The European Union is changing the world of AI: The entry into force of the Artificial Intelligence Act is "around the corner".

The proposal for a Regulation of the European Parliament and of the Council laying down harmonized rules on artificial intelligence (the "AI Act") and amending certain legislative acts of the Union (hereinafter as the "Regulation") was adopted by the Council of the EU on 21 May 2024, following a trilogue between representatives of the European Parliament, the Council of the EU and the European Commission, with publication in the Official Journal of the EU and entry into force of the Regulation. According to Article 113 of the Regulation, the Regulation enters into force on the twentieth day following its publication in the Official Journal of the EU. As the Regulation is expected to be published in the Official Journal of the EU on 12 July 2024, the Regulation can be expected to enter into force on 1 August 2024.

The Regulation is a major piece of legislation that will affect not only the obligations of AI system providers, but also the operation of companies using AI in their business, impacting all of our lives. It is a key element of the EU's Digital Single Market strategy. The Regulation aims to encourage the uptake of AI and address the risks associated with certain uses of AI. This is the first ever comprehensive legal Regulation of AI.

The Regulation will apply to AI systems that meet the definition under Article 3(1) of the Regulation, which defines an AI system as a machine-based system capable of functioning independently to varying degrees, which can adapt and learn after being deployed. It processes, for explicit or implicit objectives, incoming data to produce outputs like predictions, content, recommendations, or decisions, aimed at achieving specific or general goals, and can influence both physical and digital environments. To resolve the question of whether or not the Regulation will apply to an AI system, it does not matter whether or not the AI system is presented as an AI system or is referred to as an AI system, but whether or not it meets the definition above.

AI system types

The Regulation diversifies the AI systems according to the degree of risk that the system creates into:

1. Systems with unacceptable risk - this category includes AI systems that will be prohibited from being used after the Regulation enters into force and shall be applied (cf. Article 5 of the Regulation). This includes, for example, AI systems that create or disseminate facial recognition databases through the untargeted retrieval of facial images from the internet or CCTV footage, AI systems with the aim of inferring the emotions of individuals in the workplace and in educational institutions, except where the use of the AI system is intended to be introduced or marketed for medical or safety reasons,
2. High-risk systems (Article 6) - High-risk AI systems, unlike systems with unacceptable risk, will be able to be used, but only always while meeting the obligations set out in the Regulation. These obligations include e.g. meeting specified requirements on input data quality, automatic logging of AI steps, AI transparency, human supervision of AI. High-risk AI systems under Annex III of the Regulation include, for example, AI systems intended to be used as safety components in the management and operation of critical digital infrastructure, road traffic, or in the supply of water, gas, heating or electricity, or AI systems intended to be used by a judicial authority or on their behalf to assist a judicial authority in the investigation and interpretation of the facts of a case and in the application of the law to facts of a case, or to be used in a similar way in alternative dispute resolution,
3. Other systems that are not high-risk or unacceptable-risk systems - AI systems falling into this group will only be subject to some of the obligations set out in the Regulation, such as the transparency obligation (Article 50), while these systems will also have to notify users that their data is being processed by AI – typically the now well-known chatbots such as ChatGPT, and
4. Systems not subject to Regulation under the Regulation - AI systems with minimal or no risk e.g. spam filters in email.

Application of the Regulation

The Regulation shall, with certain exceptions, apply from 24 months after the Regulation enters into force. As the Regulation has a so-called partial applicability, certain provisions shall apply from different times, for example depending on the degree of riskiness of the AI system used as defined in the Regulation (Article 113).

The part of the Regulation prohibiting the use of AI systems with unacceptable risk shall apply from 6 months after the Regulation enters into force – in accordance with the above-mentioned, the prohibition on the use of AI systems with unacceptable risk should be applied from 2 February 2025. The part of the Regulation setting out the conditions and requirements for the use of high-risk AI systems shall apply from 36 months after the Regulation enters into force. The part of the Regulation imposing transparency requirements on other systems that are not high-risk systems or unacceptable risk systems shall apply from 12 months after the Regulation enters into force.

Sanctions

An effective, proportionate and dissuasive sanction can be imposed on operators using AI in the EU, regardless of where the AI was developed and where the servers on which the AI operates are located, for breaches of the obligations set out in the Regulation. The possibility to impose a sanction is influenced by the corrective provided by the Regulation, which requires that the interests of small AI system providers and start-ups and their economic viability are taken into account. The penalties are graduated according to the gravity of the breach of the Regulation, with the most severe penalty provided for in the Regulation being the imposition of an administrative fine of up to EUR 35 000 000 or, if the breach is committed by an undertaking (company), up to 7% of its total worldwide annual turnover for the preceding financial year, whichever is higher.

The European Artificial Intelligence Office (AI Office) will play a key role in how the Regulation is put into practice for individual operators affected by it. Its aim will be to ensure a single European system for the governance of AI. The role of the Office will include issuing new rules on AI governance. The monitoring of these changes by AI system operators and their active involvement in the AI debate will also be essential for the development of these rules in the right direction.