EU AI Act

Updated May 14, 2024

 

The proposed European Union Artificial Intelligence Act is the world's most prominent AI legislation. At present, the final text of the AI Act has not been agreed. This page summarizes key expected provisions of the AI Act, and will be updated as the legislation advances.

 

Legislative Process

Key steps so far in adoption of the EU AI Act have been:

• May 2021 -- The European Commission proposed a draft of the AI Act.
• June 2023 -- The European Parliament proposed amendments to the AI Act, including fairly strict provisions to address "foundation models" (i.e. large language models, diffusion models and similar), which had risen rapidly to prominence since the legislation was proposed.
• December 2023 -- Political agreement on the key provisions of the AI Act was reached in "trilogue" negotiations among the European Commission, the Council of the European Union (comprising representatives of EU member states) and the European Parliament. The agreement retains provisions on foundation models, but these are substantially less restrictive than those proposed by the European Parliament. Following the political agreement, the European Commission published Q&As on the AI Act.

• February 2024 -- The Committee of Permanent Representatives (acting for the EU Council) endorsed a proposed final draft of the AI Act. The European Parliament committees on Internal Market Consumer Protection (IMCO) and Civil Liberties, Justice and Home Affairs (LIBE) then endorsed the proposed text, and the European Parliament published an updated version of the AI Act.

• March 2024 -- The European Parliament gave final approval to the AI Act on March 13, 2024.

• April 2024 -- The European Parliament released a final, corrected version of the AI Act, addressing minor drafting errors.

 

The Act would will now receive final approval from the EU Council and enter into force. Once adopted, the AI Act will fully take effect two years later (i.e. in 2026), with some obligations applying earlier or later (see European Commission Q&As for details). The International Association of Privacy Professionals has prepared a useful infographic on the timeline for entry into force of the AI Act.

 

Brief summaries of some key provisions of the AI Act are below. More detailed summaries are available from various sources including:

• law firms Taylor Wessing, William Fry and Simmons & Simmons
• Future of Life Institute
• start-up France Digitale.

 

Regulatory Framework for AI Systems

The EU AI Act will regulate AI "systems" (i.e. software applications), using a definition of "artificial intelligence" that is based upon the one adopted by the OECD. AI systems are divided into the following categories (subject to some general exceptions, e.g. for military/defense systems):

• prohibited systems -- These include systems for manipulation of human behavior, social scoring, predictive policing, emotion recognition in the workplace, and (with certain exceptions) real-time remote biometric identification by law enforcement in public spaces.
• high-risk systems -- This is most important regulatory category in terms of commercial impact, and includes systems that pose a “significant risk” to health, safety, or fundamental rights, and are intended to be used for specified purposes including (but not limited to) education, employment, critical infrastructure, public services, law enforcement, border control and administration of justice. High-risk systems will be subject to detailed regulation, including obligations associated with risk management, data governance, monitoring and documentation / record-keeping. The strictest obligations apply to "providers" of high-risk models, with "deployers" of high-risk models also subject to significant obligations.
• limited risk systems -- Systems with limited potential for manipulation are subject to transparency requirements, including informing users that they are interacting with an AI system and identifying AI-generated content.
• minimal risk systems -- AI systems not falling into the above categories are not subject to regulation.

 

Regulation of "General Purpose AI Models"

The AI Act defines "general purpose AI [GPAI] model" to be one that "displays significant generality and is capable to competently perform a wide range of distinct tasks", with certain exceptions. GPAI models will be subject to obligations regarding (a) technical documentation and information, (b) copyright policies and (c) summaries of training data, except that obligations (b) and (c) do not apply to GPAI models that are made public (including model weights). (AI Act, Arts. 3(44b) & 52c)

 

GPAI models posing "systemic risk" subject to stricter obligations. Models posing "systemic risk" are those that (a) have "high impact" based upon technical evaluations, (b) are so designated by the European Commission or (c) are trained using computing power greater than 10²⁵ floating point operations. (AI Act, Art. 52a) In addition to the general obligations for GPAI models, "systemic risk" models will be subject to obligations regarding (1) model evaluation and testing, (2) risk management, (3) incident reporting and (4) cybersecurity. (AI Act, Art. 52d)

 

Open Source AI Models

The AI Act applies reduced obligations to open source AI models (1) for which model weights and information on model architecture and training are made publicly available and (2) that are not monetized. 

 

Institutions and Implementation

The AI Act establishes new institutions:

• an AI Office within the European Commission (advised by a scientific panel of independent experts) -- the Commission decided in January 2024 (with effect from 21 February 2024) to establish the AI Office in advance of passage of the AI Act
• an AI Board comprising representatives of EU member states (advised by an advisory forum of companies, academics and NGOs).

 

Each EU member state must appoint one or more national authorities with responsibility for implementation of the AI Act and associated market surveillance.

 

The European Commission's AI Pact initiative works with organisations to plan for AI Act implementation, including Pillar I (working with the AI Pact network) and Pillar II (facilitating voluntary pledges of compliance).