Late on the evening of Friday 8 December, Brussels saw a historic moment for AI regulation in Europe. After three days of extensive final debate, the EU Parliament, Council and Commission finally announced provisional agreement on the EU AI Act, the bloc’s landmark legislation regulating the development and use of AI in Europe. It is one of the world’s first comprehensive attempts to regulate the use of AI.
The EU AI Act awaits formal adoption by both Parliament and Council before it will become EU law.
The legislation has been some time in the making, starting with the EU Commission’s Proposal for a Regulation on AI in 2021. Following the explosion of interest in AI large language models in 2023, the nature of the regulation has had to evolve rapidly to keep pace with the technological advancements. Recent delays in the passing of the legislation have related to debates over whether and how the Act should regulate AI foundation models, the advanced generative AI models that are trained on large sets of data with the ability to learn and perform a variety of tasks, as well as over the use of AI in law enforcement.
The Act takes a prescriptive, risk-based approach to the regulation of AI products. AI is defined in line with the approach of the OECD to distinguish it from simpler software systems. Obligations are imposed on technology producers and deployers based on the risk category into which their technology fits. Technologies that pose “unacceptable” levels of danger are forbidden, while “high-risk” technologies face heavy restrictions. The list of prohibited technologies includes biometric identification systems, with narrowly defined law enforcement exceptions, as well as any other systems that use purposely manipulative techniques or social scoring, such as predictive policing systems and emotion recognition systems. Untargeted scraping of facial images from the internet and CCTV is banned, and AI used to create manipulated images, such as ‘deep fakes’, will need to make clear that the images are generated by AI.
Foundation models have been brought within the scope of the Act, which takes a similar tiered and risk-based approach to the obligations imposed on these models. Whilst details of the legislation are still to emerge, the EU has agreed a two-tiered approach for these models with “transparency requirements for all general-purpose AI models (such as ChatGPT)” and “stronger requirements for powerful models with systemic impacts”. An AI Office within the European Commission will be set up to oversee the regulation of the most advanced AI models.
In terms of obligations under the Act, those looking to provide and deploy AI face specific transparency and safety constraints. To limit threats to areas such as health, safety, human rights, and democracy, providers of high-risk AI must utilise protections at stages such as design and testing. This entails assessing and mitigating hazards, as well as registering models in an EU database. Certain users of high-risk AI systems that are public entities must also register in the EU database.
Penalties related to prohibited practices are up to EUR 35 million or 7% of a company’s annual global revenue, whilst violation of the Act’s obligations, or the incorrect supply of information, attract penalties of EUR 15 million or 3% of turnover, and EUR 7.5 million or 1.5% respectively. There is provision for more proportionate caps on administrative fines for SMEs and start-ups in the case of breach of the provisions of the AI Act. Exactly how the Act will be enforced is still to be made clear.
The provisional agreement makes clear that the EU AI Act does not apply outside the scope of EU law, which still catches providers of AI systems placed on the EU market irrespective of whether they are established in the EU, and does not affect member states’ competencies in national security. Nor does it apply to AI systems used solely for research and innovation or to people using AI for non-professional reasons. The Act will apply two years after it comes into force, with some exceptions for specific provisions.
Some technology groups and European companies have raised concerns with the legislation, fearing that it will stifle innovation in Europe, particularly with respect to foundation models. Technology groups argued that the uses of AI, rather than the technology itself, should be regulated (which more closely reflects the approach currently being taken in many other parts of the world). However, EU representatives believe that their final negotiations have achieved a better balance between enabling innovation and promoting responsible technology.
If you haven’t already conducted a risk assessment to identify the impact of the EU AI Act on your business, now is the time to get started – assess your AI systems to determine whether they will be subject to the EU AI Act once it enters into force and becomes applicable, and in which risk category your AI systems will fall.
Of course, compliance with the EU AI Act will be only one part of your Responsible AI governance programme. The EU AI Act may be heralded by the EU as the first comprehensive AI law, but there are many AI-related developments being introduced by lawmakers across the world and, of course, regulators are already scrutinizing organizations’ compliance with existing laws when it comes to AI (including with respect to data privacy, consumer protection, and discrimination).
Accordingly, we recommend that you:
- audit your development and use of AI within the organization and your supply chain;
- decide what your AI principles and redlines should be (likely to include ethical considerations that go beyond the law, including the parameters set by the EU AI Act);
- assess and augment existing risks and controls for AI where required (including to meet applicable EU AI Act requirements), both at an enterprise and product lifecycle level;
- identify relevant AI risk owners and internal governance team(s);
- revisit your existing vendor due diligence processes related to both (i) AI procurement and (ii) the procurement of third party services, products and deliverables which may be created using AI (in particular, generative AI systems);
- assess your existing contract templates and any updates required to mitigate AI risk; and
- continue to monitor AI and AI-adjacent laws, guidance and standards around the world to ensure that the company’s AI governance framework is updated in response to further global developments as they arise.