Its scope would encompass all types of AI in a broad range of sectors (exceptions include AI systems used solely for military, national security, research, and non-professional purpose[4]). As a piece of product regulation, it would not confer rights on individuals, but would regulate the providers of AI systems, and entities using AI in a professional context.[5]
The AI Act was revised following the rise in popularity of
generative AI systems such as
ChatGPT, whose general-purpose capabilities present different stakes and did not fit the defined framework.[6] More restrictive regulations are planned for powerful generative AI systems with systemic impact.[7]
The proposed EU Artificial Intelligence Act aims to classify and regulate AI applications based on their risk to cause harm. This classification includes four categories of risk ("unacceptable", "high", "limited" and "minimal"), plus one additional category for general-purpose AI. Applications deemed to represent unacceptable risks are banned. High-risk ones must comply to security, transparency and quality obligations and undergo conformity assessments. Limited-risk AI applications only have transparency obligations, and those representing minimal risks are not regulated. For general-purpose AI, transparency requirements are imposed, with additional and thorough evaluations when representing particularly high risks.[7][8]
The Act further proposes the introduction of a European Artificial Intelligence Board to promote national cooperation and ensure compliance with the regulation.[9]
The AI Act is expected to have a large impact on the economy. Like the European Union's
General Data Protection Regulation, it can apply
extraterritorially to providers from outside the EU, if they have products within the EU.[5]
Risk categories
There are different risk categories depending on the type of application, and one specifically dedicated to general-purpose generative AI :
Unacceptable risk: AI applications that fall under this category are banned. This includes AI applications that manipulate human behaviour, those that use real-time remote
biometric identification (including
facial recognition) in public spaces, and those used for social scoring (ranking people based on their personal characteristics, socio-economic status or behaviour).[8]
High-risk: the AI applications that pose significant threats to health, safety, or the fundamental rights of persons. Notably, AI systems used in health, education, recruitment, critical infrastructure management, law enforcement or justice. They are subject to quality, transparency, human oversight and safety obligations, and in some cases a Fundamental Rights Impact Assessment[10] is require. They must be evaluated before they are placed on the market, as well as during their life cycle. The list of high-risk applications can be expanded without requiring to modify the AI Act itself.[5]
General-purpose AI ("GPAI"): this category was added in 2023, and includes in particular
foundation models like ChatGPT. They are subject to transparency requirements. High-impact general-purpose AI systems which could pose systemic risks (notably those trained using a computation capability of more than 1025FLOPS[11]) must also undergo a thorough evaluation process.[8]
Limited risk: these systems are subject to transparency obligations aimed at informing users that they are interacting with an artificial intelligence system and allowing them to exercise their choices. This category includes, for example, AI applications that make it possible to generate or manipulate images, sound or videos (like
deepfakes).[8] In this category, free and open-source models whose parameters are publicly available are not regulated, with some exceptions.[11][12]
Minimal risk: this includes for example AI systems used for video games or spam filters. Most AI applications are expected to be in this category.[13] They are not regulated, and Member States are prevented from further regulating them via
maximum harmonisation. Existing national laws related to the design or use of such systems are disapplied. However, a voluntary code of conduct is suggested.[14]
Institutional Governance
The finalized draft of the AI Act, as per the European Parliament Legislative Resolution of 13 March 2024, includes the establishment of various new institutions in Article 64 and the following articles. These institutions are tasked with implementing and enforcing the AI Act. The approach is characterized by a multidimensional combination of centralized and decentralized, as well as public and private enforcement aspects, due to the interaction of various institutions and actors at both EU and national levels.
The following new institutions will be established:[15][16]
AI Office: Attached to the European Commission, this authority will coordinate the implementation of the AI Act in all Member States and oversee the compliance of GPAI providers.
European Artificial Intelligence Board: Composed of one representative from each Member State, the Board will advise and assist the Commission and Member States to facilitate the consistent and effective application of the AI Act. Its tasks include gathering and sharing technical and regulatory expertise, providing recommendations, written opinions, and other advice.
Advisory Forum: Established to advise and provide technical expertise to the Board and the Commission, this forum will represent a balanced selection of stakeholders, including industry, start-ups, small and medium-sized enterprises, civil society, and academia, ensuring that a broad spectrum of opinions is represented during the implementation and application process.
Scientific Panel of Independent Experts: This panel will provide technical advice and input to the AI Office and national authorities, enforce rules for GPAI models (notably by launching qualified alerts of possible risks to the AI Office), and ensure that the rules and implementations of the AI Act correspond to the latest scientific findings.
While the establishment of new institutions is planned at the EU level, Member States will have to designate "national competent authorities".[17] These authorities will be responsible for ensuring the application and implementation of the AI Act, and for conducting "market surveillance".[18] They will verify that AI systems comply with the regulations, notably by checking the proper performance of conformity assessments and by appointing third-parties to carry out external conformity assessments.
Enforcement
The Act regulates the entry to the
EU internal market. To this extent it uses the New Legislative Framework, which can be traced back to the New Approach which dates back to 1985. How this works is as follows: The EU legislator creates the AI-act, this Act contains the most important provisions that all AI-systems that want access to the EU internal market will have to comply with. These requirements are called 'essential requirements'. Under the New Legislative Framework, these essential requirements are passed on to European Standardisation Organisations who draw up technical standards that further specify the essential requirements.[19]
As mentioned above, the Act requires that member states set up their own notifying bodies. Conformity assessments should take place in order to check whether AI-systems indeed conform to the standards as set out in the AI-Act.[20] This conformity assessment is either done by self-assessment, which means that the provider of the AI-system checks for conformity themselves, or this is done through third party conformity assessment which means that the notifying body will carry out the assessment.[21] Notifying bodies do retain the possibility to carry out audits to check whether conformity assessment is carried out properly.[22]
Under the current proposal it seems to be the case that many high-risk AI-systems do not require third party conformity assessment which is critiqued by some.[22][23][24][25] These critiques are based on the fact that high-risk AI-systems should be assessed by an independent third party to fully secure its safety. Concerns have also been raised by legal scholars surrounding the issue of whether deepfakes used to spread political misinformation or create non-consensual intimate imagery should be considered high-risk AI systems, potentially leading to stricter regulation.[26]
Timeline
In February 2020, the European Commission published "White Paper on Artificial Intelligence – A European approach to excellence and trust".[27] In October 2020, debates between EU leaders took place. On 21 April 2021, the AI Act was officially proposed. On 6 December 2022, the
European Council adopted the general orientation, allowing negotiations to begin with the European Parliament. On 9 December 2023, after three days of "marathon" talks, the Council and Parliament concluded an agreement.[28]
The law was passed by an overwhelming majority on 13 March 2024. It should come into force 20 days after being published in the
Official Journal,[29] expectedly at the end of the legislature in May.[30] After coming into force, there will be a delay before it becomes applicable, which depends on the type of application. This delay is 6 months for bans on "unacceptable risk" AI systems, 9 months for codes of practice, 12 months for general-purpose AI systems, 36 months for some obligations related to "high-risk" AI systems, and 24 months for everything else.[31][29]
^"Artificial Intelligence Act". European Parliament. 13 March 2024. Article 3 - definitions. Excerpt: "‘national competent authority’ means the national supervisory authority, the notifying authority and the market surveillance authority;"
^Veale, Michael; Borgesius, Frederik Zuiderveen (1 August 2021). "Demystifying the Draft EU Artificial Intelligence Act — Analysing the good, the bad, and the unclear elements of the proposed approach". Computer Law Review International. 22 (4): 97–112.
arXiv:2107.03721.
doi:
10.9785/cri-2021-220402.
ISSN2194-4164.
S2CID235765823.
^
abCasarosa, Federica (1 June 2022). "Cybersecurity certification of Artificial Intelligence: a missed opportunity to coordinate between the Artificial Intelligence Act and the Cybersecurity Act". International Cybersecurity Law Review. 3 (1): 115–130.
doi:
10.1365/s43439-021-00043-6.
ISSN2662-9739.
S2CID258697805.