Artificial Intelligence Act
Status: Published in the EU's Official Journal
- Final text published in the EU Official Journal on 12 July 2024
- Entry into force on 1 August 2024
- Application on 2 August 2026 (2 years after its entry into force) of generally all rules of the AI Act including obligations for high-risk systems defined in Annex III (list of high-risk use cases), with certain exceptions where obligations are applicable earlier/later. Exceptions in detail:
- 2 February 2025: Member States shall phase out prohibited systems and companies need to comply with the AI literacy requirement;
- 2 August 2025: obligations for new general purpose AI models become applicable;
- 2 August 2027: obligations for high-risk systems defined in Annex I (list of Union harmonisation legislation) apply.
Summary
The AI Act introduces EU-wide minimum requirements for AI systems and proposes a sliding scale of rules based on the risk: the higher the perceived risk, the stricter the rules. AI systems with an ‘unacceptable level of risk’ will be strictly prohibited and those considered as ‘high-risk’ will be permitted but subject to the most stringent obligations. The AI Act is also regulating foundation models and generative AI systems under the label of ‘General Purpose AI’ with a specific set of obligations.
Scope
Applies in varying degrees to providers, users, end-product manufacturers, importers or distributors of AI systems, depending on the risk.
Key elements
- Risk-based approach to AI systems: the higher the perceived risk, the stricter the rules. AI systems with an ‘unacceptable level of risk’ to European fundamental rights, like social scoring by governments, will be strictly prohibited. ‘High-risk’ systems, like automated recruitment software, will be subject to the most stringent obligations and limited-risk systems, like chatbots and deep fakes, will be subject to transparency rules. Free use of minimal-risk systems like AI enabled video games or SPAM filter.
- Specific regulation on General Purpose AI (foundation models), tiered approach with baseline obligations for all General Purpose AI (GPAI) systems and models, and add-on obligations for GPAI models with ‘systemic risks’.
- Developers of high-risk AI systems must conduct a self-conformity assessment. High-risk AI systems and foundation models must be registered in an EU database.
- Fines:
- up to €35m or 7% of global annual turnover for infringements on prohibited practices or non-compliance related to requirements on data;
- up to €15m or 3% of global annual turnover for other requirements or obligations of AI Act, including the rules on general-purpose AI models;
- up to €7.5m or 1% of global annual turnover for providing incorrect information, incomplete or misleading information.
Challenges
- Legal uncertainty from self-conformity assessment
- High administrative burden from documentation obligations, including:
- Risk management system
- Registration of stand-alone AI systems in EU database
- Declaration of conformity needs to be signed
- For generative AI: Sufficiently detailed summary of copyrighted material training data, safeguards to ensure legality of output
- Overlap with GDPR / redundancies
Key Freshfields contact(s):
Dr. Theresa Ehlen Partner
Düsseldorf, Frankfurt am Main
Dr. Christoph Werkmeister Partner
Düsseldorf
Dr. Lutz Riede Partner
Vienna, Düsseldorf
Giles Pratt Partner
London
Rachael Annear Partner
London
Tochukwu Egenti Associate
London