By Martin U. Wissmath and Cameron A. Axford

1.1.  First EU AI Act Provisions Come into Effect February 2025

The European Union (EU) Regulation (EU) 2024/1689, known as the AI Act, is now in force, marking the world’s first comprehensive legislation aimed at regulating artificial intelligence (AI) systems. The European Parliament passed the AI Act on March 13, 2024, as reported in the March 2024 Charity & NFP Law Update, and it was signed on June 13, 2024. The AI Act complements existing laws like the General Data Protection Regulation (GDPR), and establishes obligations for AI providers and deployers to address risks not fully covered by existing frameworks. Officially in force as of August 1, 2024, its implementation will occur in stages, with the most significant provisions applying between 2025 and 2027.

The first provisions of the AI Act come into effect On February 2, 2025. Much like the GDPR, it will apply not only to those in the EU, but organizations around the globe who do commercial and non-commercial activities with those in the EU. It is therefore essential that Canadian charities and not-for-profits understand their obligations.

The AI Act provides clear definitions and introduces a risk-based regulatory framework to manage AI-related risks, categorized into four levels: unacceptable, high, limited and minimal risk.

Providers (developers or manufacturers) face stricter responsibilities, such as meeting data quality and transparency standards, while deployers (users of AI systems) must ensure proper implementation and compliance.

The AI Act’s provisions will be phased in over time:

• August 1, 2024: The Act takes effect but imposes no immediate requirements.
• February 2, 2025: Prohibitions on unacceptable-risk AI systems begin. For context, unacceptable risk AI systems include those that present significant health/safety risks to individuals or their civil/privacy rights, including systems which facilitate social credit/social scoring systems or invasive biometric systems like real-time facial recognition.
• August 2, 2025: Rules for general-purpose AI, governance, confidentiality, penalties, and “notified bodies” (designated independent organizations that assess compliance with legislation) come into force.
• August 2, 2026: Most remaining provisions apply, including those for high-risk systems, which are those with safety or fundamental rights implications, such as AI in critical infrastructure, education, worker management, or medical devices, and systems regulated by other EU product safety laws.
• August 2, 2027: Final provisions become effective.

The AI Act applies to providers, deployers, importers, distributors, and manufacturers linked to the EU market. It also has extraterritorial reach, covering non-EU companies if their AI outputs are used within the EU. Canadian companies offering AI systems to EU users must assess whether their systems fall into the prohibited, high-risk, or general-purpose AI categories and comply accordingly. Notably, free and open-source AI systems are generally excluded unless classified as high-risk or prohibited. The AI Act also does not apply to research and development prior to market entry, nor to AI systems “specifically developed and put into service for the sole purpose of scientific research and development.”

The AI Act addresses many challenges posed by AI but acknowledges the need for ongoing regulatory development. Although existing EU directives cover employee protections, stakeholders argue for updates to address AI-specific risks more explicitly. As industries continue to adopt AI technologies, calls for either new laws or adjustments to existing regulations grow. This evolving landscape increases the complexity of legal compliance, requiring organizations to stay informed and proactive in meeting their international obligations.

​Read the January 2025 Charity & NFP Law Update