Artificial Intelligence Act
Status: In draft
- Formal approval of the final text by the Parliament on 13 March 2024 and formal endorsement by the Council expected in April. Expected entry into force by the end of Q2 or in Q3/2024.
- Application expected by the end of Q2 or in Q3 2026 (2 years after its entry into force) of generally all rules of the AI Act including obligations for high-risk systems defined in Annex III (list of high-risk use cases), with certain exceptions where obligations are applicable earlier/later. Exceptions in detail:
- 6 months after entry into force (i.e. probably by the end of Q4 2024 or in Q1 2025) Member States shall phase out prohibited systems;
- after 12 months (i.e. probably by the end of Q2 or in Q3 2025) obligations for new general purpose AI governance become applicable;
- after 24 months (i.e. probably by the end of Q2 or in Q3 2026) all rules of the AI Act become applicable including obligations for high-risks systems defined in Annex III (list of high-risk use cases);
- after 36 months (i.e. probably by the end of Q2 or in Q3 2027) obligations for high-risks systems defined in Annex II (list of Union harmonisation legislation) apply.
Summary
The AI Act introduces EU-wide minimum requirements for AI systems and proposes a sliding scale of rules based on the risk: the higher the perceived risk, the stricter the rules. AI systems with an ‘unacceptable level of risk’ will be strictly prohibited and those considered as ‘high-risk’ will be permitted but subject to the most stringent obligations. The AI Act is also regulating foundation models and generative AI systems under the label of ‘General Purpose AI’ with a specific set of obligations.
Scope
Applies in varying degrees to providers, users, end-product manufacturers, importers or distributors of AI systems, depending on the risk.
Key elements
- Risk-based approach to AI systems: the higher the perceived risk, the stricter the rules. AI systems with an ‘unacceptable level of risk’ to European fundamental rights, like social scoring by governments, will be strictly prohibited. ‘High-risk’ systems, like automated recruitment software, will be subject to the most stringent obligations and limited-risk systems, like chatbots and deep fakes, will be subject to transparency rules. Free use of minimal-risk systems like AI enabled video games or SPAM filter.
- Specific regulation on General Purpose AI (foundation models), tiered approach with baseline obligations for all General Purpose AI (GPAI) systems and models, and add-on obligations for GPAI models with ‘systemic risks’.
- Developers of high-risk AI systems must conduct a self-conformity assessment. High-risk AI systems and foundation models must be registered in an EU database.
- Fines:
- up to €35m or 7% of global annual turnover for infringements on prohibited practices or non-compliance related to requirements on data;
- up to €15m or 3% of global annual turnover for other requirements or obligations of AI Act, including the rules on general-purpose AI models;
- up to €7.5m or 1% of global annual turnover for providing incorrect information, incomplete or misleading information.
Challenges
- Legal uncertainty from self-conformity assessment
- High administrative burden from documentation obligations, including:
- Risk management system
- Registration of stand-alone AI systems in EU database
- Declaration of conformity needs to be signed
- For generative AI: Sufficiently detailed summary of copyrighted material training data, safeguards to ensure legality of output
- Overlap with GDPR / redundancies
Key Freshfields contact(s):
Dr. Theresa Ehlen パートナー
Düsseldorf, Frankfurt am Main
Dr. Christoph Werkmeister パートナー
Düsseldorf
Dr. Lutz Riede パートナー
Vienna, Düsseldorf
Giles Pratt パートナー
London
Rachael Annear パートナー
London
Matthias Hofer プリンシパル・アソシエイト
Vienna
Zofia Aszendorf シニア・アソシエイト
London
Rachel Zaldivar Johnson シニア・アソシエイト
New York
Tochukwu Egenti アソシエイト
London