EU AI Act Published in the EU Official Journal

July 18, 2024

Reading Time : 4 min

On 12 July 2024, the European Union Artificial Intelligence Act (AI Act or Act) was published in the Official Journal of the European Union (EU), marking the final step in the AI Act’s legislative journey. Its publication triggers the timeline for the entry into force of the myriad obligations under the AI Act, along with the deadlines we set out below. The requirement to ensure a sufficient level of AI literacy of staff dealing with the operation and use of AI systems will, for example, apply to all providers and deployers on 2 February 2025.

Businesses should prioritise assessing what AI they deploy or develop, take measures to ensure AI literacy (i.e., skills, knowledge and understanding to make informed use of AI and awareness of its opportunities and risks) and assess if any of the AI systems will be prohibited and cease any such use and development. Next, companies should focus on putting in place a compliance programme, in collaboration with the relevant business teams, in relation to general-purpose AI models, as well as high-risk AI, such as AI systems used in recruitment, critical digital infrastructure, evaluating creditworthiness and biometrics and low-risk AI, such as chatbots. In some cases, compliance may require significant time and effort (for example, changes to high-risk AI models as to data sets and human oversight).

Our previous alert, following the Council of the EU issuing its final approval of the AI Act on 21 May 2024, sets out the mechanics of the AI Act in further detail. At a high level, the complex and involved AI Act imposes obligations in relation to all general-purpose AI models as well as regarding high-risk AI systems and low-risk AI systems, banning certain AI systems outright. The AI Act has an extra-territorial scope and applies to providers, deployers and a wide range of other participants in the AI value chain (i.e., supply chain). It has steep non-compliance penalties, with the maximum fine reaching 7% of global turnover or 35 million euro (approx. US$37.6 million, £29.9 million), whichever is higher. As detailed in Akin Intelligence, the AI Office, a new body under the EU Commission tasked with overseeing the implementation and enforcement of the AI Act, was set up in June. Another new body, the European AI Board, comprising representatives of EU Member States and aimed at ensuring consistent and effective application of the AI Act, also held its first meeting in June.

Users and developers of AI systems, including general-purpose AI models, should consider which parts of the Act apply to their operations and set up a compliance programme in order to meet their obligations in time in accordance with the relevant deadlines, as follows:

  • 1 August 2024: The EU AI Act officially enters into force.
  • 2 February 2025: All providers and deployers of AI systems need to ensure, to their best extent, a sufficient level of AI literacy of staff dealing with the operation and use of AI systems. Certain AI practices become prohibited, including certain biometric categorisation and identification systems; AI systems used to classify people by social behaviour or known, inferred or predicted personal or personality characteristics (e., ‘social scoring’), resulting in detrimental or unfavourable treatment; and AI systems that deploy subliminal techniques beyond a person’s consciousness, or exploit individuals’ vulnerabilities, with the objective or effect of materially distorting behaviour in a manner that causes or is reasonably likely to cause significant harm.
  • 2 August 2025: The requirements for all general-purpose AI (GP AI) models become binding (with some limited exceptions), with stricter obligations for GP AI with “systemic risk”. If certain criteria are met, GP AI models are considered with “systemic risk”; there is a presumption that the criteria are met in some instances.
  • 2 August 2026: The bulk of the remaining obligations on deployers and providers of AI become binding, including for low and high-risk and high low risk AI systems. High-risk AI systems are those that fall into eight categories under the Act, such as employment and recruitment, biometrics, access to essential services (such as evaluating creditworthiness) and critical infrastructure, including digital infrastructure. Those high-risk AI systems already on the market as of 2 August 2026 must comply only if, going forward, there are significant changes in their design. Low-risk AI systems include chatbots as well as tools generating synthetic audio, image, video or text content and deep fakes.
  • 2 August 2027 (and beyond): Providers of GP AI which were already on the market as of 2 August 2025, must comply with obligations for GP AI. AI systems regulated by specific EU laws (g., vehicles, aviation, medical devices, lifts, machinery) become subject to the obligations for high-risk AI systems. By 2030, certain other AI systems, mainly in the public domain, must comply with all remaining relevant obligations.

The Global Akin AI Group is available to discuss the AI Act and its implications for you at your convenience.

The full and final text of the AI Act is available to view on the Official Journal’s website.

Share This Insight

Previous Entries

Data Dive

September 11,2025

The Department of Defense (DoD) recently published in the Federal Register its long-awaited final rule (the Rule) amending the Defense Federal Acquisition Regulation Supplement (DFARS) to formally implement the Cybersecurity Maturity Model Certification (CMMC) program. The Rule, effective November 10, 2025, will move CMMC from a policy framework into binding contractual obligations for most defense contractors.

...

Read More

Data Dive

September 3, 2025

AI policy for the health and life sciences sector has continued to take shape. Building on recent activity, on July 23, 2025, the White House released its highly-anticipated AI Action Plan, setting forth the Trump Administration’s recommended policy actions to accelerate AI innovation and build American AI infrastructure. This Plan recommends policies that would promote AI adoption, the creation of “AI-ready” scientific datasets and the establishment of real-world AI evaluation systems by and for the health care and life sciences industries.

...

Read More

Data Dive

July 29, 2025

The U.S. Court of Appeals for the Sixth Circuit has upheld a 2024 Federal Communications Commission (FCC) Order that significantly broadens telecommunications carriers’ breach notification obligations. This decision, issued on August 14, 2025, in Ohio Telecom Association v. FCC, mandates that carriers disclose breaches of any customer personally identifiable information (PII), not just customer proprietary network information (CPNI), and applies to both inadvertent and intentional breaches.2

...

Read More

Data Dive

March 3, 2025

On January 16, 2025, the Federal Trade Commission (FTC) issued a Final Rule updating the Children’s Online Privacy Protection (COPPA) Rule, significantly expanding compliance obligations for online services that collect, use, or disclose personal information from children under 13.1 The amendments impose new restrictions on targeted advertising, add data security requirements, refine parental consent mechanisms, and introduce additional compliance measures.

...

Read More

Data Dive

February 21, 2025

On January 8, 2025, the DOJ published a final rule prohibiting and restricting certain transactions that could allow persons from countries of concern, such as China, access to bulk sensitive personal data of U.S. citizens or to U.S. government-related data (regardless of volume).

...

Read More

Data Dive

January 22, 2025

On January 17, 2025, days before the inauguration, former President Joe Biden issued an executive order titled Strengthening and Promoting Innovation in the Nation's Cybersecurity (EO 14144). Building on previous efforts, including Executive Order 14028, this directive seeks to bolster cybersecurity across federal systems, supply chains and critical infrastructure from adversarial nations, particularly from the People’s Republic of China (PRC).

...

Read More

Data Dive

January 10, 2025

UPDATE: The California Privacy Protection Agency (CPPA) has extended the deadline for submitting public comments from January 14 to February 19, 2025, in response to the recent California wildfires. This extension aims to afford stakeholders additional time to provide comprehensive and detailed feedback, considering the significant challenges posed by the wildfires.

...

Read More

Data Dive

November 25, 2024

Treasury has issued a Final Rule to implement President Biden’s 2023 EO targeting U.S. investments in Chinese companies engaged in certain activities related to semiconductors, quantum computing or AI.

...

Read More

© 2025 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.