mai 21 2024

EU AI Act Adopted


Today, on May 21, 2024, the last missing approval for the EU AI Act was given by the European Council. The text of the law is final and will be published in the coming days. Here we summarize key points as well as note potential impacts on businesses.

Staggered timeline of application

  • Provisions on banned AI systems will start applying within 6 months of publication of the text – very likely still this year;
  • Provisions on general purpose AI systems (GPAI) will start applying 1 year after adoption;
  • The bulk of the obligations will start applying 2 years after adoption, with some of these obligations applying 3 years after adoption (particularly those relating to high-risk AI systems that are safety components in products regulated in EU product safety legislation).

Potential impact of the EU AI Act on US companies

  • US and global companies that use AI anywhere could be subject to the EU AI Act if the output of the system is used in the EU.
  • For example, if a US company uses an AI tool to filter CVs for a job vacancy in the EU, that means that the output will be used in the EU, and the EU AI Act will apply.
  • Another example is a high-risk AI system developed in the US and integrated into a product (e.g., in a connected vehicle) that is then sold in the EU.

Different set of obligations apply depending on the scenario

  • For each AI system being developed or used, companies will need to assess several aspects in order to determine their obligations, if any, arising from the EU AI Act:
      • What their role is with regard to the AI system (as a provider, deployer, importer or distributor)
      • The type of AI, in particular, whether the system is general purpose AI or not
      • For general purpose AI, whether there is systemic risk
      • For other AI systems, what the level of risk is (unacceptable, high risk, limited risk, low risk, or no risk)
  • For example, providers of high-risk AI systems will have to conduct conformity assessments and comply with extensive compliance obligations (e.g., relating to cybersecurity, privacy, data governance, risk and quality management, and technical documentation).
      • In contrast, deployers of limited-risk systems like chatbots only have to comply with transparency obligations under the EU AI Act.

Impact on technology transactions like the purchasing of AI, white-labeling, and outsourcing

  • The EU AI Act will likely help businesses purchasing AI because it will clearly stipulate which obligations fall on providers of those systems (which will be the most extensive obligations).
  • Terms and conditions of providers of AI systems will need to be amended to reflect that, and technical documentation will need to be provided by the provider of the system, and attached to the contract, so that the deployer of the system can follow any applicable instructions.
  • In addition, the provider will want the contract to clarify those obligations that fall on the deployer of the system (e.g., data governance obligations if the deployer is the one in control of the data that is input into the system). So the purchasing of AI systems will likely undergo some contractual changes with the adoption of the EU AI Act.
  • Additional interesting questions relate to the allocation of obligations between providers (e.g., if an AI system is sold by a company other than the developer, under its trademark) or between deployers (e.g., in outsourcing, if a vendor of a company uses AI, and both are likely to be considered deployers). Another question is whether liability for a violation of the EU AI Act can fall on the contractual party in these scenarios. We will address these and other questions in upcoming presentations and publications.


For help complying with the EU AI law, contact one of the authors or your regular Mayer Brown contact. We have been advising clients leveraging our system to assess their highest AI risks—a method that considers their specific business models—and helping them establish robust AI governance.

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.