Decoding the EU Artificial Intelligence Act

AI holds immense promise to expand the horizon of what is achievable and to impact the world for our benefit — but managing AI’s risks and potential known and unknown negative consequences will be critical. The AI Act is set to be finalized in 2024 and aims to ensure that AI systems are safe, respect fundamental rights, foster AI investment, improve governance, and encourage a harmonized single EU market for AI.

The AI Act's definition of AI is anticipated to be broad and include various technologies and systems. As a result, organizations are likely to be significantly impacted by the AI Act. Most of the obligations are expected to take effect in early 2026. However, prohibited AI systems will have to be phased out six months after the AI Act comes into force. The rules for governing general-purpose AI are expected to apply in early 2025.¹

The AI Act applies a risk-based approach, dividing AI systems into different risk levels: unacceptable, high, limited and minimal risk.²

High-risk AI systems are permitted but subject to the most stringent obligations. These obligations will affect not only users but also so-called ‘providers’ of AI systems. The term ‘provider’ in the AI Act covers developing bodies of AI systems, including organizations that develop AI systems for strictly internal use. It is important to know that an organization can be both a user and a provider.

Providers will likely need to ensure compliance with strict standards concerning risk management, data quality, transparency, human oversight, and robustness.

Users are responsible for operating these AI systems within the AI Act’s legal boundaries and according to the provider's specific instructions. This includes obligations on the intended purpose and use cases, data handling, human oversight and monitoring.

New provisions have been added to address the recent advancements in general-purpose AI (GPAI) models, including large generative AI models.³ These models can be used for a variety of tasks and can be integrated into a large number of AI systems, including high-risk systems, and are increasingly becoming the basis for many AI systems in the EU. To account for the wide range of tasks AI systems can accomplish and the rapid expansion of their capabilities, it was agreed that GPAI systems, and the models they are based on, may have to adhere to transparency requirements. Additionally, high-impact GPAI models, which possess advanced complexity, capabilities, and performance, will face more stringent obligations. This approach will help mitigate systemic risks that may arise due to these models' widespread use.⁴

Existing Union laws, for example, on personal data, product safety, consumer protection, social policy, and national labor law and practice, continue to apply, as well as Union sectoral legislative acts relating to product safety. Compliance with the AI Act will not relieve organizations from their pre-existing legal obligations in these areas.

Organizations should take the time to create a map of the AI systems they develop and use and categorize their risk levels as defined in the AI Act. If any of their AI systems fall into the limited, high or unacceptable risk category, they will need to assess the AI Act’s impact on their organization. It is imperative to understand this impact — and how to respond — as soon as possible.