An Overview of the EU AI Act: What You Need to Know

Overview

Regulatory agencies and governments have been moving to institute policies and regulations that encourage artificial intelligence (AI) innovation and protect humans from potential pitfalls. Leading the way, the European Union (EU) recently passed the EU AI Act, which provides an extensive framework for evaluating and regulating the development and usage of AI in the EU [1]. Given the central role of the EU in the global economy and the commonplace usage of the internet to transcend national borders, many companies will need to comply with this act [2].

Introduction to the EU AI Act

Having taken effect on August 1, 2024, the EU AI Act represents the European Commission’s work to establish a framework for determining whether a particular implementation of AI is “trustworthy,” with trustworthiness considered in terms of whether a given risk of AI is acceptable [3].

An artificial intelligence system (“AI system”) is defined broadly in the act as “a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.” [1]

Additionally, the act differentiates between AI systems, as defined above, and “General Purpose AI Models” (GPAI) upon which AI systems are built. GPAI are defined as models that are “trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market, and that can be integrated into a variety of downstream systems or applications, except AI models that are used for research, development or prototyping activities before they are placed on the market.” [1]

Scope of the EU AI Act

The EU AI Act regulates AI systems and GPAI independently of one another. For AI systems, it outlines an oversight mechanism based on assessing the potential risks that the AI could cause, and it sorts systems into four risk tiers: minimal, limited, high, and unacceptable. Systems with the most risk, a level deemed “unacceptable,” are banned from the EU. Examples of each risk tier are [4]:

  • Minimal risk: AI-enabled spam filters (the EU AI Act allows free use of minimal risk AI)
  • Limited risk: AI systems such as chatbots (the EU AI Act has specific transparency obligations for such limited risk systems)
  • High risk: AI technology used in employment and hiring procedures (high-risk AI systems are subject to strict requirements before being put on the market)
  • Unacceptable risk: AI systems used for social scoring by governments (unacceptable risk systems are banned)

Further, GPAI models are categorized as posing either a “normal” or a “systemic” risk. A GPAI model meets the criterion for “systemic risk” if it has what are considered “high impact capabilities,” which are defined as computation used for training exceeding 10^25 FLOPS, or if the European Commission deems it to have systemic risk (for example, after being notified by a panel of experts).

These designations and the requisite compliance with each tier fall upon any organization that develops, provides, or deploys AI, GPAI, or the output of either in or to the EU.

What the EU AI Act Means for Companies

Though approved in August 2024, the EU AI Act’s requirements will take effect gradually over the next few years [5]. The first set of requirements—including the ban on prohibited AI practices—will go into effect on February 2, 2025. Thus, depending on the specific nature of the AI used and the risk category, various steps must be taken by organizations to ensure compliance.

Non-compliance by companies may result in steep fines, with the European Commission indicating the following penalties [6]:

  • Up to 7% of global annual turnover for violations of banned AI applications
  • Up to 3% of global annual turnover for violations of other obligations
  • Up to 1.5% of global annual turnover for supplying incorrect information

Best Practices for Navigating Compliance

The following steps are recommended as companies move towards complying with the EU AI Act [7]:

  • Designate a panel or individual within your organization to review and study the EU AI Act and determine its potential applicability to your organization. You may want to consider using the EU compliance checker to get an approximation of the level of risk, if any, for your product or system [8].
  • Conduct an AI inventory of all the products or systems within your organization that would fall under the purview of the EU AI Act.
  • Develop an internal AI governance framework that will determine how to proceed with the next steps, which will likely include:
    • Implementing a risk management process
    • Ensuring that all technical, security, and other documentation is thorough, complete, and up-to-date
    • Creating documentation and instructions for deployers and humans providing appropriate oversight
    • Ensuring that cybersecurity systems are robust and meet requirements
    • Ensuring the quality of input data and adhering to applicable national and EU copyright and privacy laws
  • Liaise with counsel to ensure that all requirements are met

EU AI Training

CITI Program’s EU AI Act course explores the transformative landscape of artificial intelligence regulation. This training thoroughly introduces the world’s first legally binding AI legislation, adopted by the European Union in 2024. Designed to address the rapid proliferation of AI technologies, the EU AI Act transitions AI policy from voluntary ethical standards to a robust legal framework based on risk assessment and compliance obligations.

In this course, learners review the EU AI Act’s scope and structure, its risk-based approach, and the role of conformity and fundamental rights impact assessments. They also gain insights into the EU AI Act’s enforcement mechanisms, its interplay with European data protection laws, and its position within the broader digital policy landscape. Licensed from the Future of Privacy Forum, this training equips professionals with the knowledge to navigate and comply with this groundbreaking legislation while understanding its global implications.

Summary

The European Union has produced a comprehensive regulatory framework to ensure the safe usage of AI in the EU. As the EU AI Act requirements will go into effect over time, there is still time to ensure compliance. The penalties for non-compliance are significant enough to warrant designating appropriate parties within one’s organization to be involved in the process. As with any endeavor of this complexity and importance, consultation with your organization’s legal counsel will be paramount and is strongly encouraged.

References

1. The European Parliament and The Council of the European Union. 2024. “Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (Text with EEA relevance).” Official Journal of the European Union.

2. Kosinski, Matt, and Mark Scapicchio. 2024. “What is the Artificial Intelligence Act of the European Union (EU AI Act)?” IBM Blog, September 20. Accessed December 12, 2024.

3. Laux, Johann, Sandra Wachter, and Brent Mittelstadt. 2024. “Trustworthy artificial intelligence and the European Union AI act: On the conflation of trustworthiness and acceptability of risk.” Regulation & Governance 18(1):3-32.

4. EU Artificial Intelligence Act. 2024. “High-level summary of the AI Act.” Accessed December 12, 2024.

5. EU Artificial Intelligence Act. n.d. “Implementation Timeline.” Accessed December 12, 2024.

6. European Commission. 2024. “European Artificial Intelligence Act comes into force.” Accessed December 12, 2024.

7. Thelisson, Eva, and Himanshu Verma. 2024. “Conformity assessment under the EU AI act general approach.” AI and Ethics 4(1):113-21.

8. EU Artificial Intelligence Act. n.d. “EU AI Act Compliance Checker.” Accessed December 12, 2024.