The EU adopts groundbreaking AI regulation: what you need to know

On 9 December 2023, the negotiators of the European Parliament and the Council Presidency agreed on the final version of what is described as the world’s first comprehensive legal framework for artificial intelligence: the “Regulation of the European Parliament and of the Council laying down harmonized rules on artificial intelligence and amending certain Union acts” or “EU AI Regulation” for short.

The law prohibits the use of AI systems that pose an “unacceptable risk” in the European Union. In other cases, it sets out different obligations for AI systems that are classified as “high risk” or “limited risk”.

Agreement was also reached on the regulation of so-called foundation models, including measures to comply with European copyright law, requirements to publish detailed summaries of the content used to train these systems and to produce technical documentation relating to the use of the models.

Who is affected by the regulation?

The law applies to both providers and users of AI systems that are used in the EU or have an impact on the EU. The location of the provider is irrelevant. Accordingly, providers or users of AI systems in third countries such as the United States are also affected by the EU AI Regulation, provided that the output of the system is used in the EU.

Which AI systems does the law cover?

The law uses the definition of AI systems proposed by the OECD: “An AI system is a machine-based system that derives from the inputs fed to it how to generate outputs such as predictions, content, recommendations or decisions that can affect physical or virtual environments.”

The law does not apply to AI systems:

  • which are used exclusively for military or defense purposes;
  • which are used exclusively for research and innovation purposes; and
  • which are used by persons for non-professional reasons.

The EU AI Regulation covers certain applications, including AI systems for emotion recognition in the workplace and for capturing facial images from the internet or CCTV footage to create facial recognition databases. The use of AI systems to perform remote biometric identification in public will only be permitted if this is necessary for law enforcement purposes. However, safeguards must be put in place to ensure that these systems are only used to search for people suspected of serious crimes.

What are the requirements of the regulation?

The auditing and security requirements depend on the level of risk posed by the AI system to its users and other stakeholders of the respective system. While AI applications that pose unacceptable risks are prohibited, AI systems with limited risk are subject to lighter transparency obligations, such as notifying users that the content they are using has been generated by AI.

High-risk AI systems, on the other hand, are subject to stricter requirements and obligations, such as the implementation of a mandatory risk impact assessment, in particular with regard to compliance with fundamental rights. In addition, high-risk systems are subject to an approval procedure. Users have the right to receive explanations about decisions based on high-risk AI systems that affect their rights.

What are the penalties for non-compliance?

Similar to the calculation of fines under the European General Data Protection Regulation, fines for violations of the law are calculated as a percentage of the liable party’s global annual turnover in the previous financial year or as a fixed amount, whichever is higher:

  • 35 million euros or 7% for infringements involving the use of prohibited AI applications;
  • 15 million euros or 3% for breaches of the obligations under the Act; and
  • 7.5 million euros or 1.5% for providing false information.

However, proportional upper limits for fines against small and medium-sized enterprises and start-ups will be introduced. Citizens can submit complaints about the use of AI systems that affect them.

When does the regulation come into force?

The regulation is now undergoing technical fine-tuning and will then be submitted to the representatives of the EU member states for approval. In principle, the law should apply two years after its entry into force, although some provisions will apply at a later date. This is because detailed issues still need to be clarified, which is why it is quite likely that the law will come into force in 2026.

The author and your usual contacts will be happy to answer any questions you may have!

Micaela Schork, LL.M.
schork@tigges.legal
+49 211 8687 134