EU AI Act: deadline for prohibited AI systems is fast approaching
31 January 2025

31 January 2025
Sunday 2 February marks a significant step in the ongoing story of AI regulation when the first key provisions take effect. From this date, marketing or using AI systems which are seen as posing an unacceptable risk will be prohibited in the EU. Prohibited systems include those which use subliminal, manipulative, deceptive or exploitative techniques; systems for "social scoring"; anything which profiles individuals to predict their risk of committing a crime; systems which create or expand facial recognition databases; and systems which infer emotions in work or education settings. Biometric categorisation systems which categorise natural persons to deduce or infer certain personal characteristics are also banned – although limited exceptions apply to biometric identification for law enforcement purposes. Breaching this ban may lead to a fine up to the higher of EUR 35,000,000 and 7% of global annual turnover.
In addition to prohibitions on unacceptable risk systems, Sunday 2 February marks the deadline for organisations using AI systems of any kind to ensure they are meeting the Act’s AI literacy requirements. This mandates that organisations have taken steps to ensure the adequate training and upskilling of individuals and teams that are operating AI systems. If they haven’t already, businesses should ensure that AI training and learning programmes have been adequately designed and rolled out to those using AI, with effective monitoring in place to confirm its completion. For organisations that have recently rolled out generative AI-backed platforms, this is likely to have a far reaching scope.
Currently, despite industry comment, many open questions remain about the interpretation of the AI Act. Although the Commission has promised guidelines to help providers with compliance by early 2025, and has consulted on the topic, nothing has yet been published, and of course no case law exists on this novel topic. Meanwhile, compliance must be seen as a continuing task. Pre-2 February, businesses should review any existing inventory of their AI systems and their current AI use policy to identify any last-minute compliance gaps and stop the use of any prohibited systems. They should also ensure they have a plan in place for ongoing AI literacy of staff.
As the rest of the AI Act comes into effect in stages, the regulatory framework in Europe will change significantly. This comes at a time when other jurisdictions, in particular the US (and to a lesser extent the UK) are signalling a move away from regulation, which may well accelerate in response to competition from elsewhere. The extent of the resulting divergence remains to be seen.
Businesses should therefore use this deadline as a prompt to start working through a plan for compliance. With approximately 18 months until the more substantive deadline for the rest of the Act, businesses need to start commencing at a minimum their discovery and cataloguing exercises to identify potential AI systems and use cases. This exercise will likely take significant amount of time given the challenges that will need to be faced into, for example many organisations have been procuring and/or building AI systems for a number of years, are unlikely to have central registers and are going to need to engage extensively with third parties.
This publication is a joint publication from Ashurst LLP and Ashurst Risk Advisory LLP, which are part of the Ashurst Group.
The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.
Ashurst Risk Advisory LLP is a limited liability partnership registered in England and Wales under number OC442883 and is part of the Ashurst Group . Ashurst Risk Advisory LLP services do not constitute legal services or legal advice, and are not provided by qualified legal practitioners acting in that capacity. Ashurst Risk Advisory LLP is not regulated by the Solicitors Regulation Authority of England and Wales. The laws and regulations which govern the provision of legal services in other jurisdictions do not apply to the provision of risk advisory services.
For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com.
This material is current as at 31 January 2025 but does not take into account any developments after that date. It is not intended to be a comprehensive review of all developments in the law or in practice, or to cover all aspects of those referred to, and does not constitute professional advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.