After three years of legislative work, the EU Artificial Intelligence Act (‘AI Act’) was finally published in the Official Journal on July 12, 2024, becoming the world’s first comprehensive artificial intelligence (AI) regulation.
With this post, we begin a series covering the AI Act, where we will explore specific aspects and delve deeper into the most interesting topics. To put these discussions into perspective, let’s start with some basics, covering six key questions.
While substantive changes have been made to the regulation during the legislative process, the general goal has remained the same: to maximise Europe’s potential to compete globally, fostering investment in AI and innovation, while making sure that AI technologies work for people and are a force of good in society. Hence, the AI Act aims to manage and mitigate those risks that AI may present to society if left unchecked, such as risks to the health, safety and fundamental rights and freedoms of natural persons, as well as risks to public interests (e.g., public health, protection of critical infrastructure, environmental impact etc.). The ambition is to manage these risks appropriately, focusing on robust and trustworthy AI, without creating an unnecessary burden that might unnecessarily stifle innovation.
Notably, the AI Act does not cover AI liability issues, which will be addressed in the planned AI Liability Directive. Thus, the AI Act does not cover rules of liability for damages caused by an output of an AI system. Also, the AI Act does not provide answers to questions related to potential copyright infringements, such as using copyrighted works for AI training or outputs that closely resemble the original works of authors.
The AI Act can be seen as a type of product regulation, which will apply to artificial intelligence systems and general-purpose AI models in all sectors and domains. This said, the regulation does not treat all the AI systems in the same way. The rules mainly focus on certain AI systems that are incorporated in a product or are themselves a product that is already regulated under other EU product rules, as well as on AI systems that are not subject to existing product regulation, but are stand-alone systems that present a high level of risk. For stand-alone systems, the high risk is linked to specific use cases or application domains, such as biometric identification and categorisation, emotion recognition, critical infrastructure, education and vocational training, employment, access to public services, law enforcement, migration, border control and justice to name a few.
For what concerns AI systems that are that are incorporated in a product or are themselves a product that is already regulated under other EU product rules, there are two sets of relevant legislation. For some products, covered in Annex I, section A, the AI Act will complement the existing rules on specific products that may constitute or incorporate AI, such as medical devices or machines, which are already covered by the Medical Device Regulation or the Machinery Directive respectively. In those cases, products must comply with AI Act in addition to those rules.
For certain other products, namely those covered by Section B of Annex I, the AI Act does not apply directly, but the AI Act’s requirements for high-risk AI systems will be indirectly added when the European Commission adopts delegated acts under those sectoral laws. Examples include cars and other types of motor vehicles using AI as safety components.
More specifically, the AI Act covers:
Harmonised rules for the placing on the market, the putting into service, and the use of AI systems in the Union;
Prohibitions of certain AI practices;
Specific requirements for high-risk AI systems and obligations for operators of such systems;
Harmonised transparency rules for certain AI systems;
Harmonised rules for the placing on the market of general-purpose AI models;
Rules on market monitoring, market surveillance, governance and enforcement;
Measures to support innovation, with a particular focus on SMEs, including start-ups.
The AI Act will apply to AI systems put on the EU market. This means that also providers located outside of EU will have to comply with its rules, if they want to make their AI products available in the EU.
There are however some exceptions. For example, AI Act does not apply to:
AI systems exclusively for military, defence or national security purposes;
AI systems released under free and open-source licences, unless they are placed on the market or put into service as high-risk AI systems, if they fall in the scope of prohibited AI Practices or of specific transparency obligations for providers and deployers of certain AI systems;
Users who are natural persons using AI systems for their purely personal non-professional activity;
AI systems or AI models, including their output, specifically developed and put into service for the sole purpose of scientific research and development.
Note that many low-risk AI systems are not subject to any specific rules under the AI Act at all. Therefore, understanding the qualification of any AI project is essential to know whether it is subject to the new act or not.
Under the AI Act, an ‘AI system’ is a machine-based system that:
Is designed to operate with varying levels of autonomy and that;
May exhibit adaptiveness after deployment, and that;
For explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.
Key characteristic of AI systems is their capability to infer. Hence, the term does not cover systems that are based on the rules defined solely by natural persons to automatically execute operations.
Nonetheless, the AI Act’s definition of AI systems, modelled on the OECD’s conceptualization of AI, remains very broad, meaning that many organizations are likely using AI systems, sometimes perhaps without realizing this. Many well-known and established software suites contain AI features that match this definition, and may therefore attach obligations under the AI Act for their users.
The requirements under AI Act are mostly directed at so called ‘operators’. This is a diverse group of stakeholders, which participate in developing and being in a supply chain of AI. They include:
Deployers | Use an AI system under their authority. The main exception here is where the AI system is used in the course of a personal non-professional activity. |
Providers | Develop an AI system or a general-purpose AI model and place it on the market under own name (for the first time). |
Importers | Are entities located or established in the Union that place an AI system on the market that bears the name or trademark of a natural or legal person established in a third country. |
Distributors | Are parties in the supply chain, other than the provider or the importer, that make an AI system available in the EU. |
Product manufacturers | Place an AI system on the market or put it into service together with their (main) product and under their own name or trademark. |
Authorized representatives | Have a written mandate from a provider of an AI system or a general-purpose AI model. |
Most companies experimenting with AI in the course of their normal non-AI related core activities will qualify as deployers. They’ll merely use an existing system for their own business interests. However, the AI Act imposes obligations on deployers as well, namely when they use a high-risk AI system, or when they use an AI system that has the potential to mislead or otherwise negatively impact the persons it interacts with, for example deepfakes, emotion recognition systems.
More advanced stakeholders may develop their own AI systems (from scratch or based on existing models) and be qualified as a provider.
In addition, any party, including deployers, may be requalified or considered as a provider if they:
Put their name or trademark on an high-risk AI system that has already been placed on the market or put into service for the first time;
Make a substantial modification to an high-risk AI system that has already been placed on the market or put into service in a way that remains high risk;
Modify the intended purpose of an AI system, including a general purpose AI system, which has not been classified as high risk and has already been placed on the market or put into service in such a manner that the AI system becomes an high-risk AI system.
The AI applies so-called ‘risk based approach’, applying different levels of regulation, depending on the assigned level of inherent risk that the AI systems poses to health, safety and fundamental rights. It can be depicted as shown below.
Source: https://www.cnil.fr/en/entry-force-european-ai-regulation-first-questions-and-answers-cnil
Type | Examples | Main requirements |
---|---|---|
Prohibited AI systems: Unacceptable risk as it violates EU fundamental rights and values. | Examples are AI systems that:
| Deployment of such AI systems in the EU is forbidden. |
High-risk AI systems: High risk as it impacts health, safety or fundamental rights. |
| Various requirements including as regards risk management, the quality and relevance of data sets used, technical documentation and record-keeping, transparency and the provision of information to deployers, human oversight, and robustness, accuracy and cybersecurity. Type of requirements vary between different operators. |
Sui generis risk AI systems: Risk of deception. |
| Mostly transparency requirements to avoid risk of deception. |
Other AI systems: |
| Not regulated by AI Act, but consumer protection and product safety rules apply. |
Additionally, the AI Act also regulates general-purpose AI (GPAI) models. Those are models that have a wide range of possible uses (for example, large language models such as GPT-4, etc.). They are subject to a tiered approach depending on whether it is a GPAI model with systemic risk on the EU level because of its capabilities and potential impact or a ‘normal’ GPAI model.
The AI Act was published in the EU’s Official Journal on 12 July 2024 and will enter into force 20 days after publication, meaning 1 August 2024. As a general rule, the AI Act shall apply from 2 August 2026. However, some notable exceptions apply:
Date | Rules |
---|---|
2 February 2025 | Bans concerning prohibited AI systems will take effect. |
2 August 2025 | Requirements concerning general-purpose AI will apply. |
2 August 2027 | Requirements applicable to AI systems which are safety components of products, or products themselves covered by the Union harmonisation legislation (listed in Annex I) enter into force. Please note that the requirements for stand-alone high-risk use cases or application domains listed in Annex III will apply one year earlier (subject to general AI Act application rule). |
For high-risk AI systems that have been placed on the market or put into service before 2 August 2026, the AI Act will apply only if, from that date, those systems are subject to ‘significant changes in their design’. Regardless of any changes, all high-risk AI systems intended for use by public authorities must fully comply with the new regulation by 2 August 2030 at the latest.
This means that in principle, existing systems have some additional time before the AI Act applies, which also means that users (deployers) have to think in first instance only about new systems they take into operation or systems that have been significantly altered after 2 August 2026.
There is however an important sidenote to be made here. The notion of ‘significant change in the design’, covers any change to an AI system that was not foreseen or planned in the initial compliance work (and so-called conformity assessment) under the AI Act, and that affects the compliance of the system or results in a modification of the intended purpose. In particular, a change that ‘affects’ compliance seems to be a relatively low bar. Adding new functionalities through an update after 2 August 2026 for example, extending the initial capabilities of the system, may not necessarily feel like a significant design change from the user perspective. Still, may be enough to trigger new and additional compliance concerns if they were not already planned and accounted for in the original compliance work. If this threshold is met, both provider and deployer obligations will immediately apply to this existing system.
Lastly, the AI Act is not a self-contained piece of legislature. On the contrary, it contains numerous delegations addressed to the European Commission, the European Artificial Intelligence Board and the AI Office for implementing acts, guidelines, recommendations or standardized templates, among others.
Follow us for more information about AI Act and to read the upcoming episodes, where we will focus on specific AI Act compliance topics.