On 1 August 2024, the EU regulation 2024/1689 laying down harmonised rules on artificial intelligence (the AI Act) entered into force, with provisions that will become applicable gradually over the following 6 to 36 months. The regulation sets out a framework for ensuring the safe, ethical, and transparent use of AI within the EU. It covers a broad range of AI systems, with a particular focus on high-risk applications in sectors such as healthcare, transportation, and law enforcement, as well as general-purpose AI.
Scope and risk-based approach
The scope of the AI Act covers a broad range of entities involved in the development, deployment, and use of AI systems within the EU. It applies to AI providers placing AI systems or general-purpose AI models on the EU market. Deployers — those using AI systems — are also included, as well as product manufacturers that integrate AI systems with their products and market them under their own name or trademark. The AI Act includes several exclusions from its scope. Testing activities and personal, non-professional, use of AI systems are for example exempt, as well as AI systems and models used for scientific research and development. Open-source licenses are partially exempt, provided that they do not pose high risks.
The AI Act adopts a risk-based approach to regulate AI systems, categorizing them based on the level of potential risk they pose. Certain AI systems are outright prohibited. These systems are AI-systems that, for example, deploy subliminal techniques beyond a person’s consciousness, exploit any of the vulnerabilities of a natural person, scores natural persons based on their social behaviour and that infer emotions of a natural person in the areas of workplace and education institutions.
The majority of the requirements set out in the AI Act apply to high-risk AI systems. This is AI-systems that are intended to be used as a safety component of certain products and AI systems that are listed in Annex III. Annex III contains a list of AI systems used in, for example, areas such as biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration and democratic processes. AI systems that are not high-risk are subject to lighter requirements regarding transparency and AI literacy of staff. Certain requirements apply to general-purpose AI models and general-purpose AI systems. This is models and systems that display significant generality and that are capable of performing a wide range of tasks.
This approach is intended to ensure that regulatory oversight is proportional to the risks associated with the AI system, allowing for a flexible framework that balances innovation with protection of fundamental rights.
Obligations and sanctions
The AI Act imposes a significant number of obligations on providers and deployers of high-risk AI systems, such as the requirement to implement a quality management system, keep documentation and logs, report incidents, conduct a prior conformity assessment and indicate conformity upon request. Providers must also draw up an EU declaration of conformity, ensure CE marking, and complete registration. Additionally, accessibility requirements must be met.
General-purpose AI models are also subject to the compliance requirements. These include self-assessment and mitigation of systemic risks, serious incidents reporting, conducting test and model evaluations, as well as cybersecurity requirements.
The AI Act allows the EU Commission to issue orders, warnings, and even ban certain AI systems. It also imposes fines for breaches, including up to 35 million euros or 7% of total annual turnover for violations of Article 5 (prohibited AI), and 15 million euros or 3% for other breaches, including obligations related to general-purpose AI models. Additionally, there are fines of 7.5 million euros or 1% for providing incorrect or incomplete information, with lower caps for SMEs and startups. Public authorities or bodies can face administrative fines of 1.5 to 0.75 million euros. The Commission may impose fines on general-purpose AI model providers up to 15 million euros or 3% of their annual total worldwide turnover, whichever is higher.

Challenges and Positive effects
The AI Act aims to establish a regulatory framework for AI systems that results in the development of sustainable and safe AI systems. The regulation faces challenges such as the technological complexity of AI, the need to keep pace with rapid technological change, and the difficulties in accurately classifying AI risks. These new requirements on businesses will entail a new compliance burden for any business involved in the development or use of AI systems. The balancing act between ethical standards and economic competitiveness might have a negative effect on future innovation. At the same time, ethical standards have the potential of building trust in AI and thus encouraging future investments in the use of AI. The Act also supports a harmonized digital single market, reducing regulatory fragmentation across member states, thus making it easier for AI companies to share their innovations across the EU.