It covers all types of AI across a broad range of sectors, with exceptions for AI systems used solely for military, national security, research and non-professional purposes.[5] As a piece of product regulation, it does not confer rights on individuals, but regulates the providers of AI systems and entities using AI in a professional context.[6]
The Act classifies non-exempt AI applications by their risk of causing harm. There are four levels – unacceptable, high, limited, minimal – plus an additional category for general-purpose AI.[7]
Limited-risk applications only have transparency obligations.
Minimal-risk applications are not regulated.
For general-purpose AI, transparency requirements are imposed, with reduced requirements for open source models, and additional evaluations for high-capability models.[8][9]
The Act also creates a European Artificial Intelligence Board to promote national cooperation and ensure compliance with the regulation.[10] Like the EU's General Data Protection Regulation, the Act can apply extraterritorially to providers from outside the EU if they have users within the EU.[6]
There are different risk categories depending on the type of application, with a specific category dedicated to general-purpose generative AI:
Unacceptable risk – AI applications in this category are banned, except for specific exemptions.[15] When no exemption applies, this includes AI applications that manipulate human behaviour, those that use real-time remote biometric identification (such as facial recognition) in public spaces, and those used for social scoring (ranking individuals based on their personal characteristics, socio-economic status, or behaviour).[9]
High-risk – AI applications that are expected to pose significant threats to health, safety, or the fundamental rights of persons. Notably, AI systems used in health, education, recruitment, critical infrastructure management, law enforcement or justice. They are subject to quality, transparency, human oversight and safety obligations, and in some cases require a "Fundamental Rights Impact Assessment" before deployment.[16] They must be evaluated both before they are placed on the market and throughout their life cycle. The list of high-risk applications can be expanded over time, without the need to modify the AI Act itself.[6]
General-purpose AI – Added in 2023, this category includes in particular foundation models like ChatGPT. Unless the weights and model architecture are released under free and open source licence, in which case only a training data summary and a copyright compliance policy are required, they are subject to transparency requirements. High-impact general-purpose AI systems including free and open source ones which could pose systemic risks (notably those trained using a computational capability exceeding 1025FLOPS)[17] must also undergo a thorough evaluation process.[9]
Limited risk – AI systems in this category have transparency obligations, ensuring users are informed that they are interacting with an AI system and allowing them to make informed choices. This category includes, for example, AI applications that make it possible to generate or manipulate images, sound, or videos (like deepfakes).[9]
Minimal risk – This category includes, for example, AI systems used for video games or spam filters. Most AI applications are expected to fall into this category.[18] These systems are not regulated, and Member States cannot impose additional regulations due to maximum harmonisation rules. Existing national laws regarding the design or use of such systems are overridden. However, a voluntary code of conduct is suggested.[19]
Articles 2.3 and 2.6 exempt AI systems used for military or national security purposes or pure scientific research and development from the AI Act.[15]
Article 5.2 bans algorithmic video surveillance only if it is conducted in real time. Exceptions allowing real-time algorithmic video surveillance include policing aims including "a real and present or real and foreseeable threat of terrorist attack".[15]
Recital 31 of the act states that it aims to prohibit "AI systems providing social scoring of natural persons by public or private actors", but allows for "lawful evaluation practices of natural persons that are carried out for a specific purpose in accordance with Union and national law."[20]La Quadrature du Net interprets this exemption as permitting sector-specific social scoring systems,[15] such as the suspicion score used by the French family payments agency Caisse d'allocations familiales.[21][15]
The AI Act establishes various new bodies in Article 64 and the following articles. These bodies are tasked with implementing and enforcing the Act. The approach combines EU-level coordination with national implementation, involving both public authorities and private sector participation.
The following new bodies will be established:[22][23]
AI Office: attached to the European Commission, this authority will coordinate the implementation of the AI Act in all Member States and oversee the compliance of general-purpose AI providers.
European Artificial Intelligence Board: composed of one representative from each Member State, the Board will advise and assist the Commission and Member States to facilitate the consistent and effective application of the AI Act. Its tasks include gathering and sharing technical and regulatory expertise, providing recommendations, written opinions, and other advice.
Advisory Forum: established to advise and provide technical expertise to the Board and the Commission, this forum will represent a balanced selection of stakeholders, including industry, start-ups, small and medium-sized enterprises, civil society, and academia, ensuring that a broad spectrum of opinions is represented during the implementation and application process.
Scientific Panel of Independent Experts: this panel will provide technical advice and input to the AI Office and national authorities, enforce rules for general-purpose AI models (notably by launching qualified alerts of possible risks to the AI Office), and ensure that the rules and implementations of the AI Act correspond to the latest scientific findings.
While the establishment of new bodies is planned at the EU level, Member States will have to designate "national competent authorities".[24] These authorities will be responsible for ensuring the application and implementation of the AI Act, and for conducting "market surveillance".[25] They will verify that AI systems comply with the regulations, notably by checking the proper performance of conformity assessments and by appointing third-parties to carry out external conformity assessments.
The Act regulates the entry to the EU internal market using the New Legislative Framework. It contains essential requirements that all AI systems must meet to access the EU market. These essential requirements are passed on to European Standardisation Organisations, which develop technical standards that further detail these requirements.[26] These standards are developed by CEN/CENELEC JTC 21.[27]
The Act mandates that member states establish their own notifying bodies. Conformity assessments are conducted to verify whether AI systems comply with the standards set out in the AI Act.[28] This assessment can be done in two ways: either through self-assessment, where the AI system provider checks conformity, or through third-party conformity assessment, where the notifying body conducts the assessment.[19] Notifying bodies also have the authority to carry out audits to ensure proper conformity assessments.[29]
Criticism has arisen regarding the fact that many high-risk AI systems do not require third-party conformity assessments.[30][31][32] Some commentators argue that independent third-party assessments are necessary for high-risk AI systems to ensure safety before deployment. Legal scholars have suggested that AI systems capable of generating deepfakes for political misinformation or creating non-consensual intimate imagery should be classified as high-risk and subjected to stricter regulation.[33]
In February 2020, the European Commission published "White Paper on Artificial Intelligence – A European approach to excellence and trust".[34] In October 2020, debates between EU leaders took place in the European Council. On 21 April 2021, the AI Act was officially proposed by the Commission.[11] On 6 December 2022, the European Council adopted the general orientation, allowing negotiations to begin with the European Parliament. On 9 December 2023, after three days of "marathon" talks, the EU Council and Parliament concluded an agreement.[35][36]
The law was passed in the European Parliament on 13 March 2024, by a vote of 523 for, 46 against, and 49 abstaining.[37] It was approved by the EU Council on 21 May 2024.[13] It entered into force on 1 August 2024,[3] 20 days after being published in the Official Journal on 12 July 2024.[12][38] After coming into force, there will be a delay before it becomes applicable, which depends on the type of application. This delay is 6 months for bans on "unacceptable risk" AI systems, 9 months for codes of practice, 12 months for general-purpose AI systems, 36 months for some obligations related to "high-risk" AI systems, and 24 months for everything else.[38][37]
Experts have argued that though the jurisdiction of the law is European, it could have far-ranging implications for international companies that plan to expand to Europe.[39]Anu Bradford at Columbia has argued that the law provides significant momentum to the world-wide movement to regulate AI technologies.[39]
Amnesty International criticized the AI Act for not completely banning real-time facial recognition, which they said could damage "human rights, civil space and rule of law" in the European Union. It also criticized the absence of ban on exporting AI technologies that can harm human rights.[39]
Some tech watchdogs have argued that there were major loopholes in the law that would allow large tech monopolies to entrench their advantage in AI, or to lobby to weaken rules.[40][41] Some startups welcomed the clarification the act provides, while others argued the additional regulation would make European startups uncompetitive compared to American and Chinese startups.[41]La Quadrature du Net (LQDN) described the AI Act as "tailor-made for the tech industry, European police forces as well as other large bureaucracies eager to automate social control". LQDN described the role of self-regulation and exemptions in the act to render it "largely incapable of standing in the way of the social, political and environmental damage linked to the proliferation of AI".[15]
^Mantelero, Alessandro (2022), Beyond Data. Human Rights, Ethical and Social Impact Assessment in AI, Information Technology and Law Series, vol. 36, The Hague: Springer-T.M.C. Asser Press, doi:10.1007/978-94-6265-531-7, ISBN978-94-6265-533-1
^ abVeale, Michael; Borgesius, Frederik Zuiderveen (1 August 2021). "Demystifying the Draft EU Artificial Intelligence Act — Analysing the good, the bad, and the unclear elements of the proposed approach". Computer Law Review International. 22 (4): 97–112. arXiv:2107.03721. doi:10.9785/cri-2021-220402. ISSN2194-4164. S2CID235765823.
^Proposal:[11] Article 3 – definitions. Excerpt: "'national competent authority' means the national supervisory authority, the notifying authority and the market surveillance authority."
^Casarosa, Federica (1 June 2022). "Cybersecurity certification of Artificial Intelligence: a missed opportunity to coordinate between the Artificial Intelligence Act and the Cybersecurity Act". International Cybersecurity Law Review. 3 (1): 115–130. doi:10.1365/s43439-021-00043-6. ISSN2662-9739. S2CID258697805.
^Smuha, Nathalie A.; Ahmed-Rengers, Emma; Harkens, Adam; Li, Wenlong; MacLaren, James; Piselli, Riccardo; Yeung, Karen (5 August 2021). "How the EU Can Achieve Legally Trustworthy AI: A Response to the European Commission's Proposal for an Artificial Intelligence Act". SSRN3899991.