Inside the EU’s Landmark AI Regulation
On 13 March 2024, the European Parliament voted overwhelmingly in favor of the EU AI Act, hailed as the world’s first legislation to chart “a clear path towards a safe and human-centric development of AI.” The European Council endorsed the final text on 21 May 2024, and after linguistic refinements, it was published in the Official Journal of the EU on 12 July 2024. The Act entered into force on 1 August 2024, with a phased rollout over three years.

The regulation applies broadly to “providers,” “importers,” “distributors,” and “deployers” of AI systems that are placed on the EU market or affect individuals in the EU. This extraterritorial scope mirrors the GDPR’s reach, reinforcing what has been termed the “Brussels effect.” The definition of an AI system aligns with the OECD’s: “An AI system is a machine-based system that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.” The emphasis on inference distinguishes AI from basic automation.
Providers are entities that develop or have AI systems developed and place them on the market under their own name or trademark. Importers bring AI systems from outside the EU into the market, while distributors make AI systems available without altering their properties. Deployers are users of AI systems in professional contexts, with exemptions for personal, non-professional use.
Certain categories are excluded: free and open-source models (with exceptions for systemic general-purpose AI), AI for national security or defense, and systems in research or prototyping stages before market release.
Implementation milestones include bans on prohibited practices by 2 February 2025, codes of practice by 2 May 2025, obligations for general-purpose AI by 2 August 2025, and full application to most high-risk systems by 2 August 2026, with remaining high-risk categories covered by 2 August 2027.
To bridge the gap before full enforcement, the European Commission introduced the AI Pact—voluntary pledges to adopt governance strategies, identify potential high-risk systems, and promote AI literacy. First signatories were celebrated on 25 September 2024.
The Act adopts a risk-based framework:
- **Unacceptable risk** systems, such as social credit scoring or untargeted facial image scraping, are banned.
- **High risk** systems include certain biometric identification tools, AI in critical infrastructure, education, essential services, and employment-related decision-making. Annex I covers systems tied to EU harmonization legislation requiring third-party conformity assessment; Annex III lists specific high-risk applications.
- **Limited risk** systems face transparency requirements, such as labeling AI-generated content and deepfakes.
- **Minimal risk** systems, like AI-enabled video games or grammar checkers, have no additional obligations.
Providers of general-purpose AI models must perform fundamental rights impact assessments, implement risk and quality management systems, label AI-generated content, and monitor accuracy, robustness, and cybersecurity. Systemic models—those trained with computing power exceeding 10^25 FLOPs—face additional duties, including energy consumption reporting and engagement with the European AI Office.
Obligations differ sharply between providers and deployers of high-risk systems. Providers must design for human oversight, ensure accuracy and cybersecurity, maintain technical documentation, manage risks, meet data governance standards, log operations, register systems, undergo conformity assessments, and affix CE markings. Deployers must inform affected individuals, conduct impact assessments in contexts like credit scoring or insurance, assign trained human oversight, ensure input data quality, and explain AI’s role in significant decisions.
Institutional oversight comes from the European AI Office, established on 21 February 2024, which will produce codes of practice and monitor compliance, particularly for GPAI providers. The European Artificial Intelligence Board, formed on 1 August 2024, coordinates national authorities and issues recommendations. Member State authorities will handle local enforcement, with individuals able to lodge complaints.
Penalties are substantial: up to 7% of global turnover or €35 million for prohibited practices, 3% or €15 million for other violations, and 1% or €7.5 million for supplying incorrect information. Related legislative efforts include the AI Liability Directive, introducing a “presumption of causality” for harm caused by AI, and the revised Product Liability Directive, updating strict liability rules for defective products.
For organizations, early steps include auditing current and planned AI systems, assessing applicability under the Act, clarifying roles, leveraging provider compliance, and strengthening data governance. Multi-stakeholder AI governance committees and ongoing audits can help maintain compliance as the regulatory landscape evolves.
