AI Act: everything you need to know about the European regulation on AI

The European Union adopted the European Regulation on Artificial Intelligence (or AI Act) in 2024 with the objective of establishing a unified legal framework for the development and use of AI systems. This first comprehensive global regulation aims to promote the opportunities offered by this technology while minimizing its potential dangers.

Why were the regulations introduced?

L'AI Act was introduced to establish a clear and unified legal framework for the use of artificial intelligence in Europe. The European Commission presented the first draft in April 2021. After lengthy negotiations, the final version was adopted in January 2024. This regulation is driven by rapid technological progress in the field of AI, which brings both opportunities and risks. Societal and ethical challenges, such as discrimination due to biased algorithms, lack of transparency in automated decisions or the misuse of AI for mass surveillance, urgently required legal regulation.

The aim of the AI ​​Act is to promote innovation without compromising fundamental European values ​​such as data protection, security and human rights. The EU takes a risk-based approach, where particularly dangerous AI applications are strictly regulated or even banned. At the same time, the regulation aims to strengthen European companies in global competition by ensuring confidence and legal certainty.

Classification of AI systems according to risk categories

The regulation takes a risk-based approach and thus divides different AI systems into four categories:

1. Unacceptable risk : This category includes all AI systems considered to pose a threat to the security, livelihoods or rights of individuals. These are prohibited. In this category we find the systems of social ratingi.e. the assessment of people's behavior or personality by state authorities, or AI systems used for facial recognition in public spaces without consent.
2. High risk : these systems are authorized, but subject to strict requirements and entail extensive obligations for suppliers and operators of the systems. This category includes, for example, AI systems in critical infrastructureas in transport to guarantee safety. Likewise, theAI in personnel managementwhich influences hiring or firing decisions, is subject to specific requirements.
3. Limited risk/transparency risk : The third risk category includes AI systems with specific transparency requirements, intended for direct interaction with users. They must be informed of the interaction with these systems. Most generative AI falls into this category.
4. Minimal risk : the majority of AI systems belong to the fourth category and are not subject to any specific requirements by the AI ​​Act, such as spam filters or the AI-controlled characters in video games.

Requirements and obligations for developers and suppliers

For developers and suppliers of AI systems, especially those at high risk, the EU AI Regulation establishes a series of requirements aimed at ensuring the responsible use of these technologies. These requirements concern various aspects: transparency, security, precision or even quality of the underlying data; they aim to ensure the security and reliability of AI technologies without harming innovation.

Risk management

Companies must implement an ongoing risk management system that identifies, evaluates and minimizes potential hazards. This includes regularly reviewing the impacts of the AI ​​system on individuals as well as society as a whole. Particular emphasis is placed on discrimination, unintentional bias in decision-making and risks to public safety.

Data quality and avoidance of bias

Training data used for the development of an AI system must meet high quality standards. This means that they must be representative, free from errors and sufficiently diverse to avoid discrimination and bias. Companies are required to establish bias verification and correction mechanisms, particularly when artificial intelligence is used in sensitive areas such as human resources decisions or law enforcement.

Documentation and records

Developers must create and maintain comprehensive technical documentation of their AI systems. This documentation must not only describe the structure and operation of the system, but also make the decision-making processes of artificial intelligence understandable. Additionally, companies must keep records of the operation of their AI systems to enable later analysis and, if necessary, error correction.

Transparency and user information

The regulation requires that users be clearly informed when interacting with an AI. For example, chatbots or virtual assistants must clarify that they are not human interlocutors. In cases where AI systems make decisions that have a significant impact on individuals (for example, credit applications or application procedures), those affected have the right to an explanation of how the decision was made.

Human supervision and intervention possibilities

High-risk AI systems should not operate completely autonomously. Companies must ensure that human control elements are built in, allowing people to intervene and make corrections if the system behaves incorrectly or unexpectedly. This is particularly important in areas like medical diagnosis or autonomous mobility, where bad decisions can have serious consequences.

Accuracy, robustness and cybersecurity

The EU AI Regulation requires AI systems to be reliable and robust to minimize decision errors and security risks. Developers must prove that their systems operate stably under various conditions and are not easily affected by external attacks or manipulation. This includes cybersecurity measures, such as protection against data leaks or unauthorized manipulation of algorithms.

Conformity assessment and certification

Before a high-risk AI system is released to the market, it must undergo a compliance assessment to verify that it meets all regulatory requirements. In some cases, an external audit by a designated body is necessary. The regulation also provides for continuous monitoring and regular reassessment of systems to ensure they continue to meet standards.

Impacts and challenges for businesses

The AI ​​Act establishes a clear legal framework for businesses, aimed at promoting innovation and trust in AI technologies, but also leads to increased efforts in compliance, technical adaptations and market strategies. Companies developing or using AI technologies must take these new requirements seriously, to avoid legal risks and remain competitive in the long term.

Higher costs and bureaucratic procedures

One of the biggest challenges for businesses is the additional costs of complying with new regulations. In particular, providers and users of high-risk AI systems must implement significant measures that require investments in new technologies, qualified personnel and possibly external advisors or auditing bodies. Small and medium-sized enterprises (SMEs) may struggle to mobilize the financial and human resources needed to meet all regulatory requirements.

Companies that fail to comply with regulations risk hefty fines, as is already the case with the General Data Protection Regulation (GDPR).

Promoting innovation

Despite the additional regulations, the regulation can contribute in the long term to strengthening trust in AI systems and promoting innovation. Companies that quickly adapt to new requirements and develop transparent, secure and ethical AI solutions can gain a competitive advantage.

The introduction of clear rules creates a unified legal framework within the EU, reducing uncertainties in the development and use of AI. Companies can market their technologies more easily within the EU, without having to deal with different national regulations. The AI ​​Act is also one of the first of its kind in the world and sets high standards. Companies that comply can position themselves as trusted suppliers in the market, giving themselves an advantage over competitors with less stringent regulations.

The AI ​​Act concerns companies based in the EU, but also international companies that offer AI systems in the European Union or use data collected there for AI applications. Thus, an American company offering AI-based recruitment software in the EU will have to comply with European regulations.

This extraterritorial effect forces many companies outside the EU to adapt their products and services to the new standards if they wish to serve the European market. While this could lead to a more uniform global approach to AI regulations, it could also pose a barrier for non-EU companies wanting to enter the EU market.

However, there are also fears that European companies could be disadvantaged internationally. While innovations in artificial intelligence in the United States and China often advance with few restrictions, the EU's strict regulations could slow the development and implementation of new technologies by European companies. This could pose a particular challenge for startups and SMEs when they have to compete with tech giants with much greater resources.