
compliance · 11 min read

EU AI Act in force: Regulation (EU) 2024/1689 and the operational calendar

On 1 August the AI Act enters into force after OJEU publication on 12 July. Application is staggered: Art. 5 prohibitions at 6 months, GPAI at 12, high-risk Annex III at 24, Annex I products at 36. What a CISO/DPO needs to put in motion now.

· Manuel López Pérez · compliance

On 12 July 2024 the OJEU publishes Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 — the AI Act. The text enters into force twenty days after publication: 1 August 2024. Application, however, is staggered article by article. What matters for a CISO/DPO is the block-by-block calendar, not the “entry into force” date.

In December we covered the political agreement of 9 December 2023: trilogue phase, no official text. This post is the follow-up: final text, exact dates, exact subjects, confirmed fines.

Reading: analysis of the text published in OJEU (consolidated version). Dates are those of Art. 113. For any binding decision, read the Regulation directly.

The four dates to put in the calendar

Art. 113 sets staggered application. Four milestones:

Milestone            | Date            | What enters application                                                               | Period from entry into force
Entry into force     | 1 August 2024   | Regulation published, not yet enforceable except application provisions               |
Art. 5 prohibitions  | 2 February 2025 | Chapters I and II — unacceptable practices prohibited, definitions, AI literacy        | 6 months
GPAI                 | 2 August 2025   | Chapter V — general-purpose model obligations (including systemic risk)               | 12 months
High-risk systems    | 2 August 2026   | General application — Annex III, oversight, sandboxes, sanctions, national governance | 24 months
Annex I (products)   | 2 August 2027   | Art. 6(1) — high-risk systems integrated into products regulated by other rules       | 36 months

Three important notes on the table:

  1. Entry into force ≠ applicability. A system doing social scoring today is not illegal on 2 August 2024; it is on 2 February 2025. The clock runs from OJEU publication, not entry into force.
  2. GPAI models already placed on the market before 2 August 2025 have a transition period until 2 August 2027 to adapt (Art. 111). The clock is stricter for new models.
  3. For high-risk systems already in use before 2 August 2026, compliance is required only if they undergo a significant change in design after that date (Art. 111.2) — with the exception of those used by public authorities, which fall under the full regime.

Classification: where the inventory starts

The AI Act keeps classifying systems into four categories, same as the December political agreement. The final text refines the edges but the structure is the same.

Unacceptable risk (Art. 5) — prohibited

Systems the Regulation prohibits outright. The final-text list:

  • Subliminal or manipulative techniques causing material or psychological harm.
  • Exploitation of vulnerabilities by age, disability or socio-economic situation.
  • Social scoring by public or private entities leading to disproportionate detrimental treatment.
  • Individual risk assessment or prediction of crime commission based solely on profiling or personality traits.
  • Untargeted scraping of facial images from the internet or CCTV to build face recognition databases.
  • Inference of emotions in workplaces and educational institutions (with medical or safety exception).
  • Biometric categorisation based on sensitive data (ethnicity, political opinion, sexual orientation, religion).
  • Real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (with strict exceptions: search for victims, prevention of imminent terrorist attack, prosecution of serious crimes from Annex II, with prior judicial authorisation save in urgent cases).

Applicability: 2 February 2025. For a legal team, that is the first real date.

High-risk (Art. 6 + Annex III) — extensive obligations

Annex III lists the use cases considered high-risk. Final list:

  1. Biometric identification and categorisation (not prohibited under Art. 5).
  2. Management and operation of critical infrastructure (transport, water, gas, electricity, healthcare).
  3. Education and vocational training (admission, evaluation, placement, detection of prohibited conduct in exams).
  4. Employment and worker management (CV screening, task assignment, performance review, termination decisions).
  5. Access to essential public and private services (credit, insurance, social welfare, eligibility assessment for public services, emergency medical triage, life and health insurance premium scoring).
  6. Law enforcement (evidence reliability evaluation, profiling, recidivism risk assessment, deepfake detection for criminal purposes).
  7. Migration, asylum and border control (irregular migration detection, visa risk, assistance to authorities in examinations).
  8. Administration of justice and democratic processes (assistance to judicial authorities, systems intending to influence electoral outcomes).

The Annex III obligations (Chapter III, Section 2) for the provider:

  • Documented risk management system across the life cycle (Art. 9).
  • Quality, governance and bias mitigation in training, validation and testing data (Art. 10).
  • Detailed technical documentation (Art. 11), retention of automatic logs (Art. 12).
  • Transparent information to the deployer (Art. 13).
  • Design enabling effective human oversight (Art. 14).
  • Adequate levels of accuracy, robustness and cybersecurity (Art. 15).
  • Conformity assessment before market placement (Art. 43), CE marking, EU declaration of conformity.
  • Registration in the EU database of high-risk systems (Art. 49).

General applicability: 2 August 2026.

Limited risk (Art. 50) — transparency

Obligation to inform the user:

  • Chatbots: the user must know they are interacting with an AI, unless obvious.
  • Image, audio or video generation systems: content marked as AI-generated or manipulated in machine-readable format (C2PA-type standards).
  • Deepfakes: labelling required, save for artistic-work or authorised public-safety exceptions.
  • Biometric categorisation and emotion recognition (when not falling under Art. 5): inform the subject.

Applicability: 2 August 2026, save for law enforcement authorities in certain cases.

Minimal risk — no specific obligations

Spam filters, standard recommenders, AI in video games. The Regulation promotes voluntary codes of conduct but imposes no obligations.

GPAI: the specific regime for general-purpose models

Chapter V (Arts. 51–56) regulates general-purpose AI models: foundation models, in practice.

Standard GPAI

Every GPAI model, systemic-risk or not, must:

  • Keep technical documentation available to the AI Office and national authorities (Art. 53.1.a, Annex XI).
  • Provide information to downstream providers integrating the model (Art. 53.1.b, Annex XII).
  • Publish a summary of training dataset content (Art. 53.1.d), under harmonised format published by the AI Office.
  • Have a documented EU copyright compliance policy (Art. 53.1.c) — Directive 2019/790, opt-outs of Art. 4 of the DSM Directive included.

GPAI with systemic risk

Criterion of Art. 51.2: models trained with >10^25 cumulative FLOPs, or designated systemic by the Commission via Art. 51.1.b (based on technical capabilities, number of registered users, business users, computational resources, modality, etc.).

For reference: GPT-4 is estimated at ~2·10^25 FLOPs, Llama-3.1-405B around 4·10^25, Gemini Ultra around 5·10^25. Public FLOP estimates are neither transparent nor stable; the AI Office can adjust the threshold.

Additional obligations (Art. 55):

  • Model evaluations with standardised methodology, including adversarial testing.
  • Analysis and mitigation of systemic risks at EU level, documented.
  • Reporting of serious incidents to the AI Office and national authorities.
  • Adequate cybersecurity of the model and the physical weights.

GPAI applicability: 2 August 2025.

Subjects: provider, deployer, importer, distributor

The Regulation distinguishes four roles. Obligations vary:

  • Provider (Art. 16): the entity that develops the system or has it developed, and places it on the market under its name. Most of the regulatory weight lands here — declaration of conformity, documentation, registration, post-market surveillance.
  • Deployer (Art. 26): the entity that uses the system under its authority (save for non-professional personal use). Obligations: use in accordance with instructions, human oversight, input data management, log retention when high-risk, fundamental rights impact assessment for public entities and for certain Annex III cases (FRIA, Art. 27).
  • Importer (Art. 23): the entity introducing into the EU a system from a provider established outside. Verifies that the provider has performed the conformity assessment and that the documentation is available.
  • Distributor (Art. 24): the entity selling without modification. Verifies CE marking, documentation, and reports non-conformities.

Role change: if a deployer substantially modifies a system, puts its name on it, or uses it for a purpose not foreseen that changes its classification (from limited to high-risk, for example), it becomes provider with full obligations (Art. 25). This matters for operational fine-tunes of GPAI models.

Sanctions (Art. 99)

Three tiers:

  • Non-compliance with Art. 5 prohibitions: up to €35 million or 7 % of total worldwide annual turnover, whichever is higher.
  • Other obligations (high-risk systems, transparency, GPAI, etc.): up to €15 million or 3 % of worldwide annual turnover.
  • Supplying incorrect or misleading information to notified bodies or competent authorities: up to €7.5 million or 1 % of worldwide annual turnover.

For SMEs and startups: the lower of the two amounts or percentages applies, not the higher (Art. 99.6). It is the only material mitigation in the sanctions regime.

Higher tiers than GDPR. The political intent is dissuasive.

Classification flowchart (for a first triage)

For each AI system in the inventory, in this order:

  1. Does it fall in the list of prohibited practices under Art. 5? → STOP. Withdraw before 2 February 2025.
  2. Is it listed in Annex III? → it is high-risk, unless the provider documents that the system does not materially affect the outcome of decision-making (Art. 6.3 — documented exception with assessment).
  3. Is it a safety component of a product regulated by Annex I legislation (toys, medical devices, vehicles, lifts, pressure equipment, etc.)? → high-risk under Annex I. Applicability 2 August 2027.
  4. Is it a chatbot, content generator, deepfake, emotion recognition or biometric categorisation system? → limited risk, transparency obligations Art. 50.
  5. Is it a general-purpose model trained with >10^25 FLOPs or designated by the Commission? → GPAI with systemic risk (regardless of downstream use case). Art. 55 regime.
  6. Is it a general-purpose model below the threshold? → standard GPAI, Art. 53 obligations.
  7. None of the above → minimal risk. No specific obligations, voluntary codes of conduct.

Step 1 is where most teams will have work over the next six months. Steps 5 and 6 are where foundation model trainers will have it.
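The flowchart above is the kind of ordered check that belongs in the inventory tooling rather than in a reviewer's head, because the order is what keeps a system from being filed as "limited risk" when it already sits in Annex III. The following is an added example, not code from the original post or from any regulator: it encodes the seven steps as one function, tags each inventory row with its category and the application date the post's calendar gives for that category, and sorts the inventory by earliest deadline. The AISystem and Triage records, the field names and the sample inventory are assumptions made for illustration; the dates and the 10^25 FLOP threshold are the ones the post cites.

```python
"""Inventory triage following the seven-step flowchart.

Added example, not the post's own code. Record layout, field names and
the sample inventory are assumptions; dates/threshold are as the post states.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Application dates per Art. 113, as given in the post's calendar.
APPLIES_ART5 = date(2025, 2, 2)        # prohibited practices
APPLIES_GPAI = date(2025, 8, 2)        # Chapter V, Arts. 51-56
APPLIES_ANNEX_III = date(2026, 8, 2)   # high-risk, general application
APPLIES_ART50 = date(2026, 8, 2)       # transparency obligations
APPLIES_ANNEX_I = date(2027, 8, 2)     # high-risk via product legislation

# Art. 51.2 presumption of systemic risk: cumulative training compute.
SYSTEMIC_RISK_FLOPS = 1e25


@dataclass
class AISystem:
    """One inventory row (assumed layout). Flags are the reviewer's yes/no answers."""
    name: str
    prohibited_practice: bool = False      # matches an Art. 5 item
    annex_iii_use_case: bool = False       # listed in Annex III
    art_6_3_exemption: bool = False        # documented "no material effect"
    annex_i_safety_component: bool = False
    transparency_use: bool = False         # chatbot, generator, deepfake, ...
    general_purpose_model: bool = False
    training_flops: float = 0.0
    designated_systemic: bool = False      # Commission decision, Art. 51.1.b


@dataclass
class Triage:
    category: str
    applies_from: Optional[date]
    action: str


def triage(s: AISystem) -> Triage:
    """Walk the flowchart in order; the first matching step decides."""
    # 1. Art. 5: stop here, nothing else matters.
    if s.prohibited_practice:
        return Triage("prohibited (Art. 5)", APPLIES_ART5,
                      f"withdraw before {APPLIES_ART5.isoformat()}")
    # 2. Annex III, unless the Art. 6.3 exemption is documented.
    if s.annex_iii_use_case and not s.art_6_3_exemption:
        return Triage("high-risk (Annex III)", APPLIES_ANNEX_III,
                      "Arts. 9-15 documentation, conformity assessment, EU register")
    # 3. Safety component of a product under Annex I legislation.
    if s.annex_i_safety_component:
        return Triage("high-risk (Annex I)", APPLIES_ANNEX_I,
                      "Art. 6(1): follow the sectoral product legislation")
    # 4. Transparency uses of Art. 50.
    if s.transparency_use:
        return Triage("limited risk (Art. 50)", APPLIES_ART50,
                      "inform users / mark content as AI-generated")
    # 5./6. General-purpose models: systemic if above threshold or designated.
    if s.general_purpose_model:
        if s.training_flops > SYSTEMIC_RISK_FLOPS or s.designated_systemic:
            return Triage("GPAI with systemic risk (Art. 55)", APPLIES_GPAI,
                          "Art. 53 plus evaluations, systemic-risk mitigation, incident reporting")
        return Triage("GPAI (Art. 53)", APPLIES_GPAI,
                      "technical docs, downstream info, training summary, copyright policy")
    # 7. Everything else; an Art. 6.3 exemption still needs its assessment on file.
    note = ("minimal risk; keep the Art. 6.3 assessment on file"
            if s.art_6_3_exemption else "minimal risk; voluntary codes of conduct")
    return Triage("minimal risk", None, note)


def triage_inventory(systems):
    """Return (name, triage) pairs, earliest deadline first; undated rows last."""
    rows = [(s.name, triage(s)) for s in systems]
    return sorted(rows, key=lambda r: (r[1].applies_from is None,
                                       r[1].applies_from or date.max))


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    AISystem("call-centre emotion scoring", prohibited_practice=True),
    AISystem("CV screening ranker", annex_iii_use_case=True),
    AISystem("HR ticket router", annex_iii_use_case=True, art_6_3_exemption=True),
    AISystem("customer-support chatbot", transparency_use=True),
    AISystem("in-house fine-tuned LLM", general_purpose_model=True, training_flops=3e24),
    AISystem("spam filter"),
]

if __name__ == "__main__":
    for name, t in triage_inventory(SAMPLE_INVENTORY):
        print(f"{name:30} {t.category:34} {t.applies_from}  {t.action}")
```

The two things worth noticing are structural: the Art. 5 check returns before anything else is evaluated, and an Annex III system with a documented Art. 6.3 exemption does not stop at step 2 but keeps walking the chart, which is why the exemption is recorded in the action text rather than silently dropped.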

What to start doing now

No alarmism. Operational work for a CISO/DPO during the second half of 2024:

  1. AI inventory. List every AI system in use, developed internally or acquired. For each: provider, use case, data processed, decision supported, business area using it. If the answer to “what AI do we use” today is “we don’t know”, phase 1 runs from August to December.
  2. Triage against Art. 5. Run the inventory against the list of prohibited practices. Any system landing there: withdraw or rewrite before 2 February 2025. Typical cases: employee scoring with classification by personal traits, emotion recognition in call centres, remote biometric identification in workplaces open to the public.
  3. Annex III classification. For systems surviving step 2, check against the 8 points of Annex III. Document the decision, especially when applying the Art. 6.3 exemption (“does not materially affect the outcome”).
  4. Preliminary technical documentation. Even if the formal Annex III obligation applies in August 2026, the document set (risk management, data quality, logs, human oversight, conformity assessment) is years of work. Start now with clearly high-risk systems.
  5. Role check. For each system, identify role: provider, deployer, importer, distributor. If the organisation trains its own models (even substantial fine-tunes on Llama, Mistral or similar), assess whether it falls under GPAI and, if above the threshold or designated, under systemic GPAI.
  6. Coordination with AESIA. The Spanish AI Supervision Agency starts operations on 19 June 2024 in La Coruña. Map contact, subscribe to communications, anticipate the first wave of non-binding guidelines.
  7. FRIA where applicable. Fundamental rights impact assessment (Art. 27): for public entities using Annex III systems and for certain deployers of Annex III points 5.b (essential private services) and 5.c (credit). Foreseeable template in 2025–2026.

Coordination with the rest of the compliance stack

The AI Act does not live alone. Coordination with existing rules:

  • GDPR (Regulation 2016/679): applies to any system processing personal data. For Art. 5.f (facial scraping) and biometric categorisation, GDPR is the main body. The AI Act adds prohibition; GDPR already regulated this as special category.
  • DSA (Regulation 2022/2065): digital platforms and VLOPs. Recommendation systems fall under DSA and, if they exceed thresholds or fall under Annex III, also under the AI Act.
  • NIS2 (Directive 2022/2555): cybersecurity for essential and important entities. The adequate cybersecurity of Art. 15 AI Act coordinates with NIS2. Spain has not yet transposed NIS2; deadline missed on 17 October 2024.
  • DORA (Regulation 2022/2554): digital operational resilience for the financial sector. Application from 17 January 2025. For financial entities using AI in credit scoring or risk management, both apply.
  • Cybersecurity Act (Regulation 2019/881): cybersecurity certification. ENISA. For high-risk systems, certification schemes can contribute to the presumption of conformity under Art. 15.

Each system in the inventory will likely have more than one applicable framework. The hard part of compliance work in 2025–2026 is coordination, not the AI Act itself.

The questions still open

  • Codes of practice for GPAI (Art. 56): the AI Office is coordinating them with industry. First version expected May 2025, ready for 2 August 2025 application.
  • Harmonised standards: CEN-CENELEC JTC 21 is drafting standards for Annex III. Once published, they give presumption of conformity. Until then, the provider has to technically justify compliance.
  • AI Office committees and AI Board still being formed. The first non-binding guidelines from the AI Office are expected throughout 2024–2025.
  • Operational definition of “significant change” (Art. 111.2) for legacy systems: no official guidance yet on what counts as a change triggering the obligation to comply.
