Last year, a new regulation on artificial intelligence (“AI Act”) was published in the Official Journal of the European Union. This new AI Act lays down legal framework for the development, placing on the market, putting into service and use of artificial intelligence systems (“AI systems”) in the EU, in order to, inter alia, promote the uptake of human centric and trustworthy artificial intelligence, protect against harmful effects of AI systems and to support innovation.
What is AI?
AI is a fast-evolving technology that offers numerous benefits across various industries. AI can provide a number of solutions and improvements particularly evident in fields such as healthcare, food safety, education, media, infrastructure management, transportation and logistics. However, the use of AI can also pose risks and potentially cause harm. Having this in mind, it is of paramount importance to support the development and use of AI, on one hand, as well as to meet a high level of protection of public interests, such as health and safety and protection of fundamental rights, on the other hand. This should be achieved by regulating this technology, i.e., regulating placing on the market, putting into service and use of certain AI systems.
Summary of the AI Act
In order to ensure effective protection of rights and freedoms of individuals across the European Union, the rules established by the AI Act apply to both public and private entities from the EU or from a third country if the AI system is placed on the EU market, or its use has an impact on individuals located in the EU.
We are hereby providing a brief overview of some of the key provisions of the AI Act.
Risk-Based Approach
The AI Act defines 4 levels of risk for AI systems: (i) Unacceptable risk; (ii) High-risk; (iii) Limited risk; and (iv) Minimal risk.
Unacceptable risk (Prohibited AI practices)
Aside from the many beneficial uses of AI, certain AI practices can be particularly harmful and shall therefore be prohibited. In accordance with the AI Act, placing on the market, putting into service or use of an AI systems that exploit vulnerabilities related to age, disability or a specific social or economic situation, AI systems that deploy subliminal, manipulative or deceptive techniques to distort behavior, or AI systems for emotion recognition in the workplace and education institutions (except when used for medical or safety reasons), etc., are considered as AI practices that shall be prohibited.
High-risk AI systems
High-risk AI systems include AI used in areas such as critical infrastructure (AI systems intended to be used as safety components in the management and operation of critical digital infrastructure, road traffic, or in the supply of water, gas, heating or electricity), education and vocational training (AI systems intended to be used to evaluate learning outcomes), employment, workers’ management and access to self-employment (AI systems intended to be used for the recruitment or selection, in particular to place targeted job advertisements, to analyze and filter job applications, and to evaluate candidates), education, etc.
These AI systems shall not be considered to be high-risk in case the specific AI system does not pose a significant risk of harm to health, safety or fundamental rights of natural persons, and if- the AI system is intended to perform a narrow procedural task, improve the result of a previously completed human activity, detect decision-making patterns or deviations from prior decision-making patterns and is not meant to replace or influence the previously completed human assessment, without proper human review, or to perform a preparatory task to an assessment relevant for the purposes of the use cases listed in Annex III of the AI Act.
However, AI systems shall always be considered to be high-risk when they perform profiling of natural persons (i.e. automated processing of personal data, such as for the purpose of assessing work performance).
A provider of an AI system referred to in Annex III of the AI Act as a high-risk AI system who considers that the specific AI system is not high-risk shall document its assessment before the system is placed on the market or put into service, as well as register the system in the EU database.
In accordance with the AI Act, the EU Commission shall, after consulting the European Artificial Intelligence Board, and no later than 2 February 2026, provide guidelines specifying the implementation of the above provisions, together with a comprehensive list of practical examples of use cases of AI systems that are high-risk or not high-risk.
Requirements and obligations for high-risk AI systems
High-risk AI systems shall comply with certain requirements prescribed in the AI Act before they can be placed on the market.
For example, a risk management system shall be established, implemented, documented and maintained. The purpose of this risk management is to identify any possible risks that the high-risk AI system can pose and adopt appropriate measures in order to address these risks. Moreover, the technical documentation of a high-risk AI system shall be drawn up before that system is placed on the market or put into service and shall be kept up-to date, and an appropriate human oversight shall also be provided in order to minimize potential risks.
In relation to the high-risk AI systems, different roles in the AI value chain have certain obligations.
The majority of obligations fall on providers (developers) of high-risk AI systems. For example, providers of high-risk AI systems shall ensure that the high-risk AI system is in compliance with all of the requirements prescribed in the AI Act, have a quality management system in place that ensures compliance with the AI Act, keep a set of prescribed documentation at the disposal of the competent authorities, etc.
It is important to note that the AI Act also applies to providers placing on the market or putting into service AI systems in the EU, even if they are established or located in a third country, as well as to providers and deployers of AI systems that have their place of establishment or are located in a third country, where the output produced by the AI system is used in the EU.
Providers established or located in a third country shall, prior to making their high-risk AI system available on the EU market appoint a representative, who shall be authorized to cooperate with competent authorities in relation to the high-risk AI system.
Moreover, importers of a high-risk AI system are obliged to, before placing it on the market, ensure that the system is in compliance with the AI Act, by ensuring that the provider has appointed an authorized representative, among other requirements.
Deployers (entity using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity) also have some obligations (certainly less than providers), such as obligation to cooperate with the relevant competent authorities in any action those authorities take in relation to the high-risk AI system. It should also be noted that deployers who are employers and intend to use a high-risk AI system at the workplace, shall inform workers’ representatives and the affected workers that they will be subject to the use of a high-risk AI system. This applies to deployers located in the EU, as well as third country deployers where the AI system’s output is used in the EU.
Limited risk AI systems
Providers and deployers of limited risk AI systems are subject to lighter transparency obligations. These requirements mostly comprise providing certain information to end-users (such as information that they are interacting with an AI system in cases when the AI system is intended to interact directly with the natural person – e.g. chatbots) or disclosing that the content has been artificially generated, etc.
Minimal risk AI systems
Minimal risk AI systems are unregulated. Those are the AI systems that pose very little or no risk to the safety, rights, or well-being of individuals (such as AI systems that recommend movies, music, or books based on user preferences (e.g., Netflix, Spotify), or AI systems in wearable devices (e.g., Apple Watch) that track exercise, heart rate, or steps).
Application of the AI Act
The AI Act entered into force on 1 August 2024, and it shall apply from 2 August 2026. However, the provisions regulating prohibited AI systems shall apply from 2 February 2025; some provisions regulating high-risk AI systems shall apply from 2 August 2026, while others shall apply from 2 August 2027.
Conclusion
The AI Act marks a pivotal moment in AI regulation. While it sets ambitious goals for the safe, transparent, and ethical deployment of AI, businesses must act now to prepare for its full implementation. Early action will help businesses avoid penalties and build trust with consumers by demonstrating a commitment to responsible AI use.
By Katarina Rosic, Senior Associate, and Andjela Sever, Associate, JPM Partners
