Four years after its initial proposal, the EU AI Act is now in force, marking the world's first AI legislation. This landmark ruling governs the development, use, and application of AI across the European Union.

It requires that AI systems introduced in Europe adhere to standards of safety, transparency, non-discrimination, traceability, and environmental friendliness. The Act also establishes a classification system based on the level of risk associated with different AI applications, ranging from minimal risk to complete prohibition.

High-risk applications will require extra controls to ensure data security and minimise bias, and they may need to share detailed documentation with authorities to meet conformity assessment. Companies that breach the EU AI Act could face significant fines ranging from €35 million (£29 million) or 7% of global annual revenues, whichever is higher, to €7.5 million or 1.5% of global annual revenues, depending on the infringement and company size.

Risk-Based Classification:

The Act introduces a risk-based classification system based on the risk posed to the individuals using the solution:

High Risk: Includes services affecting citizens' lives (e.g., creditworthiness evaluation, educational opportunities, critical infrastructure). These must undergo strict assessment regimes before market introduction. The EU will regularly update this list.

Limited Risk: AI applications with obligations such as disclosing user interaction with an AI system.

Minimal Risk: Applications like spam filtering or video games are deemed minimal risk and not subject to further regulatory requirements.

Prohibited AI Applications: The Act outlines several uses and applications that will be banned under the regulation. Banned applications include AI systems that:

• Use manipulative techniques
• Exploit vulnerabilities
• Implement social scoring
• Engage in untargeted web-scraping for facial-recognition databases
• Employ emotion-inference systems in workplaces or educational settings (except for medical or safety reasons)
• Conduct predictive policing based solely on profiling

It's important to note that the rules on prohibited AI systems will be among the first provisions to take effect in February 2025. See below for a full timeline of when other requirements will take effect.‍

Compliance Requirements

Compliance requirements vary depending on the risk level of a system. High-risk systems must undergo a Conformity Assessment to demonstrate adherence to the AI Act before being placed on the EU market. For example, high-risk systems will need to implement a quality management system (QMS) that meets compliance with the regulation.

The QMS will need to include but is not limited to:

• Strategy for regulatory compliance, including conformity assessment procedures and procedures for managing modifications to the high-risk AI system.
• Examination, test, and validation procedures are to be carried out before, during, and after the development of the high-risk AI system, and the frequency with which they must be carried out.
• Systems and procedures for data management, including data acquisition, data collection, data analysis, data labelling, data storage, data filtration, data mining, and any other processing of the data performed before and for the purpose of placing high-risk AI systems on the market or putting them into service.

For applications processing highly sensitive information, an external certification body may be required. This process is similar to the current ISO 27001 process, where notified bodies evaluate the system and its documentation, issuing a certificate if compliant or mandating corrective actions if not.

Implementation Timeline

• 2 February 2025: Rules on prohibited AI systems and AI literacy take effect.
• 2 August 2025: Provisions for general-purpose AI models become applicable.
• 2 August 2026: Rules for Annex III high-risk AI systems and regulatory sandboxes come into play.
• 2 August 2027: Remaining provisions of the Act become fully applicable.

Impact on Non-EU Businesses

Aside from businesses based in the EU, the AI Act applies to any company with customers in the EU or where AI system outputs are used in the EEA. This includes businesses in the UK and USA. Some organisations have already opted to limit or not roll out services across the EU ahead of the Act, including Meta, which has pulled the release of its most advanced AI model across the EU in light of regulatory uncertainty.

For guidance on what this means for your business, please reach out to our compliance team. They are on hand to determine whether this affects your business and to guide you through the necessary controls to meet compliance.

Other Developments to Consider

On this side of the channel, while we await details of the Cyber Resilience Bill and whether it includes AI or results in a complete AI bill, there are several upcoming developments for AI-enabled healthcare solutions.

The MHRA is now calling for solutions to join its Regulatory Sandbox AI-Airlock. This sandbox aims to support the development and deployment of AI and software-based medical devices. With the review of the Medical Device Regulations, several AI products are expected to be moved to higher-risk categories and potentially have additional compliance requirements. This change aligns with the risk-based classification system outlined in the Medical Devices Regulations.

Additionally, there is upcoming guidance to consider:

• Cyber Security for AI and Software-Based Medical Devices: This guidance, expected by Spring 2025, will address cybersecurity concerns specific to AI and software-based medical devices.
• Human Factors in AI Medical Devices: Guidance on applying human factors to AI-based medical devices is also due for release in Spring 2025.

We'll soon publish our in-depth AI guide to help you navigate these changes. In the meantime, please contact our compliance team if you have any questions about how these AI developments might impact your business. They are ready to assist you in understanding the implications and ensuring your compliance. Stay tuned for more updates.

‍