Artifical Intelligence (AI)

The AI Regulation (AI Act) officially came into force on August 1, 2024, but its provisions will not apply immediately. According to Article 113 of the AI Act, the regulation will generally take effect from August 2, 2026. However, certain sections of the regulation will become enforceable earlier.

A key date to note is February 2, 2025, when specific obligations start to apply. From this date, organizations must ensure employees who work with AI systems have adequate AI skills (Article 4), and certain AI practices that are considered manipulative or deceptive will be prohibited. This early implementation phase is crucial for preparing companies to comply with the upcoming requirements.

The AI Act aims not to restrict the use of AI but to ensure a functional single market within the EU and harmonize the legal framework across member states. From the outset, the regulation clearly outlines its protection goals in the recitals: it seeks to safeguard "health, safety, and the fundamental rights enshrined in the Charter of Fundamental Rights of the European Union (‘the Charter’), including democracy, the rule of law, and environmental protection" (Recital 1 of the AI Act).

By referencing the Charter, which explicitly includes the right to respect for private and family life, as well as the right to the protection of personal data, the AI Act fully integrates data protection into its regulatory framework. This approach ensures that AI development and deployment in the EU align with fundamental rights and privacy standards, emphasizing the importance of protecting personal data in the use of AI technologies.

The AI Act governs the development, provision, and use of AI with the overarching goal „to improve the functioning of the internal market and promote the uptake of human-centric and trustworthy artificial intelligence (AI)“ (Article 1(1) of the AI Act).

The AI Regulation (AI Act) explicitly outlines a list of prohibited AI practices in Article 5, which will take effect starting February 2, 2025. These banned practices aim to prevent harmful or unethical uses of AI, and include (but are not limited to):

1. Techniques of Subliminal Manipulation: AI systems that influence individuals outside their conscious awareness.
2. Intentionally Manipulative or Deceptive Techniques: Practices designed to manipulate people’s behavior or decisions in a misleading way.
3. Exploitation of Vulnerabilities: Using AI to exploit the vulnerabilities or special needs of individuals, particularly those who are in a state of vulnerability (e.g., children, elderly people).
4. Social Scoring: Evaluating or categorizing individuals or groups over time based on their social behavior, personal characteristics, or predicted traits.
5. Emotion Recognition in Sensitive Environments: Inferring emotions in contexts such as workplaces or educational settings.
6. Biometric Categorization: Using biometric data to categorize individuals in ways that could reveal or infer sensitive information, such as race, political views, union membership, religious beliefs, sexual life, or sexual orientation.

Organizations that identify any of these prohibited practices in their AI systems should review Article 5 of the AI Act in detail, as some practices may only be prohibited under specific conditions or circumstances.

The classification of an AI system as a high-risk AI system is governed by Article 6 of the AI Regulation (AI Act). For the year 2026, Article 6(1) can largely be disregarded, as the systems mentioned there will not be classified as high-risk until August 2, 2027 (as indicated in Article 113(c) of the AI Act).

The primary criteria for determining whether a system is considered high-risk are outlined in Article 6(2). However, the actual classification is detailed in Annex III of the regulation, which lists specific AI applications that fall under the high-risk category.

Regardless of Annex III, a system is not deemed high-risk if it does not present a significant risk of harm to the health, safety, or fundamental rights of individuals. Specifically, this applies when the system does not substantially influence the outcome of decision-making processes (Article 6(3)). This exemption helps ensure that only genuinely impactful AI applications are subject to stringent high-risk requirements.

The AI Regulation (AI Act) defines various roles within the AI value chain, including operators, providers, importers, and distributors, each with specific responsibilities to ensure compliance.

1. Operator: As per Article 3(4), an operator is a natural or legal person, public authority, or other entity that uses an AI system under its own responsibility, except when the AI system is used for personal and non-professional purposes.
2. Provider: Defined in Article 3(3), a provider is an entity (natural or legal person, authority, or organization) that develops an AI system or a general-purpose AI model, or commissions its development, and places it on the market or puts it into service under its own name or trademark, whether for free or for a fee.
3. Importer: According to Article 3(6), an importer is a person or entity established within the EU that brings an AI system to market, which bears the name or trademark of a person or entity established outside the EU.
4. Distributor: As outlined in Article 3(7), a distributor is a natural or legal person in the supply chain who makes an AI system available on the EU market, excluding the provider or importer.

The term "actor" is used in Article 3(8) as a collective term that encompasses all these roles: provider, manufacturer, operator, authorized representative, importer, and distributor. Each actor has distinct obligations to ensure the safe and ethical deployment of AI systems, depending on their role in the AI ecosystem.

The AI Act distinguishes between AI systems and general-purpose AI models, each with specific definitions and implications.

1. AI System: As defined in Article 3(1), an AI system is a machine-based system designed to operate with varying degrees of autonomy. It can adapt after deployment and uses input data to produce outputs, such as predictions, content, recommendations, or decisions, that can affect physical or virtual environments.
2. General-Purpose AI Model: According to Article 3(63), a general-purpose AI model is an AI model with significant general applicability, capable of competently performing a wide range of different tasks, regardless of how it is marketed. It can be integrated into various downstream systems or applications. Furthermore, Article 51(2) assumes that a general-purpose AI model possesses high-impact capabilities if the total amount of computation used for its training exceeds 10²⁵ floating-point operations.

These distinctions help ensure that different AI technologies are regulated according to their capabilities and potential impact.