Artificial Intelligence Act: What can we learn from it?

Risk-based classification of systems 

• Prohibition of AI systems presenting intolerable risks (Article 5).

• Increased obligations for high-risk AI systems.

• Less extensive obligations for general-purpose AI systems that do not pose systemic risks and for systems interacting with humans.

• Fundamental rights impact assessments to be carried out for certain high-risk systems.

Responsibility of providers and deployers

• Deployers are now responsible when using AI systems: they must implement human oversight to ensure the system is used responsibly and address any issues. The data used with the system must be relevant and up-to-date.  

• Providers must ensure their AI systems comply with the AI Act requirements, such as maintaining detailed technical documentation and offering clear information on the system's capabilities, limitations, and performance. 

Harmonization of internal market

• Creation of a European-wide AI Office and national control authorities to ensure legal certainty by verifying the effective implementation of the regulation, and by sanctioning bad practices.  

• Registration of high-risk AI systems in an European database.

• Obtaining a CE marking will be necessary before placing a high-risk AI system on the market.   

Regulatory Sandboxes

• National authorities may establish regulatory sandboxes that offer a controlled environment for testing innovative technologies for a limited time. These sandboxes are based on a test plan agreed with the relevant authorities to ensure the compliance of the innovative AI system and to accelerate market access. SMEs and start-ups can have priority access to them.

Prohibited Artificial Intelligence Practices

AI systems that contravene the values of the European Union by violating fundamental rights are prohibited, such as:

• Unconscious manipulation of behavior;
• Exploiting the vulnerabilities of certain groups to distort their behavior;
• AI-based social rating for general purposes by public authorities;
• The use of "real-time" remote biometric identification systems in publicly accessible spaces for law enforcement (with exceptions);
• Social scoring, dark pattern AI . 

High-risk Systems (defined and listed by the EU Commission)

Companies are subject to several obligations related to documentation, risk management systems, governance, transparency, or safety, depending on their status (supplier, user, distributor, and other third parties). These systems must also be declared to the EU and bear a CE mark. 

Specific Risk Systems

These are systems that (i) interact with humans, (ii) are used to detect emotions or determine association with (social) categories based on biometric data, or (iii) generate or manipulate content (‘deep fakes’). For these systems, there is an obligation to disclose whether the content is generated through automated means or not.

Non-High-Risk Systems

Voluntary creation and enforcement of a code of conduct that may include commitments to environmental sustainability, accessibility for people with disabilities, stakeholder participation in AI system design and development, and development team diversity.

General purpose AI systems are AI systems that have a wide range of possible uses, both for direct use and for integration into other AI systems. They can be applied to many different tasks in various fields, often without substantial modification and fine-tuning. Unlike narrow AI, which is specialized for specific tasks, general-purpose AI can learn, adapt, and apply knowledge to new situations, demonstrating versatility, autonomy, and the ability to generalize from past experiences.  

Impact of the AI Act on General Purpose AI systems:  

• Codes of conduct will be established at the European Union level to guide suppliers in applying the rules regarding general-purpose artificial intelligence (GPAI) models.   

• Systemic risk: A GPAI model represents a systemic risk if it is found to have high-impact capabilities based on appropriate technical tools and methodologies, including indicators and benchmarks.   

• Specific obligations regarding systemic risks:  

  • Notify the European Commission in the event of systemic risk and mitigate such risks wherever possible.  
  • Perform model evaluation in accordance with standardized protocols and tools.  
  • Report serious incidents to national authorities and the AI Office. 
  • Cybersecurity protection. 

• Providers' obligations:  

  • Develop and maintain model technical documentation and share it with other vendors if they wish to integrate the GPAI model into other systems.  

  • Establish a policy to comply with EU copyright law.  

  • Publish a detailed summary on the content used for training the GPAI model (based on the model provided by the AI Office).

We rely on teams of highly complementary experts to offer you robust, reliable and effective compliance, in line with your strategic objectives, your use of AI and your internal processes and governance. Our consultants are committed to helping you manage your risks and create synergies as part of your AI projects. 

• Compliance specialists 

• Data Scientists  

• Cybersecurity experts  

We have built over the years key enablers that will allow to accelerate the project: modular AI governance framework, benchmark of market best practices, system mapping templates, code assessment automations, mature training modules, custom solutions functional to the PoC, standard policies, charters and procedures, etc. 

Thanks to our extensive experience of supporting our customers in AI governance and AI risk assessment, our team will be able to quickly get to grips with your specific needs and save time in interacting effectively with your  data scientists.