Effective from August 2, the EU AI Act applies to GPAI providers

The European Union has taken a significant step towards regulating artificial intelligence (AI) with the publication of the EU AI Act in the EU's Official Journal on July 12, 2024. The Act, which took effect on August 1, 2024, aims to ensure the ethical and safe development and deployment of AI.

The EU AI Act adopts a risk-based approach, categorizing AI systems based on potential risks and impacts. High-risk AI systems, those that present a significant threat to health, safety, or fundamental rights, are subject to stringent regulations. GPAI models placed on the market after August 2, 2025, must be fully compliant with the EU AI Act by August 2, 2026.

Notified Bodies, as stipulated in Chapter III, Section 4 of the EU AI Act, will be involved in conformity assessments for high-risk GPAI models. The European Commission has planned to publish supplementary guidelines with the AI Code of Practice before August 2, 2025, to clarify which companies qualify as providers of general-purpose models and general-purpose AI models with systemic risk.

The Act outlines requirements for technical documentation, training data summaries, and transparency measures for GPAI models, as detailed in Chapter V. Providers of GPAI models that pose systemic risk are required to conduct model evaluations, report incidents, implement risk mitigation strategies and cybersecurity safeguards, disclose energy usage, and carry out post-market monitoring.

Non-compliance with prohibited AI practices, such as manipulating human behaviour, social scoring, facial recognition data scraping, and real-time biometric identification in public spaces, can result in fines of up to €35,000,000 or 7% of total worldwide annual turnover. Other breaches of regulatory obligations, like those related to transparency, risk management, or deployment responsibilities, can lead to fines of up to €15,000,000 or 3% of turnover.

Article 78 of the EU AI Act ensures data requests by authorities to GPAI model providers are legally justified, securely handled, and subject to confidentiality protections. Supplying misleading or incomplete information to authorities can result in fines of up to €7,500,000 or 1% of turnover.

The European Data Protection Supervisor (EDPS) acts as a notified body and market surveillance authority for EU institutions, while individual Member States designate their own notifying authorities responsible for assessing, designating, and monitoring conformity assessment bodies as notified bodies under the EU AI Act. Additionally, the newly created EU AI Office will play a central role in overseeing the AI Act's implementation and enforcement across member states.

The Act also includes a two-year voluntary framework for tech companies to implement and adhere to the AI Act, known as the AI Code of Practice, which was published by the European Commission. A group representing Apple, Google, Meta, and other companies requested a two-year postponement of the Act's implementation, which was ultimately rejected by the EU.

AI systems that are components of specific large-scale EU IT systems and were placed on the market before August 2, 2027, must be brought into compliance by December 31, 2030. Certain AI systems deemed to pose unacceptable risk, such as those used for social scoring or real-time biometric surveillance in public, were banned on February 2, 2025.

Providers of GPAI models must maintain comprehensive technical documentation, training data summaries, copyright compliance policies, guidance for downstream deployers, and transparency measures regarding capabilities, limitations, and intended use. GPAI models placed on the market before August 2, 2025, must be brought into full compliance by August 2, 2027.

The EU AI Act is a significant step towards ensuring the ethical and safe development and deployment of AI in the European Union. It provides a clear framework for companies to follow and ensures that AI systems do not pose a threat to the health, safety, or fundamental rights of individuals.