Skip to content
— CH. 1 · THE LEGISLATIVE TIMELINE —

Artificial Intelligence Act

~6 min read · Ch. 1 of 7
7 sections
  • On the 21st of April 2021, the European Commission officially proposed the Artificial Intelligence Act. This proposal marked the beginning of a complex legislative journey that would span nearly three years. The European Council adopted its general orientation on the 6th of December 2022, allowing formal negotiations to begin with the European Parliament. After three days of marathon talks concluding on the 9th of December 2023, the EU Council and Parliament reached an agreement.

    The law passed the European Parliament in plenary session on the 13th of March 2024. Members of the European Parliament voted 523 for the text, 46 against it, and 49 abstained. The EU Council approved the final version unanimously on the 21st of May 2024. The regulation entered into force on the 1st of August 2024, twenty days after being published in the Official Journal on the 12th of July 2024.

    Provisions will come into operation gradually over the following six to thirty-six months. Bans on unacceptable risk systems take effect after six months. Codes of practice become applicable nine months later. General-purpose AI systems face a twelve-month delay before full application. Some obligations related to high-risk AI systems have a thirty-six-month implementation window.

  • The Act classifies non-exempt AI applications by their potential to cause harm using four distinct levels. Applications with unacceptable risks are banned outright unless specific exemptions apply. This category includes systems that manipulate human behavior or use real-time remote biometric identification in public spaces. Social scoring systems that rank individuals based on personal characteristics also fall under this prohibition.

    High-risk applications must comply with strict security, transparency, and quality obligations. These systems undergo conformity assessments before entering the market and throughout their life cycle. Notable examples include AI used in health, education, recruitment, critical infrastructure management, law enforcement, and justice sectors. A Fundamental Rights Impact Assessment is required for some deployments to identify potential harms before they occur.

    Limited-risk applications carry only transparency obligations. Users must be informed when interacting with an AI system to make informed choices. This category covers tools that generate or manipulate images, sound, or videos like deepfakes. Minimal-risk applications remain unregulated and include video games or spam filters. Most AI applications expected to exist will fall into this minimal risk category.

  • Added in 2023, a specific category addresses general-purpose AI foundation models capable of performing wide-ranging tasks. Systems like ChatGPT face unique transparency requirements compared to other regulated applications. If a model's weights and design are made open source, developers must publish a training data summary and a copyright policy. Closed-source models must meet broader transparency standards.

    High-impact models posing systemic risks require more than one hundred twenty-five floating-point operations to train. These powerful systems must undergo extra evaluations including adversarial testing. They also need to assess and mitigate risks such as bias and security failures. Providers must report serious incidents and ensure adequate cybersecurity measures are in place.

    A General-Purpose AI Code of Practice published on the 10th of July 2025 outlines three main chapters on transparency, copyright, and safety. Participation in the code remains voluntary for providers. The Act mandates that all general-purpose AI model publishers adopt policies complying with copyright law while providing technical documentation to downstream users.

  • The AI Office attaches to the European Commission to coordinate implementation across all Member States. This authority oversees compliance of general-purpose AI providers and can request information or open investigations when serious issues arise. The office plays a central role in managing the regulatory framework established by the Act.

    The European Artificial Intelligence Board consists of one representative from each Member State. It advises and assists both the Commission and Member States to facilitate consistent application of the regulation. Tasks include gathering technical expertise, sharing regulatory knowledge, and providing written opinions on complex matters. An Advisory Forum represents industry stakeholders, small enterprises, civil society, and academia to ensure broad opinion representation.

    A Scientific Panel of Independent Experts provides technical advice to the AI Office and national authorities. This panel enforces rules for general-purpose AI models by launching qualified alerts about possible risks. National competent authorities designated by Member States conduct market surveillance and verify proper performance of conformity assessments. These bodies work together to form a multi-level supervision system.

  • Non-compliance with prohibitions in Article 5 subjects offenders to administrative fines up to thirty-five million euros. If an offender is an undertaking, penalties reach seven percent of its total worldwide annual turnover whichever amount is higher. Other operator obligations carry sanctions of fifteen million euros or three percent of worldwide annual turnover. Providing incorrect or misleading information may result in fines of seven point five million euros or one percent of turnover.

    Small and medium-sized enterprises including start-ups face caps based on the lower of relevant percentages or fixed amounts. Providers of general-purpose AI models can receive separate fines up to fifteen million euros or three percent of turnover in specific cases listed under Article 101. The Act mandates that member states establish their own notifying bodies to conduct audits ensuring proper conformity assessments.

    Regulatory sandboxes offer controlled testing environments run by national competent authorities. Developers can trial AI systems under supervision before placing them on the market. Small and medium-sized enterprises and start-ups may receive priority access to test systems within these compliant settings. This approach supports innovation while maintaining necessary safeguards for public safety.

  • Articles 2.3 and 2.6 exempt AI systems used exclusively for military or national security purposes from the Act. Pure scientific research and development activities also remain outside the regulation's scope. These exemptions apply only when systems are developed and put into service solely for those specific purposes. If such systems later serve civilian or law enforcement uses, the Act applies immediately.

    Article 5.2 bans algorithmic video surveillance of people conducted in real time within publicly accessible spaces. Exceptions allow real-time remote biometric identification for policing aims involving a real and present threat of terrorist attack. Lawful evaluation practices carried out for specific purposes according to Union law remain permitted despite general prohibitions.

    La Quadrature du Net interprets this exemption as permitting sector-specific social scoring systems like suspicion scores used by French family payments agencies. The sectoral exclusion for security and defense sits alongside separate security frameworks raising questions about future policy interactions. Critics argue these gaps leave significant room for automated social control mechanisms to operate without full oversight.

  • Anu Bradford at Columbia argues the law provides momentum to worldwide movements regulating AI technologies despite European jurisdiction. Amnesty International states the legislation fails to take basic human rights principles into account offering limited protections to marginalized people. The organization claims the Act does not ban reckless use of draconian AI technologies exported globally.

    Tech watchdogs identify major loopholes allowing large monopolies to entrench advantages while lobbying to weaken rules. Some startups welcome clarification but fear additional regulation makes them uncompetitive against American and Chinese rivals. A broad civil society coalition coordinated by European Digital Rights published analysis concluding the law falls short on privacy and equality protections.

    Thirty-eight global creators organizations issued a joint statement reported by Le Monde criticizing implementation rules for general-purpose AI. They argued guidelines do not adequately protect intellectual property rights or ensure transparency about training data. Scholars raise concerns about democratic legitimacy and practical enforceability noting impact depends on how oversight bodies apply rules over time.

Common questions

When did the European Union officially propose the Artificial Intelligence Act?

The European Commission officially proposed the Artificial Intelligence Act on the 21st of April 2021. This proposal initiated a legislative process that lasted nearly three years before reaching an agreement.

What are the penalties for non-compliance with the Artificial Intelligence Act in the European Union?

Non-compliance with prohibitions in Article 5 subjects offenders to administrative fines up to thirty-five million euros or seven percent of total worldwide annual turnover whichever amount is higher. Other operator obligations carry sanctions of fifteen million euros or three percent of worldwide annual turnover.

Which AI applications are banned under the Artificial Intelligence Act in the European Union?

Applications classified as unacceptable risks are banned outright unless specific exemptions apply including systems that manipulate human behavior or use real-time remote biometric identification in public spaces. Social scoring systems that rank individuals based on personal characteristics also fall under this prohibition.

How does the Artificial Intelligence Act regulate general-purpose AI models like ChatGPT?

General-purpose AI foundation models face unique transparency requirements and must publish training data summaries if their weights and design are made open source. High-impact models posing systemic risks require extra evaluations including adversarial testing and must report serious incidents while ensuring adequate cybersecurity measures.

When will provisions of the Artificial Intelligence Act enter into force in the European Union?

The regulation entered into force on the 1st of August 2024 twenty days after being published in the Official Journal on the 12th of July 2024. Provisions come into operation gradually over six to thirty-six months with bans taking effect after six months and high-risk system obligations having a thirty-six-month implementation window.

All sources

55 references cited across the entry

  1. 2press releaseAI Act enters into forceEuropean Commission — 1 August 2024
  2. 3webTimeline of DevelopmentsFuture of Life Institute
  3. 6webThe Artificial Intelligence Act: A Quick ExplainerBenjamin Mueller — 2021-05-04
  4. 7journalRegulating artificial intelligence in the EU: A risky gameDimitar Lilkov — 2021
  5. 8webEU agrees landmark rules on artificial intelligenceJavier Espinoza — December 9, 2023
  6. 14webIs your AI trying to make you fall in love with it?Maximilian Henning — 2025-08-27
  7. 15journalThe Fundamental Rights Impact Assessment (FRIA) in the AI Act: Roots, legal obligations and key elements for a model templateAlessandro Mantelero — 2024
  8. 16citationBeyond Data. Human Rights, Ethical and Social Impact Assessment in AIAlessandro Mantelero — Springer-T.M.C. Asser Press — 2022
  9. 25webThe EU AI Act: National Security ImplicationsRosamund Powell — 31 July 2024
  10. 28journalExamining the EU's Artificial Intelligence ActPaul Friedl et al. — 2024-02-07
  11. 33journalDemystifying the Draft EU Artificial Intelligence Act — Analysing the good, the bad, and the unclear elements of the proposed approachMichael Veale et al. — 2021-08-01
  12. 34journalCybersecurity certification of Artificial Intelligence: a missed opportunity to coordinate between the Artificial Intelligence Act and the Cybersecurity ActFederica Casarosa — 2022-06-01
  13. 35ssrnHow the EU Can Achieve Legally Trustworthy AI: A Response to the European Commission's Proposal for an Artificial Intelligence ActNathalie A. Smuha et al. — 2021-08-05
  14. 36journalThe European Commission's Proposal for an Artificial Intelligence Act—A Critical Assessment by Members of the Robotics and AI Law Society (RAILS)Martin Ebers et al. — December 2021
  15. 37ssrnThe EU AI Act: Between Product Safety and Fundamental RightsMarco Almada et al. — 27 October 2023
  16. 38journalGenerative AI and deepfakes: a human rights approach to tackling harmful contentFelipe Romero-Moreno — 29 March 2024
  17. 39journalDeepfake detection in generative AI: A legal framework proposal to protect human rightsFelipe Romero-Moreno — 23 June 2025
  18. 42webTimeline – Artificial intelligenceEuropean Council — 9 December 2023
  19. 44webThe EU AI Act passed — now comes the waitingEmilia David — 2023-12-14
  20. 53journalRegulating AI with Purpose Limitation for ModelsRainer Mühlhoff et al. — 2024