Four Key Things You Should Know About the EU AI Act

Photo 037

AI is already part of day-to-day business for many organisations, whether through customer-facing tools, internal systems or as part of their own service offering. The EU AI Act introduces harmonised rules for the development, supply and use of AI across the EU. Importantly, it is not just relevant to businesses developing AI systems. It can also apply to companies that buy, use, or integrate AI tools into their own business operations. Below, we look at four key things businesses should know about the EU AI Act.

1. What AI does the EU AI Act cover?

At the heart of the EU AI Act is the concept of an AI system. The Act only applies to technology falling within that definition. It defines an AI system as follows:

"a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.”

The definition is designed to capture systems with AI capabilities such as learning, reasoning or modelling, rather than traditional software that simply follows fixed human instructions.

The Act sets out a risk-based approach – in a nutshell, AI systems can fall under one of the following five categories:

  • Prohibited AI practices;
  • High-risk AI systems;
  • AI systems which are intended to interact directly with an individual or which create content viewed by an individual;
  • General Purpose AI (GPAI) models;
  • Minimal risk / no-risk AI systems.

Minimal risk / no-risk AI systems: Most AI systems will likely fall into the minimal or no-risk category and will not be subject to detailed obligations set out under the EU AI Act – apart from the broad obligation around AI literacy. This obligation applies to all AI systems, and obliges providers and other persons to have sufficient skills, knowledge and understanding of AI systems to allow them to deploy AI systems in an informed manner.

Prohibited AI practices: Some uses of AI are banned altogether. These are the uses the EU considers incompatible with its values and fundamental rights. Prohibited AI practices are, for example: Subliminal techniques which can materially distort a person's behaviour by impairing their ability to make an informed decision in a way that causes or is reasonably likely to cause them significant harm; social scoring systems based on known, inferred or predicted personality characteristics; or emotion recognition systems in the workplace or educational institutions, subject to limited exceptions.

High-risk AI systems: Other AI systems are not banned, but are treated as high-risk, namely:
a) AI systems forming part of products that are covered by existing EU product safety legislations, and
b) AI systems that fall within specific high-risk categories listed in the Act and additionally pose a significant risk of harm to health, safety or fundamental rights. This can include AI systems used in areas such as biometrics, critical infrastructure, education, or employment.

If a system is classed as high-risk, it must meet a number of requirements in order to be compliant with the EU AI Act. Key requirements include appropriate risk management, data quality, technical documentation, automatic record-keeping, and allowing for human oversight.

AI systems which are intended to interact directly with an individual or which create content viewed by an individual: These AI systems may not qualify as being high-risk, but are subject to specific transparency requirements. This is particularly relevant for chatbots, generative AI tools and other customer-facing systems. Individuals will generally need to be told when they are interacting with an AI system. Certain AI-generated or manipulated content may need to be labelled clearly as being artificially generated or manipulated.

General Purpose AI (GPAI) models: The Act also introduces a separate regime for providers of general-purpose AI (GPAI) models. These models are capable of performing a wide range of tasks and may be integrated into numerous downstream applications, subject to specific exemptions. Providers of GPAI models are subject to a range of obligations, for example, maintaining technical documentation, sharing up to date information with further operators within the supply chain, complying with EU copyright legislation and providing training data summaries. Where a GPAI model presents a systemic risk, additional and more stringent requirements apply.

2. Who needs to comply?

The Act applies across the AI supply chain, not just to the business that originally developed the technology. In case of high-risk AI systems, the Act imposes obligations on providers, deployers, importers, and distributors of the supply chain.

Two important operators in a supply chain are providers and deployers. A provider is the organisation that develops an AI system or GPAI model, or arranges its development, and places it on the market or puts it into service under its own name. A deployer is an organisation that uses an AI system under its authority, other than in the course of a purely personal, non-professional activity. This can cover, for example, an employer making available an AI system to its staff.

This distinction matters because obligations vary by operator, and providers generally face the most onerous ones. A sensible first step for most businesses will be to work out their position in the AI supply chain and the role they play in relation to the AI tools they develop, integrate or use.

3. Where does it apply?

The EU AI Act has a wide territorial reach. It applies not only to organisations established or located in the EU, but also to organisations outside the EU where their AI systems or GPAI models are placed on the EU market, put into service in the EU, or where the output of the AI system is used in the EU.

So, even if a business is based outside the EU, it may still need to comply with the EU AI Act if its AI tools or their outputs are available and used in the EU.

4. What are the consequences of getting it wrong?

The EU AI Act sets out potentially substantial fines, particularly for prohibited practices and other serious breaches. The level of fine depends on the nature of the breach.

For example, for non-compliance with the prohibited AI practice rules can attract fines of up EUR35 million or, for companies, 7% of total worldwide annual turnover for the preceding financial year, whichever is higher.

What should businesses do now?

A key first step for organisations is to understand how AI is being used across their business. That means identifying the relevant tools and systems used, understanding whether the organisation is acting as a provider or deployer or other relevant operator, and considering whether any use cases could fall under the scope of the EU AI Act and trigger significant compliance obligations.

The EU AI Act is only part of the picture when it comes to developing, buying in or using AI tools. Businesses should also be thinking about wider legal and commercial issues, including data protection, intellectual property and the contractual framework that underpins their use of AI. Clear contractual terms can help address points such as ownership of outputs, liability for inaccurate inputs or outputs, responsibility for non-compliance in the supply chain, and the risk of third-party IP infringement. We can help with reviewing AI-related contracts, and drafting terms that reflect how your business develops, supplies or uses AI. For businesses looking for ongoing support, our Small Print Service offers a monthly subscription contract support package for SMEs which allows for certainty over legal fees and easy access to prompt, pragmatic advice that helps identify the small print that you might miss.


Want to learn more about how we can help you with agreements related to the supply or use of AI?

Contact a member of our IPDC team
Contact Us

This article does not constitute legal advice and should not be relied upon for business or legal decisions.

You must enable javascript to view this website