The European Union (EU) made history by publishing the Artificial Intelligence Act (AI Act) in the EU’s Official Journal. Following extensive debate, this pioneering legislation is set to take effect on August 1, 2024, with the majority of its provisions coming into force by August 2027. The AI Act represents a significant regulatory advancement, establishing a comprehensive framework for AI governance and imposing new compliance obligations on a broad spectrum of businesses. However, with key definitions and concepts remaining somewhat ambiguous, guidance from regulators will be crucial for understanding the full scope of the Act.
Extraterritorial Reach
The AI Act is notable for its extraterritorial reach. It will apply to:
1. Providers of AI systems or general-purpose AI (GPAI) models that are based outside the EU but place their products on the EU market or "put them into service" in the EU.
2. Deployers with a place of establishment within the EU.
3. Both providers and deployers if the "output" of the AI system is "used in the EU."
Risk-Based Application
The AI Act employs a four-tier risk-based classification system, imposing varying obligations based on the level of risk associated with an AI system. These categories include:
1. Minimal Risk AI: Includes applications such as video games or spam filters, with no restrictions under the AI Act. Approximately 80% of AI systems currently used in the EU fall into this category.
2. Limited Risk AI: Examples include chatbots. These systems face specific transparency obligations, such as informing users when they are interacting with AI and ensuring AI-generated content is identifiable.
3. High-Risk AI: This category covers AI systems involved in sensitive areas like biometric identification, critical infrastructure management, education, employment, law enforcement, migration, and justice. Providers of high-risk AI systems must adhere to rigorous compliance obligations, including:
- Establishing risk management systems and maintaining data quality.
- Implementing conformity management systems and technical documentation.
- Ensuring transparency and accuracy, with long-term documentation requirements.
- Certain high-risk AI systems must also pass conformity assessments and maintain robust cybersecurity measures.
4. Unacceptable Risk AI: The AI Act prohibits applications deemed to pose significant threats to fundamental rights and democracy. This includes AI systems that are manipulative, exploit personal vulnerabilities, or involve sensitive biometric categorization. Specific prohibitions include:
- AI systems for emotion recognition in workplaces and educational institutions.
- Untargeted scraping of facial images for recognition.
- Social credit scoring based on personal behavior or characteristics.
General Purpose AI Models
General-purpose AI models, such as large generative AI systems, are not classified as AI systems under the Act but are still subject to several obligations:
- Conducting fundamental rights impact and conformity assessments.
- Implementing continuous risk and quality management.
- Informing individuals when interacting with AI and ensuring AI content is detectable.
Enforcement and Compliance
The enforcement of the AI Act will primarily be handled by EU member state authorities, coordinated by the newly established European Artificial Intelligence Board (EAIB). The EAIB will oversee compliance, issue codes of conduct, and coordinate with national enforcement bodies. Providers and deployers of high-risk AI must comply with various obligations, including staff training, operational duties, control measures, and documentation requirements. Non-compliance can result in significant fines, up to 7% of global annual revenues or €35 million (approximately $38 million), whichever is greater.
The AI Act represents a groundbreaking step in global AI regulation, introducing a structured approach to managing AI risks and ensuring compliance across various sectors. As the sector evolves rapidly, the full implications of the Act will unfold over time, with ongoing guidance from regulators expected to clarify the scope of obligations and responsibilities for businesses operating within the EU.
Reach out to our regulation experts on chemical and product regulatory compliances