What the EU law on AI means

AI holds the great promise of expanding the horizons of what is achievable and changing the world for our benefit. Dealing with the risks and known and unknown negative consequences of AI will be crucial. The AI Act was passed in March 2024 and aims to ensure that AI systems are safe, respect fundamental rights, encourage AI investment, improve governance and promote a harmonised EU single market for AI.

The definition of AI contained in the AI Act is broad and covers various technologies and systems. As a result, organisations are significantly affected by the AI Act. Most obligations will come into force at the beginning of 2026. However, banned AI systems must be withdrawn from use no later than six months after the AI Act comes into force. The rules for general AI will come into force at the beginning of 2025.¹

The AI Act follows a risk-based approach that categorises AI systems into different levels of risk: unacceptable, high, limited and minimal risk.²

High-risk AI systems are permitted, but are subject to the strictest obligations. These obligations apply not only to the users, but also to the so-called "providers" of AI systems. The term "provider" in the AI Act covers the developers of AI systems, including organisations that develop AI systems for purely internal use. An organisation can be both a user and a provider.

Providers will have to ensure compliance with strict standards in terms of risk management, data quality, transparency, human oversight and robustness.

Users of AI are responsible for operating their AI systems within the legal boundaries of AI law and according to the specific instructions of the provider (shared responsibility). This includes obligations in relation to the intended purpose and use cases, data processing, human oversight and monitoring.

New provisions have been added to take account of recent advances in general purpose AI (GPAI) systems, including large generative AI models such as GPT.³ These models can be used for a variety of tasks and can be integrated into a large number of AI systems, including high-risk systems. They are increasingly forming the basis for many AI systems in the EU. To take account of the wide range of tasks performed by AI systems and the rapid expansion of their capabilities, it has been agreed that GPAI systems and the models on which they are based must fulfil transparency requirements. In addition, GPAI models with higher complexity, capabilities and performance will be subject to stricter requirements. This approach will help to mitigate systemic risks that may arise from the widespread use of these models.⁴

Existing EU laws, for example on personal data, product safety, consumer protection, social policy and national labour law and practice, continue to apply. The same applies to the sectoral legal acts of the European Union. Compliance with the AI Act does not release organisations from their existing legal obligations in these areas.

What you need to do now:

Inventory: Companies should take the time to create an overview of the AI systems they have developed and use.

Categorisation: These AI systems should then be categorised according to the risk levels as defined in the AI Act.

Assessment: If any of the AI systems surveyed fall into the limited, high or unacceptable risk category, you will need to assess the impact of the AI Act on your organisation.

Implementation: Additional measures to reflect appropriate governance and compliance must be implemented for the AI systems concerned in accordance with the AI Act.