Main goals
The European Commission has set out four main goals for the regulatory framework:
The Act sets out a unified definition of AI, which includes machine learning as well as expert systems and statistical models. The Act defines AI as „software that is developed with one or more of the techniques and approaches listed in Annex I and can, for a given set of human-defined objectives, generate outputs such as content, predictions, recommendations, or decisions influencing the environments they interact with“.
It also harmonises the rules for the development, launch and use of AI systems across the EU, based on a balanced risk-assessment approach..
Levels of risks
The Act follows a risk-assessment approach that distinguishes between the AI used, creating (i) unacceptable risk, (ii) high risk, (iii) limited risk and (iv) minimal risk.
AI systems that are a threat to humans are considered an unacceptable risk. This includes, in particular, systems that:
Such systems will be banned. However, in certain cases they may be exempted.
AI systems that have a negative impact on security or fundamental rights will be considered high risk. These will be divided into two main categories. The first category will be systems that are used in products covered by EU product safety legislation. These include toys, cars, medical devices, lifts or aerospace products.
The second category includes AI systems from eight specific areas that will have to be registered in the EU database, including:
High risk AI systems must comply with strict quality rules and disclosure, control and monitoring requirements. The Act deals in detail with these high risk systems. The specific regulatory requirements impact in particular on their providers. Providers will have to, among other things, develop a risk management system throughout the life cycle of the system, perform data management, create technical documentation to demonstrate compliance, create user instructions, implement a quality management system, etc.
However, it is not only the providers, but also others in the “chain”, such as importers, distributors or users of such systems. The role of importers and distributors is primarily to verify that the high risk system complies with the applicable regulations. This means that the importer must verify the conformity of the system by checking its documentation, while the distributor must verify that the system has the CE marking (conformité européenne). The CE marking demonstrates that the product complies with EU safety, health and environmental requirements.
The challenge for users is to use the high risk AI system in accordance with the instructions provided by the provider. In the future, we will certainly not avoid situations where a user, i.e. a company or its customers, will suffer damage as a result of using the system. It will be subject to litigation to prove whether the AI system was used in accordance with or in violation of the rules for its use. Other obligations include, for example, the need for human supervision of the system, monitoring of input data and system operation, and retention of automated records for at least six months.
For AI systems with limited risk, meeting minimum transparency requirements will be sufficient under the new regulatory framework. Their users will have to be informed that they are interacting with AI and will have to be able to decide whether or not they want to continue using the system.
This category will mainly include AI systems that generate or manipulate image, audio or video content.
The Act allows for essentially free use of AI with minimal risk. This group includes applications such as video games or spam filters.
GPAI stands for "general purpose AI". It refers to systems such as ChatGPT. These are among the most widely used types of AI by the public today. GPAI can be classified as high-risk AI systems if they can be directly used for at least one purpose that is classified as high-risk. Special rules apply to providers of all GPAI models and they must meet the following requirements:
EUROPEAN AI OFFICE
The European Artificial Intelligence Authority ("the Authority") will be established within the European Commission as part of the Directorate-General for Communications Networks, Content and Technology. The Office forms the foundation for a unified European AI governance system.
In particular, it will play a key role in the implementation of the Act by supporting national administrations. Primarily, it will enforce the rules for GPAI systems, will have powers to require information from AI system providers and will also have the power to impose sanctions for breaches of the Act.
The Office will work with both Member States and the wider expert community through dedicated forums and expert groups. Specifically, the Office will be tasked with supporting the Act and enforcing the rules set out therein, contributing to the application of the Act among Member States, including the establishment of various advisory bodies at EU level, developing tools and methodologies for assessing the capabilities and impact of AI systems, preparing guidelines and directives to support the effective implementation of the Act, etc..
The Act also contains significant sanctions for breaches of the rules contained therein, in particular sanctions for breaches of the absolute prohibition on the use of certain AI systems and sanctions for operators for breaches of their obligations..
There are two types of sanctions. They are either fixed penalties or penalties expressed as a percentage of the company's annual turnover, with the higher option being applied. In the case of operators, a fine of up to EUR 15 million or 3% of annual turnover may be imposed. For breaches of the absolute prohibition, the fine can be up to EUR 35 million or 7% of the company's annual turnover..
When imposing a fine, it will also take into account:
As already indicated above, an AI Office will be established within the Commission to monitor the effective implementation and compliance of GPAI model providers.
The effectiveness of the Act is divided into four main timelines:
CONCLUSION