First rules of AI Act are now applicable. What’s next?

First rules of AI Act are now applicable. What’s next?

by Marta Popa, Deputy Managing Partner Voicu & Asociații

Synopsis: Although the Regulation (EU) 2024/1689 (AI Act) has entered into force as of August 1^st, 2024, none of the AI Act’s requirements applied until February 02, 2025, as they were planned to apply gradually over time. On February 02, 2025, the first rules of the AI Act became applicable, as presented in more details below. And, in the context of the European AI Office finalizing the consultation started on November 13, 2024 on critical aspects of the AI Act, including the definition of AI systems and prohibited practices, draft Guidelines^[1] on these areas have been published.

The first measures of the AI Act took effect on February, 02, 2025

The first phase of the AI Act began on February 02, 2025, just a few days before the 2025 Paris AI Summit, with the ban on certain uses of AI deemed unacceptable by the AI Act (article 5) and the AI literacy (article 4) obligations becoming applicable; the definition of an AI system (article 3) also entered into application on the same date.

It should be noted that the legal concepts in relation to the AI system definition and the prohibitions were already set out in the AI Act and the above-mentioned consultation was meant to seek additional practical examples from stakeholders to feed into the guidelines and provide further clarity on practical aspects and use cases. Such clarity is essential for providers and deployers of AI systems, since the prohibitions are directly applicable as from February 02, 2025. The draft Guidelines will assist national competent authorities, providers and deployers in complying with and enforcing the AI Act uniformly.

AI literacy requirements. Raising awareness

One of the earliest obligations under AI Act is the requirement to implement AI literacy measures, which become enforceable from February 02, 2025 and applies to providers (i.e., an entity that develops the AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge) and deployers (i.e., an entity that uses an AI system under its authority except where the AI system is used in the course of a personal non-professional activity) of AI systems regardless of the risks and capabilities of the relevant AI system.

Such entities have the obligation to take measures to ensure, to the largest extent possible, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf. Under the AI Act, AI literacy is the skill, knowledge and understanding required to facilitate the informed deployment of AI systems and to gain awareness about the opportunities and risks of AI and possible harm it can cause.

As the AI Act does not provide specific guidelines on the scope or content of training, compliance with the AI literacy obligations can be confusing.

While the AI Act’s obligations on AI literacy are already in force, its provisions on penalties for non-compliance will only apply six months later, on August 02, 2025. From that date, it will be up to each EU member state’s respective national competent authorities to impose enforcement measures and sanctions to ensure compliance with the AI Act. At the moment, there are no specific sanctions under the AI Act for breaches of AI literacy obligations; however, failure to fulfill the obligation during the interim period (until August 02, 2025) remains contrary to the law. One can be reasonably expect that the performance or non-performance of such obligations will be factored in by the competent authorities when deciding an appropriate sanction to a provider of deployer for other breaches of the AI Act.

Further guidance on AI literacy, as and when it is published, should be sought by organisations.

To prepare for AI literacy obligations compliance, concerned companies should consider building their approach to the issue within a context specific strategy, as there is no one-size-fits-all approach. Specific factors such as the role they play and the obligations they have under the AI Act or the type of risk presented by their AI systems may be considered to tailor their AI literacy measures.

Guidelines on the definition of an AI system established by the AI Act

The Draft Guidelines on definition of AI systems have been published on February 06, 2025 and provide the methodology for distinguishing AI systems from simpler traditional software systems or programming approaches in the attempt to help businesses implementing the AI Act to define systems that are outside the scope of the AI Act.

As to the definition of AI systems, the Draft Guidelines contain the following concluding remarks:

1. The definition of an AI system encompasses a wide spectrum of systems. The determination of whether a software system is an AI system should be based on the specific architecture and functionality of a given system and should take into consideration the seven elements of the definition laid down in Article 3(1) AI Act, as follows:
   „(1) a machine-based system; (2) that is designed to operate with varying levels of autonomy; (3) that may exhibit adaptiveness after deployment; (4) and that, for explicit or implicit objectives; (5) infers, from the input it receives, how to generate outputs (6) such as predictions, content, recommendations, or decisions (7) that can influence physical or virtual environments.”
2. No mechanic/automatic determination or exhaustive lists of systems that either fall within or outside the definition of an AI system are possible, due to diverse nature of the AI systems.
3. Only certain AI systems are subject to regulatory obligations and oversight under the AI Act. The AI Act’s risk-based approach means that only those systems giving rise to the most significant risks to fundamental rights and freedoms will be subject to its prohibitions laid down in Article 5 AI Act, its regulatory regime for high-risk AI systems covered by Article 6 AI Act and its transparency requirements for a limited number of pre-defined AI systems laid down in Article 50 AI Act. The vast majority of systems, even if they qualify as AI systems within the meaning of Article 3(1) AI Act, will not be subject to any regulatory requirements under the AI Act.
4. The AI Act also applies to general-purpose AI models, which are regulated in Chapter V of the AI Act. The analysis on the differences between AI systems and general-purpose AI models is outside the scope of the Guidelines.

Guidelines on prohibited artificial intelligence practices established by the AI Act

The Draft Guidelines on prohibited practices provide an overview of AI practices that are deemed unacceptable due to their potential risks to European values and fundamental rights.

The AI Act prohibited from the beginning specific AI applications such as:

• social rating systems;
• predictive policing AI for individual profiling;
• unauthorized facial recognition databases; and
• workplace or school emotion recognition (except for medical or safety reasons).

Also banned are the exploitation of people’s vulnerabilities, manipulation or subliminal techniques. Real-time facial recognition in public spaces and biometric categorisation for identifying personal characteristics are also banned, with some law enforcement exemptions.

As with the AI literacy, failure to observe the prohibition on certain AI practices during the interim period (until August 2, 2025) remains contrary to the law. Enforcement will be handled by the new AI Office and national authorities. Violations can result in fines: up €35 million or 7% of global annual turnover (whichever is higher) for violations related to prohibited practices (as they are considered to constitute the most severe infringement). Other sanctions may occur: removal from the market of the non-compliant AI system, civil liability for damages, reputational damage.

Source: C_2025_884_1_EN_annexe_acte_autonome_cp_part1_v4_112367

NOTE: The Draf Guidelines are meant to explain the legal concepts and provide practical use cases, based on stakeholders^[2] input. They are not legally binding nor do they establish a presumption of conformity and will be updated as necessary. Only CJEU can provide authoritative interpretations. Nevertheless, the guidelines offer significant practical support for businesses implementing the EU AI Act.

ANYTHING TO DO NOW?

Although the full applicability of the AI Act is not immediate, the concerned entities should promptly start preparation for compliance. They should make an assessment of their processes to identify if they are concerned by the obligations under the AI Act and build a strategy for compliance of their (or their third party-vendors) AI systems with the AI Act, such strategy to also hold them harmless in the relationships not only with the competent state bodies but with their contractual partners, consumers, employees, which may raise civil claims on various legal grounds for damages incurred pursuant lack of compliance with such obligations.

HOW CAN WE BE OF HELP? Voicu & Asociații can support you in the audit process and can make recommendations for optimizing specific compliance procedures and processes. The project team works in a multidisciplinary formula to holistically address projects for support towards compliance with the AI Regulation, a formula that includes lawyers specialized in Digital & Tech law as well as cybersecurity specialists.

^[1] The Guidelines will be formally adopted by the Commission at a later date, when all language versions are available. It is only from that moment that these Guidelines will be applicable.

^[2] e.g., providers and deployers of AI systems, civil society organisations, academia, public authorities, business associations, etc