EU AI Act Shifts to Risk-Based Model
The EU AI Act has officially entered its implementation phase, shifting from a traditional liability-centric framework to a granular, risk-based model. With enforcement just months away, this move is designed to curb "Big Brother-like abuses" and forces tech vendors in high-risk sectors like elections and public services to prioritize data governance, human oversight, and explainability. Industry pushback is already mounting against the groundbreaking rules.
The EU's risk-based framework sorts AI systems into four tiers: unacceptable, high, limited, and minimal risk. Unacceptable-risk applications, such as government-run social scoring and real-time biometric identification in public spaces, are banned outright with few exceptions. High-risk systems, including those in recruitment, credit scoring, and critical infrastructure, face stringent requirements before and after they reach the market. A new European AI Office, established in February 2024, will oversee the rules for general-purpose AI models and coordinate enforcement among member states. This body has the power to conduct model evaluations, request information from tech providers, and impose sanctions for non-compliance. It also supports the AI Board, composed of representatives from each member state, to ensure consistent application of the Act. The implementation is phased, with the ban on prohibited systems taking effect in early 2025. Rules for general-purpose AI models will apply from August 2025, while most obligations for high-risk systems begin in August 2026. Full compliance for all systems, including those already on the market, is expected by August 2027. Penalties for non-compliance are severe and can exceed GDPR fines. The heftiest fines are for violations involving prohibited AI practices, reaching up to €35 million or 7% of a company's global annual turnover, whichever is higher. Providing regulators with misleading information can result in fines of up to €7.5 million or 1% of global turnover. The Act's extraterritorial reach means it applies to any company whose AI-driven products or services are used within the EU, regardless of where the company is based. This "Brussels effect" is expected to influence global standards, though some analysts believe its impact may be more limited than that of GDPR due to competing regulatory approaches from other nations. Despite the phased rollout, major European companies like Airbus and Siemens have pushed for delays, citing regulatory complexity and risks to competitiveness. Tech giants have also lobbied against the rules, with Meta refusing to sign a voluntary code of practice due to legal uncertainty. The European Commission has so far rejected a broad pause but has signaled that targeted delays for specific provisions could be considered if essential guidelines are not ready.
