AI Act

The AI Act aims to provide AI developers and deployers with clear requirements and obligations regarding specific uses of AI. At the same time, the regulation seeks to reduce administrative and financial burdens for business, in particular small and medium-sized enterprises (SMEs).

The AI Act is part of a wider package of policy measures to support the development of trustworthy AI, which also includes the AI Innovation Package and the Coordinated Plan on AI. Together, these measures will guarantee the safety and fundamental rights of people and businesses when it comes to AI. They will also strengthen uptake, investment and innovation in AI across the EU.

The AI Act is the first-ever comprehensive legal framework on AI worldwide. The aim of the new rules is to foster trustworthy AI in Europe and beyond, by ensuring that AI systems respect fundamental rights, safety, and ethical principles and by addressing risks of very powerful and impactful AI models.

Why do we need rules on AI?

The AI Act ensures that Europeans can trust what AI has to offer. While most AI systems pose limited to no risk and can contribute to solving many societal challenges, certain AI systems create risks that we must address to avoid undesirable outcomes.

For example, it is often not possible to find out why an AI system has made a decision or prediction and taken a particular action. So, it may become difficult to assess whether someone has been unfairly disadvantaged, such as in a hiring decision or in an application for a public benefit scheme.

Although existing legislation provides some protection, it is insufficient to address the specific challenges AI systems may bring.

The proposed rules will:

• address risks specifically created by AI applications;
• prohibit AI practices that pose unacceptable risks;
• determine a list of high-risk applications;
• set clear requirements for AI systems for high-risk applications;
• define specific obligations deployers and providers of high-risk AI applications;
• require a conformity assessment before a given AI system is put into service or placed on the market;
• put enforcement in place after a given AI system is placed into the market;
• establish a governance structure at European and national level.

A risk-based approach

The Regulatory Framework defines 4 levels of risk for AI systems:

All AI systems considered a clear threat to the safety, livelihoods and rights of people will be banned, from social scoring by governments to toys using voice assistance that encourages dangerous behaviour.

High risk

AI systems identified as high-risk include AI technology used in:

• critical infrastructures (e.g. transport), that could put the life and health of citizens at risk;
• educational or vocational training, that may determine the access to education and professional course of someone’s life (e.g. scoring of exams);
• safety components of products (e.g. AI application in robot-assisted surgery);
• employment, management of workers and access to self-employment (e.g. CV-sorting software for recruitment procedures);
• essential private and public services (e.g. credit scoring denying citizens opportunity to obtain a loan);
• law enforcement that may interfere with people’s fundamental rights (e.g. evaluation of the reliability of evidence);
• migration, asylum and border control management (e.g. automated examination of visa applications);
• administration of justice and democratic processes (e.g. AI solutions to search for court rulings).

High-risk AI systems will be subject to strict obligations before they can be put on the market:

• adequate risk assessment and mitigation systems;
• high quality of the datasets feeding the system to minimise risks and discriminatory outcomes;
• logging of activity to ensure traceability of results;
• detailed documentation providing all information necessary on the system and its purpose for authorities to assess its compliance;
• clear and adequate information to the deployer;
• appropriate human oversight measures to minimise risk;
• high level of robustness, security and accuracy.

All remote biometric identification systems are considered high-risk and subject to strict requirements. The use of remote biometric identification in publicly accessible spaces for law enforcement purposes is, in principle, prohibited.

Narrow exceptions are strictly defined and regulated, such as when necessary to search for a missing child, to prevent a specific and imminent terrorist threat or to detect, locate, identify or prosecute a perpetrator or suspect of a serious criminal offence.

Those usages is subject to authorisation by a judicial or other independent body and to appropriate limits in time, geographic reach and the data bases searched.

Limited risk

Limited risk refers to the risks associated with lack of transparency in AI usage. The AI Act introduces specific transparency obligations to ensure that humans are informed when necessary, fostering trust. For instance, when using AI systems such as chatbots, humans should be made aware that they are interacting with a machine so they can take an informed decision to continue or step back. Providers will also have to ensure that AI-generated content is identifiable. Besides, AI-generated text published with the purpose to inform the public on matters of public interest must be labelled as artificially generated. This also applies to audio and video content constituting deep fakes.

Minimal or no risk

The AI Act allows the free use of minimal-risk AI. This includes applications such as AI-enabled video games or spam filters. The vast majority of AI systems currently used in the EU fall into this category.

How does it all work in practice for providers of high-risk AI systems?

Once an AI system is on the market, authorities are in charge of market surveillance, deployers ensure human oversight and monitoring, and providers have a post-market monitoring system in place. Providers and deployers will also report serious incidents and malfunctioning.

A solution for the trustworthy use of large AI models

More and more, general-purpose AI models are becoming components of AI systems. These models can perform and adapt countless different tasks.

While general-purpose AI models can enable better and more powerful AI solutions, it is difficult to oversee all capabilities.

There, the AI Act introduces transparency obligations for all general-purpose AI models to enable a better understanding of these models and additional risk management obligations for very capable and impactful models. These additional obligations include self-assessment and mitigation of systemic risks, reporting of serious incidents, conducting test and model evaluations, as well as cybersecurity requirements.

Future-proof legislation

As AI is a fast-evolving technology, the proposal has a future-proof approach, allowing rules to adapt to technological change. AI applications should remain trustworthy even after they have been placed on the market. This requires ongoing quality and risk management by providers.

Enforcement and implementation

The European AI Office, established in February 2024 within the Commission, oversees the AI Act’s enforcement and implementation with the member states. It aims to create an environment where AI technologies respect human dignity, rights, and trust. It also fosters collaboration, innovation, and research in AI among various stakeholders. Moreover, it engages in international dialogue and cooperation on AI issues, acknowledging the need for global alignment on AI governance. Through these efforts, the European AI Office strives to position Europe as a leader in the ethical and sustainable development of AI technologies.

Next steps

In December 2023, the European Parliament and the Council of the EU reached a political agreement on the AI Act. The text is in the process of being formally adopted and translated. The AI Act will enter into force 20 days after its publication in the Official Journal, and will be fully applicable 2 years later, with some exceptions: prohibitions will take effect after six months, the governance rules and the obligations for general-purpose AI models become applicable after 12 months and the rules for AI systems - embedded into regulated products - will apply after 36 months. To facilitate the transition to the new regulatory framework, the Commission has launched the AI Pact, a voluntary initiative that seeks to support the future implementation and invites AI developers from Europe and beyond to comply with the key obligations of the AI Act ahead of time.