The European Union’s risk-based rulebook for artificial intelligence — aka the EU AI Act — has been years in the making. But expect to hear a lot more about the regulation in the coming months (and years) as key compliance deadlines kick in. Meanwhile, read on for an overview of the law and its aims.
So what is the EU trying to achieve? Dial back the clock to April 2021, when the Commission published the original proposal and lawmakers were framing it as a law to bolster the bloc’s ability to innovate in AI by fostering trust among citizens. The framework would ensure AI technologies remained “human-centered” while also giving businesses clear rules to work their machine learning magic, the EU suggested.
Increasing adoption of automation across industry and society certainly has the potential to supercharge productivity in various domains. But it also poses risks of fast-scaling harms if outputs are poor and/or where AI intersects with individual rights and fails to respect them.
The bloc’s goal for the AI Act is therefore to drive uptake of AI and grow a local AI ecosystem by setting conditions that are intended to shrink the risks that things could go horribly wrong. Lawmakers think that having guardrails in place will boost citizens’ trust in and uptake of AI.
This ecosystem-fostering-through-trust idea was fairly uncontroversial back in the early part of the decade, when the law was being discussed and drafted. Objections were raised in some quarters, though, that it was simply too early to be regulating AI and that European innovation and competitiveness could suffer.
Few would likely say it’s too early now, of course, given how the technology has exploded into mainstream consciousness thanks to the boom in generative AI tools. But there are still objections that the law sandbags the prospects of homegrown AI entrepreneurs, despite the inclusion of support measures like regulatory sandboxes.
Even so, the big debate for many lawmakers is now around how to regulate AI, and with the AI Act the EU has set its course. The next years are all about the bloc executing on the plan.
What does the AI Act require?
Most uses of AI are not regulated under the AI Act at all, as they fall out of scope of the risk-based rules. (It’s also worth noting that military uses of AI are entirely out of scope as national security is a member-state, rather than EU-level, legal competence.)
For in-scope uses of AI, the Act’s risk-based approach sets up a hierarchy where a handful of potential use cases (e.g., “harmful subliminal, manipulative and deceptive techniques” or “unacceptable social scoring”) are framed as carrying “unacceptable risk” and are therefore banned. However, the list of banned uses is replete with exceptions, meaning even the law’s small number of prohibitions carry plenty of caveats.
For example, a ban on law enforcement using real-time remote biometric identification in publicly accessible spaces is not the blanket ban some parliamentarians and many civil society groups had pushed for, with exceptions allowing its use for certain crimes.
The next tier down from unacceptable risk/banned use is “high-risk” use cases — such as AI apps used for critical infrastructure; law enforcement; education and vocational training; healthcare; and more — where app makers must conduct conformity assessments prior to market deployment, and on an ongoing basis (such as when they make substantial updates to models).
This means the developer must be able to demonstrate that they are meeting the law’s requirements in areas such as data quality, documentation and traceability, transparency, human oversight, accuracy, cybersecurity, and robustness. They must put in place quality and risk-management systems so they can demonstrate compliance if an enforcement authority comes knocking to do an audit.
High-risk systems that are deployed by public bodies must also be registered in a public EU database.
There is also a third, “medium-risk” category, which applies transparency obligations to AI systems, such as chatbots or other tools that can be used to produce synthetic media. Here the concern is they could be used to manipulate people, so this type of tech requires that users are informed they are interacting with or viewing content produced by AI.
All other uses of AI are automatically considered low/minimal risk and aren’t regulated. This means that, for example, stuff like using AI to sort and recommend social media content or target advertising doesn’t have any obligations under these rules. But the bloc encourages all AI developers to voluntarily follow best practices for boosting user trust.
This set of tiered risk-based rules make up the bulk of the AI Act. But there are also some dedicated requirements for the multifaceted models that underpin generative AI technologies — which the AI Act refers to as “general purpose AI” models (or GPAIs).
This subset of AI technologies, which the industry sometimes calls “foundational models,” typically sits upstream of many apps that implement artificial intelligence. Developers are tapping into APIs from the GPAIs to deploy these models’ capabilities into their own software, often fine-tuned for a specific use case to add value. All of which is to say that GPAIs have quickly gained a powerful position in the market, with the potential to influence AI outcomes at a large scale.
GenAI has entered the chat …
The rise of GenAI reshaped more than just the conversation around the EU’s AI Act; it led to changes to the rulebook itself as the bloc’s lengthy legislative process coincided with the hype around GenAI tools like ChatGPT. Lawmakers in the European parliament seized their chance to respond.
MEPs proposed adding additional rules for GPAIs — that is, the models that underlie GenAI tools. These, in turn, sharpened tech industry attention on what the EU was doing with the law, leading to some fierce lobbying for a carve-out for GPAIs.
French AI firm Mistral was one of the loudest voices, arguing that rules on model makers would hold back Europe’s ability to compete against AI giants from the U.S. and China. OpenAI’s Sam Altman also chipped in, suggesting, in a side remark to journalists that it might pull its tech out of Europe if laws proved too onerous, before hurriedly falling back to traditional flesh-pressing (lobbying) of regional powerbrokers after the EU called him out on this clumsy threat.
Altman getting a crash course in European diplomacy has been one of the more visible side effects of the AI Act.
The upshot of all this noise was a white-knuckle ride to get the legislative process wrapped. It took months and a marathon final negotiating session between the European parliament, Council, and Commission to push the file over the line last year. The political agreement was clinched in December 2023, paving the way for adoption of the final text in May 2024.
The EU has trumpeted the AI Act as a “global first.” But being first in this cutting-edge tech context means there’s still a lot of detail to be worked out, such as setting the specific standards in which the law will apply and producing detailed compliance guidance (Codes of Practice) in order for the oversight and ecosystem-building regime the Act envisages to function.
So, as far as assessing its success, the law remains a work in progress — and will be for a long time.
For GPAIs, the AI Act continues the risk-based approach, with (only) lighter requirements for most of these models.
For commercial GPAIs, this means transparency rules (including technical documentation requirements and disclosures around the use of copyrighted material used to train models). These provisions are intended to help downstream developers with their own AI Act compliance.
There’s also a second tier — for the most powerful (and potentially risky) GPAIs — where the Act dials up obligations on model makers by requiring proactive risk assessment and risk mitigation for GPAIs with “systemic risk.”
Here the EU is concerned about very powerful AI models that might pose risks to human life, for example, or even risks that tech makers lose control over continued development of self-improving AIs.
Lawmakers elected to rely on compute threshold for model training as a classifier for this systemic risk tier. GPAIs will fall into this bracket based on the cumulative amount of compute used for their training being measured in floating point operations (FLOPs) of greater than 1025.
So far no models are thought to be in scope, but of course that could change as GenAI continues to develop.
There is also some leeway for AI safety experts involved in oversight of the AI Act to flag concerns about systemic risks that may arise elsewhere. (For more on the governance structure the bloc has devised for the AI Act — including the various roles of the AI Office — see our earlier report.)
Mistral et al.’s lobbying did result in a watering down of the rules for GPAIs, with lighter requirements on open source providers for example (lucky Mistral!). R&D also got a carve out, meaning GPAIs that have not yet been commercialized fall out of scope of the Act entirely, without even transparency requirements applying.
A long march toward compliance
The AI Act officially entered into force across the EU on August 1, 2024. That date essentially fired a starting gun as deadlines for complying with different components are set to hit at different intervals from early next year until around the middle of 2027.
Some of the main compliance deadlines are six months in from entry into force, when rules on prohibited use cases kick in; nine months in when Codes of Practice start to apply; 12 months in for transparency and governance requirements; 24 months for other AI requirements, including obligations for some high-risk systems; and 36 months for other high-risk systems.
Part of the reason for this staggered approach to legal provisions is about giving companies enough time to get their operations in order. But even more than that, it’s clear that time is needed for regulators to work out what compliance looks like in this cutting-edge context.
At the time of writing, the bloc is busy formulating guidance for various aspects of the law ahead of these deadlines, such as Codes of Practice for makers of GPAIs. The EU is also consulting on the law’s definition of “AI systems” (i.e., which software will be in scope or out) and clarifications related to banned uses of AI.
The full picture of what the AI Act will mean for in-scope companies is still being shaded in and fleshed out. But key details are expected to be locked down in the coming months and into the first half of next year.
One more thing to consider: As a consequence of the pace of development in the AI field, what’s required to stay on the right side of the law will likely continue to shift as these technologies (and their associated risks) continue evolving, too. So this is one rulebook that may well need to remain a living document.
AI rules enforcement
Oversight of GPAIs is centralized at EU level, with the AI Office playing a key role. Penalties the Commission can reach for to enforce these rules can reach up to 3% of model makers’ global turnover.
Elsewhere, enforcement of the Act’s rules for AI systems is decentralized, meaning it will be down to member state-level authorities (plural, as there may be more than one oversight body designated) to assess and investigate compliance issues for the bulk of AI apps. How workable this structure will be remains to be seen.
On paper, penalties can reach up to 7% of global turnover (or €35 million, whichever is greater) for breaches of banned uses. Violations of other AI obligations can be sanctioned with fines of up to 3% of global turnover, or up to 1.5% for providing incorrect information to regulators. So there’s a sliding scale of sanctions enforcement authorities can reach for.
Comments are closed.