EU AI Act: A Practical Implementation Guide for Compliance

The EU's Artificial Intelligence Regulation (AI Act), officially Regulation (EU) 2024/1689, aims to foster trust in AI, ensure the safety of AI systems, and promote innovation. Its legal basis is Article 114(1) of the Treaty on the Functioning of the European Union (TFEU), which allows for measures to establish and ensure the proper functioning of the internal market. The AI Act's purpose, as stated in Article 1, is to improve the functioning of the internal market and promote the adoption of human-centric and trustworthy AI, while ensuring a high level of protection for health, safety, and fundamental rights, including democracy, the rule of law, and environmental protection, from the harmful effects of AI systems. This is achieved through a maximal harmonization approach, with uniform rules across the EU. Key strategies include prohibiting certain AI practices deemed unacceptable, imposing specific requirements on 'high-risk' AI systems, establishing transparency obligations for certain AI systems, regulating general-purpose AI (GPAI) models, ensuring effective enforcement, and implementing measures to foster innovation, with a particular focus on SMEs and startups. When interpreting the AI Act's provisions, the overarching purpose and legislative goals should always be considered, with ambiguities resolved in favor of these objectives. The AI Act follows a risk-based regulatory approach, categorizing AI systems and models into different risk classes with varying legal consequences. This approach is visualized in a risk pyramid, with prohibited practices at the top, followed by high-risk AI systems, AI systems with transparency obligations, and finally, systems with minimal risk. The implementation timeline is phased: general provisions and prohibitions on unacceptable risk practices apply from February 2, 2025; rules for GPAI models from August 2, 2025; full application of the regulation from August 2, 2026; and further obligations for specific AI systems by the end of 2030.

The AI Act employs a risk-based approach to categorize AI systems, leading to different compliance obligations. Step 2 guides users through classifying their AI system into one of these risk categories. This involves several sub-steps. First, it's determined if the system falls into a prohibited category under Article 5 of the AI Act, which outlines practices with unacceptable risks. If not prohibited, the next assessment (Step 2.3) is whether the system is classified as 'high-risk' according to Article 6(2) and Annex III. Annex III lists specific use cases that are considered high-risk due to their potential impact on health, safety, and fundamental rights. Even if a system is identified as high-risk, Step 2.4 checks for any applicable exceptions under Article 6(3). If the system is neither prohibited nor high-risk, it is considered to pose a 'low risk' (Step 2.5). The AI Act does not explicitly use the term 'low-risk AI systems' but refers to 'other AI systems than high-risk AI systems.' These low-risk systems, while not subject to the stringent requirements of high-risk systems, may still have certain transparency obligations or general obligations like promoting AI competence.

For AI systems classified as high-risk, the AI Act imposes significant compliance obligations on both providers and deployers. Step 4.1 details the duties of providers of high-risk AI systems. These include establishing and maintaining a quality management system, fulfilling risk management obligations, ensuring data governance, maintaining technical documentation, complying with record-keeping requirements, implementing appropriate human oversight measures, and ensuring accuracy, robustness, and cybersecurity. Providers must also undergo a conformity assessment procedure. Step 4.2 outlines the obligations for deployers of high-risk AI systems. These include using the AI system in accordance with the instructions provided by the provider, monitoring the system's performance, ensuring human oversight, and maintaining records of the system's operation. Deployers must also inform natural persons when they are interacting with an AI system and ensure that the system is used in a way that does not compromise fundamental rights.

Step 6 outlines the conformity assessment procedure, a critical process for demonstrating compliance with the AI Act's requirements, particularly for high-risk AI systems. Step 6.1 inquires about the availability of harmonized standards or common specifications that cover the requirements outlined in Chapter III, Section 2 of the AI Act. These standards, once published, can simplify the conformity assessment process. Step 6.2 details the execution of the required conformity assessment procedure, which varies depending on the risk classification and the specific type of high-risk AI system. This may involve self-assessment by the provider or assessment by a notified body. Step 6.3 addresses what actions are necessary after the conformity assessment is successfully completed, including affixing the CE marking and drawing up an EU declaration of conformity. Step 6.4 provides guidance on the procedure to follow in case of substantial modifications to the AI system, which may require a new conformity assessment.

The AI Act acknowledges the role of co- and self-regulation in complementing the legislative framework. Section 10 discusses the general principles of co- and self-regulation, which can provide more detailed guidance and industry-specific best practices. An excursus is dedicated to Codes of Practice for General Purpose AI (GPAI), highlighting how these voluntary codes can help address the unique challenges and risks associated with GPAI models. These mechanisms aim to foster a more agile and responsive regulatory environment, allowing industries to adapt to rapid technological advancements while adhering to the AI Act's core principles.

Section 12 introduces the concept of 'AI Sandboxes' (KI-Reallabore). The purpose of these regulatory sandboxes is to foster innovation by allowing companies, particularly SMEs and startups, to develop and test innovative AI systems under a relaxed regulatory framework. The guide provides an overview of the regulatory landscape for AI sandboxes, explaining their function and the benefits they offer. It details the establishment and operation of these sandboxes, including specific provisions that may privilege SMEs, enabling them to experiment with cutting-edge AI technologies in a controlled environment while still ensuring a degree of oversight and safety.