The EU AI Act: What you need to know

Who does the AI Act apply to?

The EU AI Act applies to businesses who create or use AI systems. It also affects those who sell, distribute or import AI systems. It applies to entities within the EU and also developers, deployers, importers and distributors of AI systems outside the EU if their systems’ output occurs within the EU.

The AI Act adopts a risk-based approach and classifies AI systems into risk categories based on their potential use, as well as the potential impact on individuals and society.

Certain obligations are also expected for providers of general-purpose AI models, including large GenAI models such as ChatGPT and Bing Chat.

Providers of free and open-source models are exempt from most of these obligations. However, this exemption does not cover obligations for providers of general-purpose AI models with systemic risks. For example, if you use a Gen AI model as part of a process that could ultimately lead to outputs that were deemed high-risk, the use case would be treated as high-risk.

Obligations do not apply to research, development and prototyping activities preceding release on the market—for example, developing use cases that have not entered into production. It also does not apply to AI systems that are exclusively for military, defence or national security purposes regardless of the type of entity carrying out those activities.

What are the risk categories?

To introduce a proportionate and effective set of binding rules for AI systems, a risk-based approach has been defined by the European Commission. There are four risk categories:

• Unacceptable risk
• High risk
• Limited risk
• Minimal risk

These are determined by the intended purpose of the AI system, the commensurate risk of harm to the fundamental rights of people, the severity of possible harm and the probability of occurrence. Specific transparency requirements and systemic risks are specifically called out in the Act. Potential uses that fall under each of the four risk categories are outlined below.

Unacceptable risk

• Social scoring for public and private purposes.
• Exploitation of vulnerabilities of persons and the use of subliminal techniques.
• Real-time remote biometric identification in publicly accessible spaces by law enforcement, subject to narrow exceptions.
• Biometric categorisation of natural persons based on biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs or sexual orientation. Filtering of datasets based on biometric data in the area of law enforcement will still be possible.
• Individual predictive policing.
• Emotion recognition in the workplace and education institutions unless for medical or safety reasons (i.e. monitoring the fatigue levels of a pilot).
• Untargeted scraping of the internet or CCTV for facial images to build or expand databases.

High risk

• Essential private and public services (e.g. financial institutions using credit scoring models that could deny citizens the opportunity to obtain a loan).
• Employment, management of workers and access to self-employment (e.g. CV-sorting software for recruitment procedures).
• Critical infrastructures (e.g. transport) that could put the life and health of citizens at risk.
• Educational or vocational training that may determine access to education and the professional course of someone’s life (e.g. the scoring of exams).
• Safety components of products (e.g. AI applications in robot-assisted surgery).
• Law enforcement that may interfere with people’s fundamental rights (e.g. evaluation of the reliability of evidence).
• Systems intended to be used to make or substantially influence decisions on the eligibility of natural persons for health and life insurance..
• Migration, asylum and border control management (e.g. verification of authenticity of travel documents)..
• Administration of justice and democratic processes (e.g. applying the law to a concrete set of facts).

Limited risk

Compliance obligations are lighter, focusing on transparency. Users must be informed when dealing with an AI system unless the outputs are obviously generated by AI at face value. Examples of uses are as follows:

• The user should be aware that they are interacting with a chatbot.
• Use of deep-fakes that can easily be determined as a deep-fake.

Minimal risk

AI systems not falling into the three categories mentioned above are not subject to compliance under the EU AI Act. The primary focus for technology providers will be the high-risk and limited risk categories. All other AI systems can be developed and used subject to existing legislation without any additional legal obligations. An example of a minimal risk is:

• Use of AI within video games.

Other risks that must be considered include:

• Specific transparency risk: Specific transparency requirements are imposed for certain AI systems—for example, where there is a clear risk of manipulation (such as with the use of chatbots). Users should be aware that they are interacting with a chatbot.
• Systemic risks: Systemic risks that could arise from general-purpose AI models, including large GenAI models. These can be used for a variety of tasks and are becoming the basis for many AI systems in the EU. Some of these models could carry systemic risks if they are highly capable or widely used. For example, powerful models could cause serious accidents or be misused for far-reaching cyberattacks. Many individuals could be affected if a model propagates harmful biases across many applications.

What are the obligations for providers of high-risk AI systems?

Before placing a high-risk AI system on the EU market or otherwise putting it into service, providers must subject it to a conformity assessment. This will allow them to demonstrate that their system complies with the mandatory requirements for trustworthy AI (e.g. data quality, documentation and traceability, transparency, human oversight, accuracy, cybersecurity and robustness). This assessment has to be repeated if the system or its purpose are substantially modified.

Providers of high-risk AI systems will also have to implement sufficient AI governance, particularly around quality control and risk management of the AI system, to ensure compliance with the new requirements and minimise risks for users and affected persons—even after a product is placed on the market.

High-risk AI systems that are deployed by public authorities or entities acting on their behalf will have to be registered in a public EU database.

When will the AI Act be fully applicable?

Following its adoption by the European Parliament and European Council, the EU AI Act will come into force 20 days after its publication in the Official Journal. It will become fully applicable 24 months after entry into force, with a staggered approach as follows:

• Six months: prohibited systems will need to be phased out no later than six months after the legislation comes into force.
• 12 months: obligations for general-purpose AI governance will apply.
• 24 months: all rules of the AI Act apply, including obligations for high-risk systems defined in Annex III in the Act (list of high-risk use cases).
• 36 months: obligations for high-risk systems defined in Annex II (list of EU harmonisation legislation) apply.

What are the penalties for infringement?

Penalties for non-compliance are severe and will be enforced by the designated AI authority within a given EU member state.

The Act sets out thresholds as follows:

• Up to €35m or 7% of the total worldwide annual turnover of the preceding financial year (whichever is higher) for infringements on prohibited practices or non-compliance related to requirements on data.
• Up to €15m or 3% of the total worldwide annual turnover of the preceding financial year for non-compliance with any of the other requirements or obligations of the regulation, including infringement of the rules on general-purpose AI models.
• Up to €7.5m or 1.5% of the total worldwide annual turnover of the preceding financial year for the supply of incorrect, incomplete or misleading information to notified bodies and competent national authorities in reply to a request.
• For each category of infringement, the threshold will be the lower of the two amounts for SMEs and the higher of the two for other companies.

To harmonise national rules and practices in setting administrative fines, the Commission will draw up guidelines with advice from the EU AI Board.

We are here to help 

The EU AI Act is a comprehensive and intricate piece of legislation. Our Trust in AI team is ready to guide you in adopting AI practices that align with the EU AI Act. Whether it’s compiling your AI exposure register or implementing robust AI governance, we can help you effectively manage the risks associated with AI. In doing so, you can fully embrace the benefits AI brings. Reach out to our multidisciplinary team of experts to see how we can help.