EU’s AI Act: Implications for Non-EU Providers and Deployers

Regulation (EU) 2024/1689 on Artificial Intelligence: Overview of the AI Act

The Artificial Intelligence Act (hereinafter referred to as the AI Act), adopted by the Council on 21 May 2024 and published in the Official Journal of the European Union (OJEU) on 12 July 2024, aims to establish harmonized rules for the deployment and use of AI systems across the European Union (EU). The act’s primary purpose is to enhance the functioning of the internal market while ensuring a high level of protection for health, safety, and fundamental rights.

Purpose of the AI Act

The purpose of the AI Act is to improve the internal market and promote the uptake of human-centric and trustworthy artificial intelligence, while safeguarding fundamental rights enshrined in the Charter of Fundamental Rights of the European Union. This includes ensuring democracy, the rule of law, and environmental protection against potential harmful effects of AI systems.

Scope and Applicability

The AI Act applies not only to providers and deployers based within the EU but also has an extraterritorial scope. This means it affects providers (those who develop or place AI systems on the market) and deployers (those who use AI systems) from non-EU countries if their AI systems affect individuals within the EU.

Implementation Timeline

The implementation of the AI Act is progressive, with different provisions coming into effect at staggered intervals:

• General provisions and rules related to AI systems with an unacceptable risk will be applicable from February 2, 2025.
• Provisions regarding governance and confidentiality will be active from August 2, 2025.
• High-risk AI systems will be governed under the act starting from August 2, 2027.

Key Provisions of the AI Act

The AI Act categorizes AI systems based on their risk levels and imposes varying degrees of regulatory requirements:

1. Unacceptable Risk

The AI Act prohibits certain AI practices deemed to pose an unacceptable risk. These include:

• Deploying subliminal techniques that manipulate individuals’ behavior without their awareness.
• Exploiting vulnerabilities due to age, disability, or socio-economic status.
• Using AI for social scoring that leads to unfair treatment of individuals.

2. High Risk

AI systems identified as high-risk must comply with stringent requirements. These systems may include:

• Biometrics (e.g., facial recognition systems).
• Critical infrastructure management (e.g., AI systems for transport and energy).
• Employment-related systems (e.g., recruitment AI).

Providers of high-risk AI systems are required to maintain comprehensive documentation, conduct risk assessments, and ensure human oversight.

3. Lower Risk

For lower-risk AI systems, the Act mandates transparency obligations. Providers must inform users when they are interacting with an AI system and ensure that AI-generated content is clearly marked.

Governance and Compliance

The EU will establish an AI Office to oversee compliance with the AI Act. This office will be supported by the European Artificial Intelligence Board, which provides guidance and assists member states in applying the Act consistently.

Penalties for Non-Compliance

Violations of the AI Act can lead to substantial fines, which can reach up to €35 million or 7% of the total worldwide annual turnover, depending on the severity of the infringement. The penalties aim to ensure compliance and deter non-compliance.

Conclusion

The AI Act positions the EU as a leader in establishing ethical and regulated AI frameworks while fostering innovation and market entry for SMEs and startups. The Act’s comprehensive approach to risk management reflects a commitment to balancing technological advancement with the protection of fundamental rights.