AI Act: Who Does it Apply To and Key Takeaways
The EU Artificial Intelligence (AI) Act introduces new regulations that affect various stakeholders within the AI ecosystem. These include providers, deployers, importers, distributors, and product manufacturers who incorporate AI into their offerings.
AI LAW
Av. Ege ULUKAYA LL.M
1/15/2026 | 3 min read


Key Stakeholders Affected by the AI Act
Providers: These are organizations that supply AI systems or models. They are subject to the AI Act if they put their AI on the market in the EU, or if their AI's output is used within the EU.
Deployers: These are organizations or individuals that use AI systems. If they are located in the EU or use AI outputs within the EU, they must comply with the AI Act.
Importers: Entities in the EU offering AI systems from non-EU companies must also follow the AI Act.
Distributors: These include any entities in the supply chain that make AI systems available in the EU, other than providers or importers.
What is an AI System Under the AI Act?
The definition of "AI system" in the AI Act aligns with international standards, such as the OECD's definition. Key characteristics include autonomy and the ability to infer outputs from inputs.
However, certain activities are exempt from the AI Act’s provisions, including:
Research and Development (R&D): AI systems used for scientific research or testing outside real-world environments.
Military and National Security: AI systems dedicated exclusively to these areas.
Free/Open-Source AI: These are excluded unless they fall under high-risk or prohibited categories.
Risk-Based Framework of the AI Act
The AI Act employs a risk-based framework to regulate AI systems, with obligations varying depending on the intended use of the system. Some AI systems fall outside the scope of specific requirements, though providers and deployers must still consider other applicable laws, such as the GDPR. A fundamental obligation is ensuring that employees interacting with AI have sufficient AI literacy.
Categories of AI Systems:
Prohibited AI: Systems that pose an unacceptable risk to individuals' fundamental rights, such as emotion recognition in workplaces, social scoring, or predictive policing, are banned outright.
High-Risk AI: AI systems used in critical sectors like recruitment, healthcare, or law enforcement that could pose significant risks to health, safety, or rights are subject to detailed compliance requirements.
Chatbots & Generative AI: These AI models face limited transparency obligations, such as ensuring users know they are interacting with AI and marking AI-generated content.
General-Purpose AI: AI models that perform a broad range of tasks and can be integrated into various applications. These systems are subject to specific obligations, including cybersecurity measures and documentation requirements.
High-Risk AI Systems: Key Examples and Obligations
High-risk AI systems in sectors like healthcare, law enforcement, finance, and education face stringent requirements. This includes AI used in:
Biometrics: Emotion recognition and biometric identification.
Critical Infrastructure: Systems that support the operation of vital infrastructure (e.g., water, electricity).
Recruitment & Employment: AI used for hiring, evaluations, or promotions.
Public Services: AI used to assess eligibility for state benefits, healthcare, or emergency services.
For providers of high-risk AI systems, obligations include risk management, transparency, documentation, and regular assessments to mitigate risks.
Key Obligations for Providers and Deployers
Providers must ensure their AI systems meet safety standards and document their compliance efforts.
Deployers of high-risk AI must assess risks regularly, ensure appropriate safeguards, and provide transparency about AI interactions with users.
Penalties and Enforcement
Non-compliance with the AI Act can result in hefty fines. The maximum penalty can be as high as €35 million or up to 7% of a company’s global turnover, depending on the violation. Enforcement will likely be divided among national regulators and the European Commission, particularly for general-purpose AI.
Timeline for Implementation
The AI Act will gradually come into force, with key deadlines as follows:
6 months: Prohibited AI systems will be banned.
9 months: Codes of practice by the AI Office will be available.
12 months: Requirements for general-purpose AI models will take effect.
24 months: The majority of AI Act provisions will become enforceable.
36 months: Obligations for AI systems covered by EU product safety regulations will apply.
Preparing for the AI Act
Businesses should begin evaluating the legal risks associated with AI systems under both the AI Act and other relevant laws, such as the GDPR. While the AI Act will impact high-risk AI uses the most, many lower-risk AI applications may see less regulatory burden.
Unlike the EU, the UK has opted for a non-binding framework for AI regulation, with limited legislative intervention planned for the future. However, this could change following the 2024 UK general election.
Next Steps for Compliance
As the AI Act nears full implementation, businesses should prepare by:
Mapping AI-related roles and obligations across both the AI Act and GDPR.
Ensuring appropriate safeguards for AI systems, particularly those involving personal data.
Regularly reviewing AI governance frameworks and staying updated on new regulatory materials.
By proactively adopting AI governance measures, businesses can ensure they are well-positioned to meet regulatory requirements when the AI Act fully comes into force.