By Muhammad Siddique Ali Pirzada
The European Artificial Intelligence (AI) Act, which took effect on August 1, 2024, represents a landmark in global AI regulation. As the world’s first comprehensive framework for governing AI, it highlights the European Union’s (EU) ambition to position itself at the forefront of developing safe and trustworthy AI on a global scale.
The European Artificial Intelligence Act was initially proposed by the EU Commission in April 2021 amidst escalating concerns over the risks associated with AI systems. Following extensive negotiations marked by both consensus and contention, the European Parliament and the Council reached a final agreement in December 2023. The legislation is designed to establish a cohesive and uniform regulatory framework for AI across the EU, aiming to promote innovation while addressing the potential risks inherent in AI technologies. The Act is underpinned by a forward-looking definition of AI and a risk-based regulatory approach.
The AI Act categorizes AI systems according to their risk levels:
1. Low-Risk AI: This category encompasses systems such as spam filters and video games, which are deemed low-risk and are not subject to mandatory regulations. Developers may, however, opt to adhere to voluntary guidelines aimed at enhancing transparency.
2. Moderate-Risk AI: This includes systems like chatbots and AI-generated content. Such systems are required to clearly disclose to users when they are interacting with AI. For instance, deepfakes must be explicitly labeled as artificially generated to prevent misinformation.
3. High-Risk AI: This category covers critical applications, such as medical AI tools and recruitment software, which are subject to stringent requirements regarding accuracy, security, and data quality. These systems must also undergo continuous human oversight. Regulatory sandboxes are available to facilitate the safe development of these high-risk technologies.
4. Banned AI: Certain AI systems are prohibited due to their unacceptable risk levels. This includes technologies used for government social scoring or AI-driven toys that could promote hazardous behavior in children. Specific biometric systems, such as those used for emotion recognition in workplace settings, are also banned unless narrowly exempted by regulation.
The Act is notably comprehensive and applies horizontally across diverse sectors, encompassing a broad spectrum of AI activities. Its scope is meticulously crafted to include everything from high-risk models to general-purpose AI systems. This extensive coverage ensures that both the deployment and ongoing development of AI adhere to rigorous standards and regulations. A notable and distinctive feature of the Act is its extraterritorial scope. It is not limited to organizations based within the EU but also applies to non-EU entities whose AI systems are utilized within the EU. Consequently, global technology companies and AI developers must ensure compliance with the Act’s requirements to make their services and products accessible to EU users.
Under the AI Act framework, “providers” are defined as entities that develop AI systems, whereas “deployers” are those responsible for implementing these systems in practical applications. Although their roles are distinct, deployers may assume the role of providers if they make significant modifications to an AI system. This interplay between providers and deployers highlights the necessity for well-defined regulations and robust compliance strategies. The AI Act provides for certain exemptions, including AI systems utilized for military, defense, and national security purposes, as well as those developed exclusively for scientific research. Additionally, AI systems intended for personal, non-commercial use are exempt, as are open-source AI systems, provided they do not fall into high-risk or transparency-required categories. These exemptions are designed to concentrate regulatory efforts on AI with substantial societal implications while fostering innovation in less critical domains.
The AI Act is enforced through a multi-layered regulatory framework, involving various authorities within each EU member state, as well as the European AI Office and the AI Board at the EU level. This structure is designed to ensure consistent application of the AI Act across the EU. The European AI Office plays a pivotal role in coordinating enforcement efforts and offering guidance. The AI Act imposes substantial penalties for noncompliance, with fines reaching up to 7% of global annual revenue or €35 million, whichever is greater, for violations involving prohibited AI activities. Other infractions, such as failing to meet high-risk AI system requirements, incur lesser fines. These significant penalties underscore the EU’s commitment to enforcing the AI Act and deterring unethical AI practices.
The AI Act explicitly prohibits certain AI techniques that are deemed harmful, exploitative, or contrary to EU principles. These prohibited practices include the use of AI systems that employ subliminal or manipulative methods, exploit vulnerabilities, or engage in social credit scoring. The Act also restricts the application of AI in areas such as predictive policing and emotion recognition, particularly within workplaces and educational environments. These prohibitions reflect the EU’s commitment to safeguarding fundamental rights and ensuring that AI development adheres to ethical standards.
Entities utilizing high-risk AI systems must comply with stringent requirements, including following the provider’s guidelines, ensuring human oversight, and conducting regular monitoring and reviews. They are also required to maintain comprehensive records and collaborate with regulatory authorities. Furthermore, deployers must carry out data protection and impact assessments on basic rights as necessary, underscoring the importance of responsible AI deployment.
The European AI Office, a component of the European Commission, is responsible for enforcing regulations related to general-purpose AI models and ensuring the consistent application of the AI Act across member states. The AI Board, which includes representatives from each member state, will support the uniform implementation of these regulations and provide strategic guidance. Together, these bodies will work to ensure regulatory consistency and address emerging challenges in AI governance.
General-purpose AI (GPAI) models, which are designed to perform a range of tasks, must adhere to specific requirements under the AI Act. Providers of these models are required to publish comprehensive summaries of the data used for training, maintain detailed technical documentation, and comply with EU copyright laws. Models identified as posing systemic risks face additional obligations, including notifying the European Commission, conducting adversarial testing, and ensuring robust cybersecurity measures.
The AI Act represents a pivotal development for technology businesses within the European Union. This legislation mandates that organizations designing and deploying AI, especially those with high-risk systems, adhere to stringent requirements for transparency, data integrity, and human oversight. Although compliance may increase operational costs for IT companies, the potential for substantial fines—up to 7% of global annual turnover for violations, particularly related to restricted AI applications—underscores the EU’s firm stance on enforcement. Nevertheless, the AI Act has the potential to stimulate innovation. By setting clear standards, it ensures a level playing field for all EU AI developers, fostering competitiveness and the advancement of reliable AI technology.
The Act also introduces controlled testing environments, known as regulatory sandboxes, to support the secure development of high-risk AI systems. These sandboxes enable firms to test and refine their AI products under regulatory supervision. Moreover, by prioritizing human rights and core values, the EU is positioning itself as a pioneer in ethical AI research. This approach aims to build public trust in AI, essential for its widespread adoption and integration into everyday life, and is expected to yield significant long-term benefits, including improved public services, healthcare, and manufacturing efficiency.
The European Artificial Intelligence Act marks a milestone in global AI regulation, establishing a benchmark for balancing innovation with the protection of fundamental rights. For major technology firms operating within the EU, the Act presents both challenges and opportunities. It demands navigation through a complex regulatory framework while striving to maintain a culture of innovation.
About the Author
Muhammad Siddique Ali Pirzada is a final year LL.B (Hons) student at Pakistan College of Law (University of London). He currently serves as Managing Editor at Legal Education Access Portal (LEAP). Pirzada has authored articles in leading publications, including the University of Oxford Politics Blog, Cambridge International Law Journal Cornell Journal of Law & Public Policy and Berkeley Journal of International Law (Travaux). He has gained work experience at top-tier law firms such as Al Tamimi & Company – DIFC, Bhandari Naqvi Riaz, Mohsin Tayebaly & Co., and The Supreme Court of Pakistan under Mr. Justice Syed Mansoor Ali Shah. He is an active member of the Young International Arbitration Group and has contributed as a Research Assistant to The Millennium Project’s South Asia Foresight Network, focusing on Artificial Intelligence and Foreign Policy. He can be reached at msa.pirzada@outlook.com
European Studies Review 