Search for:
Cybersecurity, Data and Tech

European Union: AI Act provisions applicable from February 2025

By and 3 Mins Read

In brief

The AI Act introduces a comprehensive legal framework for companies dealing with AI systems in the EU. From 2 February 2025, companies subject to the regulation must take steps to ensure AI literacy and ensure that no prohibited AI practices are used. Non-compliance could lead to substantial fines.
 

The applicability of Chapter I and Chapter II of the AI Act

EU Regulation 2024/1689 (“AI Act“) establishes a uniform legal framework for the development, the placing on the market, the putting into service, and the use of artificial intelligence systems (“AI systems“) within the Union. The AI Act entered into force on 1 August 2024, with its rules becoming applicable at a later date. In particular, the first two chapters of the AI Act will become applicable on 2 February 2025, for which companies must make the necessary preparations. Below is a brief summary of the provisions contained within these chapters:

  1. Chapter I – AI Literacy
    Chapter I includes general provisions, outlining the scope of the AI Act and providing definitions. Article 4 of the AI Act imposes a practical obligation on companies that provide or deploy AI systems, to ensure mandatory AI literacy within the companies.
    AI literacy means skills, knowledge and understanding that allow providers, deployers and affected persons to make an informed deployment of AI systems, as well as to gain awareness about the opportunities and risks of AI and possible harm it can cause.
    To meet the AI literacy requirements, companies that provide and deploy AI systems must take measures to ensure a sufficient level of AI literacy of their staff and also other persons dealing with the operation and use of AI systems on their behalf. This in practice, means promptly organizing training and education for everyone involved in the AI provision, use and deployment chain within the company.
  2. Chapter II – Prohibited AI practices
    The chapter on prohibited AI practices also becomes applicable on 2 February 2025. Practices listed in this chapter are prohibited from 2 February 2025. Examples of such practices include:
  • AI systems that deploy subliminal techniques beyond a person’s consciousness or purposefully manipulative or deceptive techniques, with the objective, or the effect of materially distorting behavior;
  • AI system that exploits any of the vulnerabilities of a natural person or a specific group of persons with the objective, or the effect, of materially distorting the behaviour of that person(s);
  • AI systems that infer emotions in workplaces or educational settings; and
  • AI systems that create or expand facial recognition databases from internet images or CCTV footage.

Non-compliance with rules on prohibited AI practices could lead to administrative fines up to EUR 35,000,000 or 7% of the company’s global annual turnover. Other sanctions, including sanctions for non-compliance with AI literacy can be established by the member states.

Click here to access our previous alert on AI Act timelines.

Categories:
Tags:
Author

Csaba Vári is the head of the IPTech Practice Group in Budapest.
With more than 20 years of experience Csaba represents Hungarian and multinational companies in many business sectors (e.g., automotive, manufacturing, bank, insurance, trade, pharma, real estate, IT) on a broad range of business law, including data privacy and cybersecurity issues, compliance investigations, whistleblowing, and different areas of digitization related matters, such as online marketplaces, connected cars, electronic signatures, social media and applications, as well as online payment services and crypto assets, NFTs.
Csaba has particularly broad experience in the field of data protection; he provides legal advice to our clients in connection with the EU General Data Protection Regulation (GDPR) and relevant Hungarian laws and provides complex assessments of companies' data processing activities and assists our clients in introduction of GDPR compliant data processes and policies.
Csaba also assists clients in connection with Data Subject Access Rights related matters, Intra Group Data Transfer Agreements, transfers of personal data to third countries, and assessments of legal basis for data processes (e.g., legitimate interest balancing tests, data privacy impact assessments).
Csaba assists his clients in addressing legal issues in connection with processing of consumer and employee data, and data privacy aspects of online applications.
His area of expertise includes advising on operation of surveillance systems, and preparation and operation of whistleblowing schemes. Csaba advises clients in connection with the transposition of the Whistleblowing Directive into Hungarian law.
Csaba has particular experience in the area of cyber investigations and cyber incident management.
He represents clients before the National Authority for Data Protection and Freedom of Information (Hungarian DPA) in connection with data breach reporting and registering Data Protection Officers.
Csaba regularly publishes articles and holds presentations and continued legal education courses in connection with legal aspects of data protection and digitization, as well as the Whistleblowing Directive and its Hungarian transposition laws.
Csaba is a member of the Budapest Bar since 2003 and a Certified Information Privacy Professional/Europe (CIPP/E) and Certified Information Privacy Manager (CIPM) by the International Association of Privacy Professionals (IAPP).

Author

Anna Howe is an Associate in Baker McKenzie, Budapest office.

Related Posts