Artificial Intelligence (AI) governance is rapidly becoming a critical focus for companies, and now the lightly legislated area of software automation is seeing its first major regulation: the European Union Artificial Intelligence Act (the “AI Act”). On March 13, 2024, the EU passed the AI Act, marking a significant step forward in AI regulation. Taking effect on August 1, 2024, the AI Act is the first comprehensive AI regulation introduced by a major global authority, and is expected to set a global standard for AI governance. The Act categorizes AI applications into three risk levels: unacceptable, high, and low risk, establishing a clear regulatory framework for AI technologies. Broad Definitions and Classifications The AI Act provides a broad definition of an AI system as “a system that can, with some level of autonomy, process inputs to infer how to generate outputs,” such as predictions, decisions, or content creation. Companies such as Facebook, X (Twitter), TikTok, and Google have faced litigation over recommendations made by their algorithms, and companies such as OpenAI have faced similar litigation over text or images generated by their AI systems. The AI Act definition broadens the range of regulated AI systems and ensures that a wide range of AI technologies, from machine learning models to more complex systems, fall under its regulatory scope. In addition to general AI systems, the Act distinguishes a specific category called General-Purpose AI (GPAI). GPAI refers to AI systems capable of performing a wide variety of tasks beyond a single specialized function. These systems, like large language models or advanced machine learning algorithms, possess a high degree of adaptability, allowing them to be applied across different domains, such as language processing, image recognition, and problem-solving. Examples of these GPAI systems range from Tesla’s full self-driving cars to voice assistants like Apple’s Siri. The inclusion of GPAI in the AI Act reflects the increasing development of more versatile AI technologies that can evolve beyond narrowly defined applications. Since GPAI systems can impact multiple sectors and industries, they pose unique challenges in terms of governance, ethics, and accountability. By distinguishing GPAI, the Act acknowledges the broader societal implications of AI systems that operate with significant generality, furthering the need for a tailored regulatory framework to manage the risks and benefits these technologies present. This nuanced approach allows the EU to regulate AI in a way that is forward-looking, ensuring that as AI technologies evolve, the governance framework remains robust and adaptable. Prohibited and Restricted AI Practices The Act prohibits AI practices that intentionally manipulate individuals into making harmful choices they would not otherwise make. This includes AI systems used for exploitative purposes or those that pose significant risks to individuals’ rights and safety. It also prohibits using AI in real-time facial recognition surveillance or in automatically categorizing individuals. Recently, Rite Aid settled with the Federal Trade Commission and was banned from using facial recognition to identify shop lifters in its stores. High-risk AI systems, such as those used in medical devices, employment, and education, are subject to stringent regulations to ensure their safe and ethical use. Read our other article on Key Requirements for High-Risk AI Systems. Phased Implementation of the Act The Act’s requirements will be phased in over time. Key dates to be aware of include:
  • March 13, 2024 – The EU AI Act was enacted: This marks the official passage of the Act by the European Union, establishing the regulatory framework for AI governance.
  • August 1, 2024 – The AI Act comes into force: From this date, the Act’s provisions begin to apply, requiring organizations to start aligning their AI systems with the new regulatory requirements.
  • By November 2, 2024: Member States must identify and publicly list the authorities responsible for overseeing AI-related fundamental rights protections. They must notify the European Commission and other Member States of these designations.
  • Starting in 2025: Prohibitions on certain high-risk AI systems, including those posing unacceptable risks, will take effect. Additionally, rules related to Notified Bodies, General Purpose AI models, Governance structures, Confidentiality, and Penalties will be enforced.
  • 12 months from the effective date (August 2025): Specific rules for General Purpose AI (GPAI) models will take effect for new models, guiding their use and regulation.
  • Mid-2025 (Expected) – Compliance implementation begins: Providers of high-risk AI systems will need to begin ensuring compliance with the Act’s requirements. Guidelines and technical standards will likely be published to assist organizations with implementation.
  • 24 months from the effective date (August 2026): Requirements for high-risk AI systems, such as continuous risk management, data governance, and human oversight, will come into force. Organizations deploying these systems must be fully compliant by this time.
  • 36 months from the effective date (August 2027): AI systems that are products or safety components of products regulated under existing EU laws (e.g., medical devices, vehicles) will be subject to the AI Act. Compliance with relevant safety standards and product regulations will be mandatory.
  • Ongoing Monitoring and Updates: The Act sets mechanisms for continuous monitoring and updates, ensuring that the regulations evolve with advancements in AI technology.
Implications for Companies The EU AI Act imposes significant implications for companies operating in or engaging with the European Union's market. It affects a broad spectrum of stakeholders involved in AI, including providers, deployers, importers, distributors, product manufacturers, and authorized importers. Furthermore, the Act extends its reach to providers and deployers based outside the EU if their AI systems or the outputs of those systems are utilized within the EU. At Dorf Nelson and Zauderer LLP, we offer comprehensive guidance on the diverse risks associated with AI technology for businesses and their employees, including its integration into products and services for customer access. Our experienced attorneys provide counsel on intellectual property protection for AI technologies and work closely with clients to develop tailored generative AI policies and guidelines that align with specific business needs and risk tolerance. We diligently monitor updates to the EU AI Act and its implications for companies, crafting strategies to ensure compliance with forthcoming obligations.