of vulnerabilities of specific groups (age, disability, economic situation).
  • Social scoring of natural persons based on social behaviour or personal characteristics.
  • Real-time remote biometric identification in public spaces by law enforcement (with limited exceptions).
  • Biometric categorisation based on sensitive data (ethnicity, political, religious, sexual orientation).
  • Predictive policing based solely on profiling.
  • Emotion recognition in workplaces and education.
  • Untargeted scraping of facial images from the internet or CCTV to build databases.

Application: 6 months after entry into force (the Act enters into force 20 days after OJEU publication, so the clock does not start on the publication date itself). With publication in July 2024, that means roughly February 2025.

2. High-risk — extensive obligations (Annex I and Annex III)

Systems considered high-risk by their application sector:

  • Safety components in products covered by EU harmonisation legislation (toys, medical devices, vehicles…). These fall under Annex I, not Annex III, and follow the sectoral conformity assessment route.
  • Biometric identification and categorisation (not prohibited under Art. 5).
  • Critical infrastructure (transport, water, energy, etc.).
  • Education and vocational training (admissions, evaluation, place assignment).
  • Employment and HR (CV filtering, performance reviews, termination decisions).
  • Essential public and private services (credit, insurance, social welfare).
  • Law enforcement (risk of crime commission, identification, evidence evaluation).
  • Migration and border control (detection, asylum, visas).
  • Administration of justice and democratic processes.

Obligations for high-risk systems:

  • Documented risk management system.
  • High-quality training datasets, with bias mitigation.
  • Automatic logging during operation.
  • Transparency and information to the user.
  • Effective human oversight.
  • Appropriate levels of accuracy, robustness and cybersecurity, maintained throughout the lifecycle.
  • Conformity assessment before market placement.
  • Registration in the EU database of high-risk systems.

Application: 24 months after entry into force for Annex III systems, 36 months for Annex I safety components in products covered by other EU legislation. Realistic calendar: 2026 for Annex III, 2027 for Annex I.

3. Limited risk — transparency (Art. 52)

Transparency obligation — the user must know they are interacting with an AI system. Applies to:

  • Chatbots (unless obvious by context).
  • Image, audio or video generation systems (labelled deepfakes, except artistic or public safety exceptions).
  • Biometric categorisation and emotion recognition systems: the persons exposed to them must be informed, on top of any high-risk obligations that already apply under Annex III.

4. Minimal risk — no specific obligations

The vast majority of AI applications (spam filters, recommenders, video games). Voluntary codes of conduct.

Specific general-purpose AI (GPAI) regime

The part that was most debated, and the one with most operational impact for OpenAI / Anthropic / Google / Meta and for large organisations that train their own models (which makes them providers, not merely deployers):

GPAI without systemic risk

Basic obligations:

  • Technical documentation kept up to date and made available on request to the EU AI Office and national authorities.
  • Available information for downstream providers integrating the model.
  • Public summary of training dataset content.
  • Documented EU copyright compliance policy.

Models released under a free and open-source licence are exempt from the first two obligations (technical and downstream documentation) unless they present systemic risk; the training summary and the copyright policy still apply.

GPAI with systemic risk

The threshold proposed in the 9 December agreement: models whose cumulative training compute exceeds 10^25 FLOPs are presumed to present systemic risk. (For reference: GPT-4 is estimated at ~2·10^25 FLOPs; Llama-2 sits well below.) The threshold is a presumption, not a hard boundary: the Commission can also designate models below it as systemic on the basis of capabilities or reach, and the figure itself may shift during the year.

Additional obligations for systemic GPAI:

  • Documented model evaluations and adversarial testing (including red-teaming).
  • Tracking and reporting of serious incidents.
  • Ensure adequate cybersecurity of the model and its weights.
  • Report energy consumption of training.
  • Cooperate with the AI Office on evaluations and audits.

GPAI obligations application: 12 months after entry into force. Realistic calendar: August 2025.

Penalties

The agreement sets fine levels per non-compliance category:

  • Prohibited systems: up to €35M or 7 % of global turnover, whichever higher.
  • Other obligations (high-risk, transparency, GPAI): up to €15M or 3 %.
  • Supplying incorrect, incomplete or misleading information to authorities: up to €7.5M or 1.5 %.

For SMEs and start-ups, the lower of the two amounts in each tier applies rather than the higher. Even so, the top tier sits above GDPR's 4 % / €20M. The political intention is clear: penalties are dissuasive so that non-compliance isn't simply a cost of doing business.

What a CISO / DPO should start doing now

No obligations apply tomorrow. What does need to start:

  1. AI inventory. Which AI systems does the organisation use? Who provides them? What for? If the honest answer is “we don’t know exactly”, building that inventory is the work of the next six months.
  2. Preliminary classification. For each system: prohibited, high-risk, limited, minimal? Is it a component of AI in a product covered by another directive? Classification isn’t trivial and will eventually need legal.
  3. Identify role in the chain. Are you a provider (train/distribute the model)? A deployer (use it in product)? Obligations differ substantially.
  4. GPAI provider check. If your organisation trains foundation models (including substantial fine-tunes of someone else's model, which can make you the provider of the modified model), assess whether you fall under GPAI and, eventually, systemic GPAI.
  5. Coordination with national authority. In Spain, AESIA (Agencia Española de Supervisión de la IA) has been designated. Map who will audit you before they audit you.

Open questions in December 2023

  • Final technical text: post-agreement drafting may introduce changes. Exact figures (FLOPs thresholds, fines, calendars) may move.
  • Foundation model vs general-purpose AI definition. The text uses GPAI; foundation models sit inside but the boundary with narrower systems isn’t sharp.
  • Coordination with other regulations: GDPR (privacy), DSA (digital platforms), Cybersecurity Act, NIS2. There’s clear overlap and no official coordination guidance yet.
  • Extra-territorial application: the Act applies to providers placing systems on the EU market and to systems whose output is used in the EU, regardless of where the provider is established. How enforcement against Microsoft / OpenAI / Anthropic plays out in practice is the most important open question.

How we’ll cover the AI Act in IRONHACKERS during 2024

  • Monthly watch posts: tracking the calendar (final technical text, OJEU publication, national transpositions).
  • Dedicated posts when a concrete operational obligation enters application (likely Q1 2025 for Art. 5, Q3 2025 for GPAI).
  • Cross-references with the rest of the regulation stack (NIS2 transposition deadline in October 2024; DORA applying from January 2025) to understand the full stack.
