The European Union's Artificial Intelligence Act (AI Act) represents a milestone in global AI regulation, responding to increasing demands for ethical standards and transparency in AI usage. After extensive drafting and negotiation, the Act has now been provisionally agreed upon, with final compromises reached and adoption by the European Parliament on March 13, 2024. Anticipated to take effect between May and July 2024, the AI Act establishes a comprehensive legal framework to foster trustworthy AI within and beyond Europe, emphasising the respect for fundamental rights, safety, and ethical principles.

Overseen by the newly created EU AI Office, the Act imposes significant penalties for noncompliance - exposing companies to fines of €35 million, or 7 percent of a company's annual revenue, whichever is greater. This compels the stakeholders to understand its implications for their businesses. This blog provides a nuanced exploration of the Act's key provisions, ranging from its rules on high-risk systems to its governance and enforcement mechanisms, offering insights into its potential impact on corporations, individuals and societies alike.

How does it concern me?

AI applications influence what information you see online by predicting what content is engaging to you, capture and analyse data from faces to enforce laws or personalise advertisements, and are used to diagnose and treat cancer. In other words, AI affects many parts of your life.

Like the EU’s General Data Protection Regulation (GDPR) in 2018, the EU AI Act could become a global standard, determining to what extent AI has a positive rather than negative effect on your life wherever you may be. The EU’s AI regulation is already making waves internationally. If you’re a part of an organisation that is leveraging AI/ML techniques to build amazing solutions for real-world problems in or outside the EU, then you will come across this act sooner or later. Why not understand everything there is, right now ?

The AI Act aims to “strengthen Europe’s position as a global hub of excellence in AI from the lab to the market, ensure that AI in Europe respects set values and rules, and harnesses the potential of AI for industrial use.”

- European parliament News

What should I know about the act? 

A risk-based approach 

The cornerstone of the AI Act is a classification system that determines the level of risk an AI technology could pose to the health and safety or fundamental rights of a person. The framework includes four risk tiers: unacceptable, high, limited and minimal.

Source : European Commission

Unacceptable Risk Systems

The EU's AI regulations encompass several key provisions to ensure ethical and responsible AI use. Prohibited AI practices include banning deceptive techniques, exploitation of vulnerabilities, and categorization based on sensitive attributes. Real-time biometric identification in law enforcement requires prior authorization and notification to authorities, with member states having discretion within specified limits. Additionally, reporting obligations mandate annual reports on biometric identification use, ensuring transparency and accountability in AI implementation.

High Risk Systems

The EU identifies various high-risk AI systems across sectors such as critical infrastructure, education, product safety, employment, public services, law enforcement, migration management, and justice administration. These systems are subject to stringent obligations, including risk assessment, high-quality data utilization, activity logging, detailed documentation, transparent deployment, human oversight, and robustness assurance.

High-risk AI systems will be subject to strict obligations before they can be put on the market. We have tried to simplify these for you - 

• Based on the impact of the application, define the risk-level of the system.

• Understand the regulatory requirements : Understand the requirements of your system on the basis of your use case and risk level. The standards would be laid out by the AI Office with the help of standardisation bodies like CEN/CENELEC.

• Risk management system : Evaluation and monitoring of risks posed in application in real-world

• Data and Data Governance : Ensure data representativeness, correctness and completeness, train-test-validation independence, annotation quality, fairness and bias reduction, data sufficiency and privacy of personal data.

• Technical Documentation and Transparency to deployers : Maintain and avail necessary information to assess the compliance of the system as per the requirements. Ensure full transparency of crucial information and processes with regulatory bodies as well as consumers of the application.

• Human Oversight : Enable a synergic ecosystem allowing post production monitoring by humans and intervention capabilities.

• Accuracy, Robustness and Cybersecurity : Ensure model robustness and continuous data & system integrity checks

• Quality Management System : End to end system for data and learning management quality.

  
  

Limited risk Systems 

Limited risk refers to the risks associated with lack of transparency in AI usage. The AI Act introduces specific transparency obligations to ensure that humans are informed when necessary, fostering trust. For instance, when using AI systems such as chatbots, humans should be made aware that they are interacting with a machine so they can take an informed decision to continue or step back. Providers will also have to ensure that AI-generated content is identifiable. Besides, AI-generated text published with the purpose to inform the public on matters of public interest must be labelled as artificially generated. This also applies to audio and video content constituting deep fakes.

Minimal or no risk

The AI Act allows the free use of minimal-risk AI. This includes applications such as AI-enabled video games or spam filters. The vast majority of AI systems currently used in the EU fall into this category.

General Purpose AI Systems

On a high level, a general-purpose AI model is considered to have systemic risk if its training requires over 10^25 floating point operations (FLOPs), indicating high impact capabilities. These are mainly genAI models. 

The general obligations can be met via self-assessment and can be understood here :

• Codes of Practice : Use codes of practice to demonstrate compliance until harmonised standards are published.

• Technical Documentation and Information Sharing : Necessary information to assess the compliance of the system as per the requirements; and continuous access to regulators.

• Model Evaluation : Model evaluation using standardized protocols and tools, including adversarial testing to identify and mitigate systemic risks.

• Risk Assessment : Assess and mitigate systemic risks arising from the development or use of AI models

  
  
  

By when do I need to be ready?

6 months 

• Prohibition on unacceptable risk AI 

12 months 

• Obligations on providers of general purpose Al models go into effect.

• Appointment of member state competent authorities.

• Annual Commission review of, and possible amendments to, the list of prohibited Al.

18 months 

• Commission implementing act on post-market monitoring.

24 months 

• Obligations on high-risk Al systems specifically listed in Annex III, which includes Al systems in biometrics, critical infrastructure, education, employment, access to essential public services, law enforcement, immigration and administration of justice.

• Member states have implemented rules on penalties, including administrative fines.

• Member state authorities have established at least one operational Al regulatory sandbox.

• Commission review, and possible amendment of, the list of high-risk Al systems.

36 months 

• Obligations for high-risk Al systems that are not prescribed in Annex Ill but are intended to be used as a safety component of a product, or the Al is itself a product, and the product is required to undergo a third-party conformity assessment under existing specific EU laws, for example toys, radio equipment, in vitro diagnostic medical devices, civil aviation security and agricultural vehicles.

How does RagaAI help fulfil these obligations ? 

As we’ve seen above, compliance with these complex regulations is a crucial but a cumbersome and technically difficult task. We at RagaAI are using cutting-edge technology to build comprehensive solutions to help you navigate through these complexities and enable automated compliance management for your enterprise AI. These solutions work across all modalities of data.

RagaAI provides comprehensive tests catering to the requirements of the act (laid out objectively), using cutting-edge methods, concrete frameworks and extensive visualisation techniques.

Users can track overall compliance status with global standards put in place by various regulators and policies.

A summary view of various tests and objectives that they comply with. It also shows the risk level ( impact ) and the status of compliance. Doesn’t it look so convenient ?
The website docs enlist and meticulously present the various tests which have been designed to comply with different aspects of regulatory regimes.

Conclusion

The EU AI Act is here to stay and as the specific requirements and standards are laid out over time across all the industries, it is imperative that the AI community is ready with the tools and techniques to comply with these regulations. RagaAI is at the forefront of building these capabilities and helping enterprises ensure full governance of their systems and also comply with globally accepted standards being shaped by revolutionary measures like the EU AI Act.

Get in touch with our Experts