Look, after years of haggling, folks thought the EU AI Act was basically done-deal once it hit the Official Journal back in July. Tech giants exhaled, startups penciled in compliance calendars, and Brussels patted itself on the back for taming AI.
But here’s the twist — and it’s a doozy. The real grind starts now for the European Commission, aka the shiny new AI Office. They’ve got 130 responsibilities staring them down, from drafting 39 bits of secondary legislation to enforcing rules across the bloc. Deadlines? Kicking off February 2025 for bans on rogue AI, ramping to full enforcement by August 2026. Change things? Absolutely. This isn’t some victory lap; it’s a bureaucratic marathon where Europe’s AI dreams could trip on red tape.
I’ve seen this movie before. Remember GDPR? Commission promised the world, drowned in delegated acts, and two years post-rollout, we’re still patching holes while Big Tech lawyers feast on ambiguities. Same script here.
In total, I have identified 130 responsibilities for the Commission: Table A: 39 tasks… Table B: 39 pieces of secondary legislation…
That’s Kai Zenner laying it bare — crossposted from his deep dive, but reformatted for sanity. Guy spent weeks parsing the Act and the AI Office Decision. His tables? Gold for SMEs and watchdogs too broke to track it themselves.
Can the AI Office Even Build Itself in Time?
Start with governance. By February 2024 — wait, that’s already past — they needed to kick off staffing the AI Office. Nah, slipped a bit, but whatever. Real pressure hits August 2026 for full Act applicability. Meanwhile, 39 setup tasks: codes of practice, benchmarks, guidelines. Some due nine months in, others 12. Delegated acts on high-risk classifications? Discretionary, but don’t kid yourself — lobbyists are lining up.
And enforcement? 34 categories start February 2025. Market surveillance, investigations, fines up to 7% global turnover. Public authorities get grace till 2030 on legacy high-risk systems, but GPAI models placed pre-August 2025 gotta comply by 2027. Legacy stuff lingers — Annex X IT systems till 2030. Smart carve-outs, or sneaky delays?
Short para: It’s a lot.
Now, dig deeper. Table B’s the killer: 8 delegated acts (think GPAI transparency rules), 9 implementing acts (technical standards), 9 guidelines (on everything from systemic risk to codes of conduct). Plus templates, benchmarks, even a standardization request to CEN/CENELEC. Deadlines scatter — some 12 months post-entry (August 2025), others six for prohibitions. Commission discretion on many means… who knows. They’ll prioritize what suits the narrative.
But cynicism check: Who’s making money? Not SMEs scrambling for compliance checklists. Consultants, lawyers, notified bodies (ramping Chapter III by August 2025). Big Tech? They’ll fund the codes of practice, shape ‘em their way. Historical parallel — GDPR’s Article 29 WP became a lobby playground before EDPS took over. AI Office? Same risk. My bold prediction: By 2027, we’ll see ‘interim measures’ as deadlines slip, handing US hyperscalers a head start while Europe fiddles.
Transition periods muddle it further. Act enters force August 1, 2024 — check. Applies August 2, 2026. But prohibitions (bans on social scoring, manipulative AI)? February 2025, six months in. GPAI rules (think your favorite LLM)? August 2025, 12 months. High-risk Annex I stuff? 36 months, August 2027.
Legacy mercy rules: High-risk AI already out? Comply on ‘significant changes,’ or by 2030 if public sector. GPAI pre-2025? 2027 deadline. Assumes post-2026 placements for strict timelines — got it.
Why Deadlines Feel Like Pipe Dreams
Panel chatter pegged 70 acts; Zenner’s at 39 secondary plus more. Slow AI Office buildup — bureaucratic hiring freezes, inter-service squabbles — spells doom. Ex-post evals run 2025-2031, 18 tasks checking if the Act’s working. By then, AI’s morphed into AGI territory, rendering it moot.
Corporate hype? Commission talks ‘world’s first comprehensive AI law’ like it’s live already. Spin. Enforcement’s national too — member states handle most boots-on-ground, per Zenner’s companion post. But Commission’s the quarterback: harmonized rules, EU database, joint probes.
Wander a sec: Imagine you’re a Berlin startup with GPAI. August 2025, you need those guidelines or you’re blind. Miss ‘em? Fines loom, but so does competitive freeze-out.
Dense para time. Enforcement categories? Testing infra setup by 2025, AI-on-AI oversight, incident reporting portals, cross-border case coordination — 34 flavors, phased in. Fines structured: up to €35M or 7% for prohibitions, tiered down for others. Confidentiality shields (Article 78) kicks 2025, penalties same year. But who polices the police? AI Office reports to Commission president, advisory committee watches. Layers on layers.
Punchy: Europe’s betting big on rules-first AI.
Unique spin — unlike GDPR’s data focus, AI Act’s risk-based tiers (unacceptable, high, limited, minimal) demand constant Commission tweaking. Systemic risk GPAI? Compute thresholds, eval summaries — all Commission turf. Prediction: First big miss on a delegated act (say, multimodal model rules) triggers 2026 lawsuits, forcing interim national patches. Big Tech cheers from afar.
What Happens if They Miss Deadlines?
Chaos, mostly. No secondary acts? High-risk conformity assessments stall — notified bodies wait on Chapter III rules. GPAI transparency? Guesswork till guidelines drop. Watchdogs like civil society (shoutout Zenner’s list) can now ping: ‘Hey, Table B item 7 due yet?’ Accountability nudge.
For devs: Codes of practice voluntary but gold standard. Miss ‘em, and audits bite harder. SMEs? Prioritize prohibitions first — February 2025 no-go on emotion recognition at work, untargeted scraping.
Cynical close: Commission’s plate’s overflowing because politicians wanted ‘regulation theater.’ Real enforcement? Years out. Meanwhile, who’s winning? The ones writing the codes — hello, OpenAI, Google.
**
🧬 Related Insights
Frequently Asked Questions**
What are the European Commission’s main responsibilities under the AI Act?
130 total: governance setup, 39 secondary laws (delegated/implementing acts, guidelines), enforcement, and evaluations through 2031. Key deadlines cluster 2025-2026.
When does the EU AI Act fully apply?
Enters force August 1, 2024; full applicability August 2, 2026. Prohibitions February 2025, GPAI August 2025.
What is the AI Office and what does it do?
Commission’s enforcement arm: drafts rules, runs EU-level surveillance, coordinates member states, handles systemic risks.
