EU AI Act Adopted, Posing Global Compliance Challenge
The EU AI Act has been adopted, creating what some call the biggest compliance challenge for global enterprises. The law's extraterritorial reach affects any platform with EU users, mandating strict transparency, traceability, and reporting for high-risk systems. It is expected to set a new global minimum standard for AI governance, including provenance labeling and incident response.
- The Act categorizes AI systems into four risk levels: unacceptable, high, limited, and minimal. Unacceptable-risk applications, such as government-run social scoring and manipulative AI, are prohibited entirely. High-risk systems, while not banned, are subject to stringent legal requirements.
- Fines for non-compliance are substantial, ranging from €7.5 million or 1.5% of worldwide annual turnover to €35 million or 7% of turnover, depending on the violation. These penalties surpass even those of the GDPR, with the highest fines reserved for violations related to prohibited AI practices.
- A new European AI Office has been established within the European Commission to oversee the implementation and enforcement of the Act. This office will play a key role in supervising general-purpose AI models, supporting governance bodies in member states, and promoting a consistent application of the rules.
- The regulation has a staggered implementation timeline. The ban on prohibited AI practices took effect in February 2025. Rules for general-purpose AI models will apply from August 2025, while most rules for high-risk systems will be enforced starting in August 2026.
- High-risk AI applications are specifically defined and include systems used in critical infrastructure, education, employment (such as CV-sorting software), law enforcement, and the administration of justice and democratic processes. These systems must undergo a conformity assessment before being placed on the market.
- The Act introduces specific rules for general-purpose AI (GPAI) and foundation models, which are the basis for many AI systems. These rules include transparency requirements, such as providing detailed summaries of the data used for training and complying with EU copyright law.
- To facilitate compliance, the law encourages the creation of "codes of practice" to serve as technical standards. Additionally, each EU member state is required to establish at least one AI regulatory sandbox by August 2026 to allow for the testing and development of innovative AI systems in a controlled environment.
- The regulation addresses the use of AI in political contexts by classifying systems used to influence voters in political campaigns as high-risk. Furthermore, AI-generated content that is "deep fake" audio or video, or text published to inform the public on matters of public interest, must be clearly labeled as artificially generated.