Welcome to our latest blog post, where we present the key insights from our first webinar of the series, “AI Talks: Understanding the EU AI Act.” This virtual series is designed to help businesses navigate the complexities of the European Union’s Artificial Intelligence Act (EU AI Act), which is set to revolutionize the regulatory landscape for artificial intelligence (AI) in Europe.
The EU AI Act is set to reshape the regulatory landscape for AI systems deployed in the EU. As the first comprehensive AI law of its kind, it introduces strict compliance requirements, including AI literacy obligations, prohibited uses of AI systems and a phased rollout of enforcement mechanisms. Here’s what businesses need to know to stay ahead of the curve.
1. The AI Act at a glance
The EU AI Act aims to establish a harmonized framework for AI systems, categorizing them based on risk levels. Notably, the EU AI Act introduces:
- A broad scope covering providers, deployers, manufacturers, importers and distributors of AI systems, even if they are based outside of the EU but operate within its market. Check our blog post, ‘EU AI Act: Does It Affect Your Organization or Not?’ to learn more about your role and responsibilities under the EU AI Act.
- A definition for AI systems.
- A phased enforcement schedule starting with certain obligations coming into effect immediately.
- Severe penalties for noncompliance, potentially exceeding those imposed under the General Data Protection Regulation (GDPR).
What is an AI system under the EU AI Act?
The EU AI Act does not apply to all AI systems but specifically targets those that meet the definition of an ‘AI system’ as outlined in Article 3(1) of the AI Act: ‘“AI system” means a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments’.
To clarify the scope of this definition, the European Commission (EC) has issued guidelines on the definition of an AI system, which aim to assist providers and other relevant persons – including market and institutional stakeholders – in determining whether a system constitutes an AI system within the meaning of the EU AI Act.
The EC acknowledges in the guidelines that, due to the rapidly evolving nature of AI technology, it is impossible to provide an exhaustive list of systems that either fall within or outside the definition of an AI system. This may pose challenges for companies when assessing whether their systems are within scope of the EU AI Act and understanding their obligations under it.
While the guidelines provide valuable insight, they are nonbinding, and any definitive interpretation of the EU AI Act will be determined by the Court of Justice of the European Union (CJEU).
2. Immediate compliance obligations as of 2 February 2025
a. AI literacy (Article 4)
i. Concept
Article 4 of the EU AI Act requires providers and deployers of AI systems to ensure a sufficient level of AI literacy for their staff and any other users who are interacting with AI systems.
The EU AI Act does not specify how AI literacy should be achieved by providers and deployers. However, to support this requirement, the EU AI Office has created a living repository of ongoing practices among AI system providers and deployers. The purpose of the repository is to share examples of AI literacy initiatives that organizations are implementing. These practices can help others understand how to build their own strategies for meeting the literacy obligations in Article 4.
The repository of AI literacy compiles practices gathered through a survey shared exclusively with AI Pact pledgers, at least for now. As such, the list of practices provided is not exhaustive and will be updated regularly.
The EU AI Office recalls that adopting the practices listed in the repository does not automatically guarantee compliance with Article 4 of the AI Act.
ii. What should you do now to prepare for compliance with your literacy obligations?
- Evaluate current practices: Assess the current AI literacy levels within your organization. Are your staff and users equipped with the right knowledge and training?
- Leverage the repository of AI practices: Consult the living repository to find practices that could be relevant to your organization. Even if your AI literacy efforts are still in the planning phase, it is useful to learn from others.
- Assess whether you should engage in the AI Pact.
- Regularly update practices: Stay updated with evolving AI literacy standards, be proactive in improving your organization’s literacy efforts and make sure you document them to demonstrate compliance.
b. Prohibited AI practices
i. Concept
Article 5 of the EU AI Act prohibits the placing on the EU market, putting into service or use of certain AI systems which pose an ‘unacceptable risk’, including AI systems used for the following purposes:
- Harmful AI-based manipulation and deception.
- Harmful AI-based exploitation of vulnerabilities.
- Social scoring.
- Individual criminal offence risk assessment or prediction.
- Untargeted scraping of the internet or CCTV material to create or expand facial recognition databases.
- Emotion recognition in workplaces and education institutions.
- Biometric categorisation to deduce certain protected characteristics.
- Real-time remote biometric identification for law enforcement purposes in publicly accessible spaces.
These prohibitions came into effect six months after the AI Act entered into force, starting from 2 February 2025.
The EC recently adopted the guidelines on the practical implementation of the practices prohibited under Article 5 of the AI Act. These guidelines aim to enhance legal clarity and offer insights into the EC’s interpretation of the prohibitions in Article 5 of the EU AI Act, ensuring their consistent, effective and uniform application. They are intended to serve as practical guidance for competent authorities enforcing the AI Act, as well as for providers and deployers of AI systems to help ensure compliance with their obligations. The guidelines also provide some clarity around exclusions from the scope of the EU AI Act – such as national security, defence and military purpose, judicial and law enforcement cooperation with third countries, research and development, or personal nonprofessional activity.
It is important to note that these guidelines are nonbinding. Any definitive interpretation of the AI Act can only be provided by the CJEU.
c. Is your compliance documentation covered by legal privilege?
The EU AI Act grants regulators broad investigative powers, including access to AI risk assessments and compliance documentation. However, legal privilege can protect certain internal communications from disclosure. Businesses should consider consulting legal counsel to ensure compliance strategies remain privileged where applicable.
3. Next steps for businesses
For businesses with a global presence, the guidance issued by the EC is a crucial resource for managing the complexities of complying with the EU AI Act. Below you will find some recommended practices to enhance your compliance strategy:
- Assess whether your AI systems fall under the EU AI Act’s scope.
- Identify whether your company is a provider, deployer or both under the EU AI Act.
- Review and mitigate risks associated with AI deployments.
- Ensure compliance with AI literacy obligations through staff training.
- Consult legal counsel to ensure your AI compliance strategies remain privileged.
- Monitor regulatory updates, including forthcoming EU guidelines.
With the EU AI Act’s phased implementation, now is the time for businesses to align their AI strategies with regulatory expectations. Compliance today will help organizations mitigate risks and avoid significant penalties in the future.
For further legal insights on AI compliance, please do not hesitate to contact us.
Authors
Patrick Van Eecke, Partner, Brussels
Enrique Gallego Capdevila, Special Counsel, Brussels
