Exploring EU AI Act in Two Parts: 10 Questions to Understand and 10 to Master 

Part I: EU AI ACT – High-Level Overview 

What is the EU AI Act? 

The EU AI Act is a groundbreaking legal framework that seeks to regulate Artificial Intelligence (AI) systems to mitigate potential risks and ensure ethical development and deployment within the European Union. It is the first comprehensive legislation of its kind globally, aiming to establish a balance between fostering innovation and protecting fundamental rights. 

What is the scope of the AI Act? 

The AI Act applies to AI systems developed, deployed, or used within the EU market, regardless of the provider’s location. It covers various stakeholders, including providers, deployers, importers, and distributors of AI systems. However, it excludes AI systems developed or used exclusively for military, defense, or national security purposes. 

Are there specific types of AI systems that are prohibited under the AI Act? 

Yes, certain AI systems deemed to pose unacceptable risks are prohibited. These include AI systems that manipulate human behavior to the detriment of users, exploit vulnerabilities of specific groups, enable social scoring by public authorities, and utilize real-time remote biometric identification systems in publicly accessible spaces for law enforcement purposes, except in narrowly defined exceptions. 

What are high-risk AI systems, and how are they regulated? 

High-risk AI systems are those that pose significant risks to health, safety, or fundamental rights. The AI Act establishes stringent requirements for these systems, including conformity assessments, risk management systems, data quality, transparency, human oversight, and cybersecurity. Examples of high-risk AI systems include those used in critical infrastructure, law enforcement, border control, and employment. 

What are General-Purpose AI (GPAI) models? 

GPAI models are characterized by their ability to perform a wide range of tasks and be integrated into various applications. These models are typically trained on vast datasets and can adapt to different downstream systems. The AI Act introduces specific requirements for GPAI models, particularly those classified as posing systemic risks. 

What constitutes a systemic risk GPAI model? 

A GPAI model is classified as posing a systemic risk if it meets specific criteria. These include having high-impact capabilities, a significant impact on the internal market due to its reach, or being designated as such by the European Commission. These models are subject to additional obligations to mitigate potential societal harms. 

What is an AI regulatory sandbox, and what is its purpose? 

An AI regulatory sandbox is a controlled environment established by national authorities to facilitate the development, testing, and validation of innovative AI systems under strict regulatory oversight. It provides a space for experimenting with AI systems before their market release, allowing providers to assess their compliance with the AI Act and receive guidance from authorities. 

What enforcement mechanisms are in place to ensure compliance with the AI Act? 

The AI Act mandates that Member States establish enforcement mechanisms, including penalties for infringements. Penalties may include fines proportionate to the severity of the violation. Market surveillance authorities are responsible for monitoring compliance, and individuals have the right to lodge complaints regarding potential violations. 

Part II: EU AI ACT – Go Deeper 

1. What is the primary objective of the EU’s Artificial Intelligence Act? 

2. The AI Act specifically defines a “deployer.” Explain who is considered a deployer according to this definition. 

3. The AI Act distinguishes between “biometric identification” and “biometric verification.” What is the key difference between these two concepts? 

4. What are the implications of the AI Act for the use of AI systems for “social scoring” purposes? 

5. Under what very specific conditions does the AI Act allow the use of ‘real-time’ remote biometric identification systems in public spaces for law enforcement purposes? 

6. Outline the process for the adoption of common specifications for high-risk AI systems as defined by the AI Act. 

7. What is the purpose of “AI regulatory sandboxes” as established by the AI Act, and what is their timeline for implementation? 

8. What are the key data protection considerations related to the use of personal data within AI regulatory sandboxes? 

9. Explain the concept of “post-market monitoring” as it applies to high-risk AI systems under the AI Act. 

10. What role do “market surveillance authorities” play in the enforcement of the AI Act? 

Answer Key 

1. The EU’s Artificial Intelligence Act aims to establish a comprehensive legal framework for artificial intelligence, specifically addressing the risks associated with AI while positioning Europe as a global leader in AI development and deployment. 

2. A “deployer,” as defined by the AI Act, is any individual or entity, including public authorities, who utilizes an AI system under their control. This definition excludes personal, non-professional use of AI systems. 

3. “Biometric identification” involves automatically recognizing a person’s identity by comparing their biometric data to a database, regardless of consent. “Biometric verification” solely confirms if a person is who they claim to be, typically for accessing services or devices, and requires the individual’s consent. 

4. The AI Act strictly prohibits AI systems that engage in social scoring practices that lead to discriminatory or unfair treatment of individuals or groups. It safeguards against systems that evaluate people based on social behavior or predicted characteristics, leading to detrimental outcomes. 

5. ‘Real-time’ remote biometric identification systems are generally prohibited in public spaces for law enforcement, except in specific situations. These exceptions include searching for certain crime victims, preventing imminent threats to life or terrorist attacks, and identifying suspects of serious crimes listed in the regulation. 

6. If harmonized standards for high-risk AI systems are inadequate or unavailable, the Commission may request European standardization organizations to develop common specifications. If these organizations fail to address the request adequately or within the set deadline, the Commission can adopt implementing acts to establish common specifications. 

7. AI regulatory sandboxes are controlled environments designed to facilitate the development, testing, and validation of innovative AI systems before they are released to the market. National authorities are required to establish at least one such sandbox by August 2, 2026. 

8. Within AI regulatory sandboxes, personal data used for development must be kept separate, isolated, and protected. Sharing of the originally collected data is allowed only in compliance with EU data protection law. Personal data generated in the sandbox cannot be shared externally, and the processing should not lead to actions or decisions that affect the data subjects or their rights. 

9. “Post-market monitoring” mandates providers of high-risk AI systems to continuously monitor the performance of their systems throughout their lifecycle. This involves collecting, documenting, and analyzing data to ensure ongoing compliance with the requirements of the AI Act. 

10. Market surveillance authorities are responsible for enforcing the AI Act. They investigate potential violations, conduct evaluations of AI systems, and can take corrective actions, including issuing penalties, to ensure compliance. They also cooperate with other relevant authorities, particularly in cases involving fundamental rights concerns. 

Interested in speaking with our consultants? Click here to get in touch

 

Some sections of this article were crafted using AI technology