The world officially has its first comprehensive set of major regulations specifically targeting artificial intelligence: the European Union's AI Act. The AI Act was first introduced in 2021, garnering political consensus among European lawmakers in December of last year, and leading many experts to conclude its eventual passage was merely a matter of time. That expectation proved correct when the European Parliament passed the AI Act on March 13.
The AI Act takes a "risk-based" approach, placing AI systems into one of four risk categories, ranging from "minimal" to "unacceptable," based on the relative threat they pose. The AI Act imposes few, if any, limitations on minimal-risk AI, including spam filters and AI-enabled video games. On the other side of the spectrum are unacceptable-risk AI categories, which include social scoring systems and predictive policing and are banned outright by the AI Act. The AI Act also specifically targets and imposes various regulations on generative AI products, including rules related to the transparency of their training data sets, reporting serious incidents, and labeling manipulated images. The AI Act requires that certain AI systems, including those in the high-risk category, be registered with a centralized database.
The AI Act applies to AI system deployers, providers, and distributors/importers. The Act defines a deployer as any legal or natural person using an AI system under their authority in a professional capacity, e.g., companies deploying AI as part of their business. Providers are any entity that develops an AI system and "places it on the market," whether or not they charge a fee. Importers and distributors are, generally stated, entities involved in the supply chain of offering an AI system in the EU that they themselves did not develop. The AI Act has a significant extraterritorial effect, as does the General Data Protection Regulation (GDPR). While the AI Act applies only to deployers and importers located or established in the EU, those geographic limits do not apply to providers or distributors.
Full-scale compliance with the AI Act will be a monumental endeavor for many companies, particularly those that develop AI or leverage AI tools extensively. Even before the official passage of the AI Act, many companies had already begun taking steps toward compliance. Their endeavors were aided by a late-January leak of the pre-final text of the AI Act, assumed to be very close, if not identical to, the final version.
With the passage of the AI Act, the EU is yet again the first mover in attempting to comprehensively regulate an emerging technology. As with GDPR and its impact on data privacy, many commentators believe the AI Act will create an AI regulatory reference point, prompting other jurisdictions to follow suit with copycat AI-targeted legislation. Other commentators are less laudatory of the EU AI Act's prospects, noting that it could quickly become outdated as AI continues to evolve rapidly.
After receiving approval from the EU member states, the AI Act is expected to become law in May or June of this year. Its provisions will come into effect in stages, beginning six months after its implementation with a ban on unacceptable-risk categories of AI. The AI Act is expected to be in full force by mid-2026.