The transformative potential of artificial intelligence (AI) and automation is currently being intensively discussed and utilized. AI offers society and companies new perspectives and many advantages, for example to completely transform jobs and key industries.
However, amidst the global spread of AI in business and everyday life, concerns are also emerging about its ethical use and risks. In the global study "Trust in Artificial Intelligence", three out of five respondents expressed reservations about AI systems and 71% expect regulatory measures.
In response, the European Union (EU) has made significant progress with a provisional agreement on the ground-breaking Artificial Intelligence Act (AI Act), which will set a new global standard for AI regulation. The Act came into force in March 2024, meaning that most AI systems will have to comply with the Act's requirements by 2026. The AI Act takes a risk-based approach to protect fundamental rights, democracy, the rule of law and environmental sustainability.
The EU's AI Act aims to strike a balance to encourage the adoption of AI while safeguarding the rights of individuals to use AI responsibly, ethically and trustworthily.
Andreas Steffens
Director, Audit, Regulatory Advisory, Digital Process Compliance
KPMG AG Wirtschaftsprüfungsgesellschaft
Decoding the EU AI Act
Discover the potential impact of the AI Act to your organization.
Download PDF (1.8 MB) ⤓
AI holds immense promise to expand the horizon of what is achievable and to impact the world for our benefit — but managing AI’s risks and potential known and unknown negative consequences will be critical. The AI Act is set to be finalized in 2024 and aims to ensure that AI systems are safe, respect fundamental rights, foster AI investment, improve governance, and encourage a harmonized single EU market for AI.
The AI Act's definition of AI is anticipated to be broad and include various technologies and systems. As a result, organizations are likely to be significantly impacted by the AI Act. Most of the obligations are expected to take effect in early 2026. However, prohibited AI systems will have to be phased out six months after the AI Act comes into force. The rules for governing general-purpose AI are expected to apply in early 2025.1
The AI Act applies a risk-based approach, dividing AI systems into different risk levels: unacceptable, high, limited and minimal risk.2
High-risk AI systems are permitted but subject to the most stringent obligations. These obligations will affect not only users but also so-called ‘providers’ of AI systems. The term ‘provider’ in the AI Act covers developing bodies of AI systems, including organizations that develop AI systems for strictly internal use. It is important to know that an organization can be both a user and a provider.
Providers will likely need to ensure compliance with strict standards concerning risk management, data quality, transparency, human oversight, and robustness.
Users are responsible for operating these AI systems within the AI Act’s legal boundaries and according to the provider's specific instructions. This includes obligations on the intended purpose and use cases, data handling, human oversight and monitoring.
New provisions have been added to address the recent advancements in general-purpose AI (GPAI) models, including large generative AI models.3 These models can be used for a variety of tasks and can be integrated into a large number of AI systems, including high-risk systems, and are increasingly becoming the basis for many AI systems in the EU. To account for the wide range of tasks AI systems can accomplish and the rapid expansion of their capabilities, it was agreed that GPAI systems, and the models they are based on, may have to adhere to transparency requirements. Additionally, high-impact GPAI models, which possess advanced complexity, capabilities, and performance, will face more stringent obligations. This approach will help mitigate systemic risks that may arise due to these models' widespread use.4
Existing Union laws, for example, on personal data, product safety, consumer protection, social policy, and national labor law and practice, continue to apply, as well as Union sectoral legislative acts relating to product safety. Compliance with the AI Act will not relieve organizations from their pre-existing legal obligations in these areas.
Organizations should take the time to create a map of the AI systems they develop and use and categorize their risk levels as defined in the AI Act. If any of their AI systems fall into the limited, high or unacceptable risk category, they will need to assess the AI Act’s impact on their organization. It is imperative to understand this impact — and how to respond — as soon as possible.
1 European Commission. (December 12, 2023). Artificial Intelligence - Questions and Answers.
² European Council. (December 9, 2023). Artificial Intelligence Act Trilogue: Press conference - Part 4.
³ European Parliament. (March 2023). General-purpose artificial intelligence.
4 European Commission. (December 12, 2023). Artificial Intelligence - Questions and Answers.
Further interesting Insights for you
Further contact persons
Dirk Distelrath
Partner, Audit, Regulatory Advisory, Digital Process Compliance
KPMG AG Wirtschaftsprüfungsgesellschaft
Matthias Peter
Partner, Financial Services
KPMG AG Wirtschaftsprüfungsgesellschaft
Francois Heynike, LL.M. (Stellenbosch)
Partner
Leiter Technologierecht
KPMG Law Rechtsanwaltsgesellschaft mbH
+49-69-951195770
Kontaktformular
Connect with us
- Find office locations kpmg.findOfficeLocations
- kpmg.emailUs
- Social media @ KPMG kpmg.socialMedia