Written by Kieran Harte

Following agreement by the Committee of Permanent Representatives (COREPER) on 2 February 2024 and the adoption by the European Parliament’s Internal Market and Civil Liberties Committees on 13 February 2024, the EU has moved a step closer to adopting a landmark Artificial Intelligence (AI) Act, in a world’s first, following endorsement by EU countries of the political agreement reached in December 2023.

The regulation will be based on a future-proof definition of AI following a risk-based approach, as opposed to the principles-based approach taken by the United Kingdom. It will apply right across industry and services from the banking and retail to car and airline sectors. It will also set parameters for the use of AI for military, crime, and security purposes.

The AI Act has been designed to balance innovation and safety, fostering reassurance through its obligations on compliance, transparency, and accountability, in a similar way to GDPR, while at the same time ensuring responsible and trustworthy development of AI that will encourage investment and innovation in the technology.

Most AI systems will not be regulated as they pose a minimal risk to EU citizens right and freedoms. Unacceptable risks that pose a clear threat to the fundamental rights of people, such as emotion recognition systems in workplace setting will be prohibited. High-risk AI systems will be expected to meet strict mandatory requirements, including systems for assessing and mitigating risk, quality datasets, activity logging, transparency obligations, and human oversight. Users will also be made aware that they are interacting with a machine – deep fakes and other AI generated content will be labelled as such, while systems will be designed so that synthetic content is marked in a machine-readable format and detectable as artificially generated or manipulated.

Companies breaching the rules risk facing fines that would range from €35 million or 7% of global annual turnover (whichever is higher) for violations of banned AI applications, €15 million or 3% for violations of other obligations and €7.5 million or 1.5% for providing incorrect information. SMEs and start-ups will face proportionately reduced fines for infringements of the AI Regulation.

The Regulation will enter into force in mid-2024 and should apply from 2026, although parts of the legislation will kick in earlier, such as the ban on prohibited practices that will apply after 6 months. The next step for the AI Act is a plenary vote by the European Parliament scheduled for the week of 10 April 2024.

Separately, the UK National Cyber Security Centre has published a report on the near-term impact of AI on the cyber threat on how AI will impact the efficacy and effectiveness on cyber operations and the cyber threats posed by AI in the next couple of years. It notes that AI is already being used to a certain extent by cyber threat actors, and that it makes it easier for other cyber criminals and hacktivists to operate.