The EU AI Act: Ten key things to know

The EU AI Act distinguishes between AI Systems and General-Purpose AI Models, laying down compliance obligations in respect of each of these. 

AI Systems

The definition of AI Systems in the EU AI Act aligns with the OECD definition with the EU AI Act recitals stating that this has been done in order "to ensure legal certainty, facilitate international convergence and wide acceptance". Under the EU AI Act, an AI System is:

"a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments"

As flagged in the Recitals to the EU AI Act, a key characteristic of an AI System is its ability to "infer" which the EU AI Act states "transcends basic data processing by enabling learning, reasoning or modelling" [Recital 12].

In order to qualify as an AI System under the EU AI Act all elements of the definition (noted above) will need to be met. It is therefore possible that software which contains AI may not qualify as an AI System under the EU AI Act, and conversely AI which might not be commonly thought of as such could be caught as an AI System under the EU AI Act.

AI Models

Intriguingly, the EU AI Act does not define "AI Models", but instead only defines General-Purpose AI Models (such as Large Language Models, or LLMs).

General-Purpose AI Models are defined in the EU AI Act as being:

"an AI model, including where such an AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks"

The EU AI Act states, in the Recitals, that "models with at least a billion of parameters and trained with a large amount of data using self-supervision at scale should be considered to display significant generality and to competently perform a wide range of distinctive tasks".

Parameters (noted above) are, in essence, the variables that an AI model learns from during training to improve their ability to make accurate predictions.

For context, in relation to the reference of 1 billion parameters, it is thought that OpenAI's GPT-4 has around 1.76 trillion parameters and Anthropic's Claude 2 is estimated to have over 130 billion parameters. As such, many of the more powerful AI models on the market will clearly exceed the threshold that the EU AI Act envisages in order to qualify as a General-Purpose AI Model.

General-Purpose AI Models require the addition of other components, such as a user interface, in order to become an AI System. Large Language Models, or LLMs, are a common example of General-Purpose AI Models.

As discussed earlier, the EU AI Act distinguishes between AI Systems and General-Purpose AI Models, laying down compliance obligations in respect of each of these.

We summarise each of these in turn below.

AI Systems

For AI Systems, the EU AI Act adopts a tiered approach based on the perceived risk level:

• Certain AI design techniques and use cases are prohibited.
• A range of use cases for AI Systems are designated as being high-risk.
• Other AI Systems are considered low risk.

Prohibited AI Systems

The EU AI Act prohibits the use of certain AI Systems - these include:

• Deploying subliminal, manipulative, or deceptive techniques to distort behaviour and impair informed decision-making, causing significant harm.
• Exploiting vulnerabilities related to age, disability, or socio-economic circumstances to distort behaviour, causing significant harm.
• Biometric categorisation systems, except labelling or filtering of lawfully acquired biometric datasets or when law enforcement categorises biometric data.
• Social scoring systems
• Systems which are used to assess the risk of an individual committing criminal offences solely based on profiling or personality traits, except when used to augment human assessments based on objective, verifiable facts directly linked to criminal activity.
• Compiling facial recognition databases by untargeted scraping of facial images from the internet or CCTV footage.
• Inferring emotions in workplaces or educational institutions, except for medical or safety reasons.
• ‘Real-time’ remote biometric identification in publicly accessible spaces for law enforcement, except in very limited situations (e.g. related to anti-terrorism).

Prohibited AI: EU AI Act Timeline

As per the timetable when the EU AI Act will come into effect (please see a summary of this timetable in Key Point Five), the obligations around prohibited AI came into effect on 2 February 2025. The European Commission published Guidelines on 4 February 2025 which provide an overview of AI practices that are deemed unacceptable due to their potential risks to European values and fundamental rights.

High-Risk AI Systems

The majority of the compliance obligations in the EU AI Act fall on providers of high-risk AI Systems. There are two categories of high-risk AI Systems under the EU AI Act:

1. High-risk AI Systems used as a safety component or a product covered by EU laws listed in Annex I of the EU AI Act and which are required to undergo a third-party conformity assessment under those Annex I laws.

2. AI Systems which fall under a use case in Annex III of the EU AI Act. Annex III covers use cases such as:

• Biometrics
• Critical infrastructure
• Education and vocational training
• Employment, workers management and access to self-employment
• Access to and enjoyment of essential private services and essential public services and benefits
• Law enforcement
• Migration, asylum and border control management
• Administration of justice and democratic processes

Article 6(3) of the EU AI Act contains an exemption to the above for use cases that would otherwise fall within the scope of Annex III (and therefore be deemed high risk). Under Article 6(3), a provider can conduct a risk assessment in order to demonstrate that:

• the AI System does not pose a significant risk of harm to the health, safety or fundamental rights of natural persons;
• the above is satisfied due to one of the four criteria listed in Article 6(3) being fulfilled - namely, where the AI system:
  • performs a narrow procedural task;
  • improves the result of a previously completed human activity;
  • detects decision-making patterns or deviations from prior decision-making patterns and is not meant to replace or influence the previously completed human assessment without proper human review; or
  • performs a preparatory task to an assessment relevant for the purpose of the use cases listed in Annex III.

This risk assessment must have been conducted and documented before the AI system is placed on the market or put into service. The provider is also required to register the AI system in an EU database maintained by the Commission.

AI Systems that profile individuals will always be considered high-risk and will not be able to rely on the exemption in Article 6(3).

High-Risk AI: EU AI Act Timeline

As per the timetable when the EU AI Act will come into effect (please see a summary of this timetable in Key Point Five), the obligations:

• around high risk AI Systems listed in Annex I will come into effect on 2 August 2027.
• around high risk AI Systems listed in Annex III will come into effect on 2 August 2026.

General-Purpose AI Models

The EU AI Act effectively creates two categories of General-Purpose AI Models: (1) those with systemic risk; and (2) those without systemic risk.

In contrast to the rules around AI Systems, the regime in the EU AI Act governing General-Purpose AI Models is use case agnostic.

General-Purpose AI Models without systemic risk

For a look at the definition of General-Purpose Models without systemic risk under the EU AI Act, please see Key Point 1.

General-Purpose AI Models with systemic risk

The EU AI Act seeks to place additional obligations on those General-Purpose AI Models that are considered to have systemic risk. General-Purpose AI Models are considered to have "systemic risk" where one of two conditions are met:

• The General-Purpose AI Model has “high impact capabilities” evaluated on the basis of technical tools and methodologies, or
• The General-Purpose AI Model is designated by the EU Commission as having capabilities or impact equivalent to those set out in point (1) having regard to the criteria set out in Annex XIII of the EU AI Act.

A General-Purpose AI Model is presumed to have “high impact capabilities” if the cumulative amount of computation used for its training is more than 10^25 floating point operations.

AIA Timeline

As per the timetable when the EU AI Act will come into effect (please see a summary of this timetable in Key Point 5), the obligations around General-Purpose AI Models will come into effect on 2 August 2025.

The EU AI Act distinguishes between AI Systems and General-Purpose AI Models, laying down compliance obligations in respect of each of these. As such, the territorial scope of the EU AI Act needs to be considered in respect of each of these categories of AI. We consider these in turn below.

In this context, it is also worth noting a few key definitions in the EU AI Act:

• “Placing on the market”: means the first making available of an AI System or a General-Purpose AI Model on the European Union market.
• “Making available on the market”: means the supply of an AI System or a General-Purpose AI Model for distribution or use on the European Union market in the course of a commercial activity, whether in return for payment or free of charge.
• “Putting into service”: means the supply of an AI System for first use directly to the deployer or for own use in the European Union for its intended purpose.

AI Systems

The EU AI Act is engaged where an AI System is:

• placed on the EU market, put into service in the EU, imported into or distributed in the EU (irrespective of where the provider of the AI System is established); or
• used by a deployer who has their place of establishment or is located in the EU.

The EU AI Act is also engaged where the output produced by an AI System is used in the EU, even if that output is generated outside the EU.

General-Purpose AI Models

The EU AI Act is engaged where a provider of a General-Purpose AI Model places it on the market in the EU or puts it into service in the EU – irrespective of where the provider is located or established.

Authorised Representative

The EU AI Act requires that: (a) providers of high-risk AI Systems; and (b) providers of General-Purpose AI Models, established outside the EU must appoint an authorised representative.

An authorised representative is defined as a natural or legal person located or established in the EU who has received and accepted a written mandate from a provider of an AI System or a General-Purpose AI Model to, respectively, perform and carry out on its behalf the obligations and procedures established by the EU AI Act.

The role of an authorised representative includes ensuring that the documentation required by the AI Act is available to the competent authorities and co-operating with those authorities

As outlined above, the EU AI Act has a broad personal and territorial scope. However, there are a few areas that are explicitly carved out and stakeholders in these areas are not required to comply with the rules of the EU AI Act.

Military, defence or national security purposes

The EU AI Act does not apply to AI Systems where and in so far as they are placed on the market, put into service, or used with or without modification exclusively for military, defence or national security purposes, regardless of the type of entity carrying out those activities.

Research and development

The EU AI Act does not affect AI Systems or AI Models, including their output, specifically developed and put into service for the sole purpose of scientific research and development.

Additionally, the EU AI Act does not apply to any research, testing or development activity regarding AI Systems or Models prior to their being placed on the market or put into service. However, testing in real-world conditions is caught by the EU AI Act.

Public authorities in a third countries and international organisations

The EU AI Act does not apply to public authorities in a third country, nor to international organisations meeting the requirements of one of the aforementioned AI Act roles.

This exemption only applies where those authorities or organisations use AI Systems in the framework of international cooperation or agreements for law enforcement and judicial cooperation with the EU or with one or more Member States, provided that such a third country or international organisation provides adequate safeguards with respect to the protection of fundamental rights and freedoms of individuals.

Open source

The EU AI Act does not apply to AI Systems released under free and open-source licences. For a more detailed discussion around open source AI and the EU AI Act, please see Key Point 9.

The following is a high-level summary of when the various elements of the EU AI Act come into effect.

Implementation Timetable

Key dates to be aware of are:

Transitional Arrangements under the EU AI Act

The EU AI Act also contains some transitional arrangements, these are as follows:

• General-Purpose AI Models placed onto the market before 2 August 2025 will need to comply with the EU AI Act by 2 August 2027.
• High-risk AI Systems which have been placed on the market or put into service before 2 August 2026 and are intended to be used by public authorities will need to comply with the EU AI Act by 2 August 2030.
• High-risk AI Systems placed on the market or put into service prior to 2 August 2026 shall not be subject to the EU AI Act, unless such systems are subject to "significant change" in design, in which case, the EU AI Act provisions would apply in full from 2 August 2026.
• Components of large-scale IT systems listed in Annex X of the EU AI Act, which have been placed on the market or put into service before 2 August 2027 will need to comply with the EU AI Act by 31 December 2030.

The EU AI Act creates a "value chain", which maps compliance obligations across different "operators". These "operators" are:

• Providers;
• Deployers;
• Importers; and
• Distributors.

The following is a high-level summary of the various operators within the value chain under the EU AI Act. Determining your role within the AI value chain will be critical to determining your obligations under the EU AI Act.

The EU AI Act mainly focuses on providers and deployers, and so the following will in turn also focus on those operator roles.

Provider

• Applicable to: AI Systems and General-Purpose AI Models
• Role: a provider is an operator who either:
  • develops an AI System or a General-Purpose AI Model; or
  • has an AI System or General-Purpose AI Model developed and either places such AI System or General-Purpose AI Model on the market, or puts the AI system into service under their own name or trademark.

Providers are subject to the majority of the obligations under the EU AI Act and so determining whether an entity qualifies as a provider will be a crucial step in determining the applicable compliance obligations under the EU AI Act.

Deployer

• Applicable to: AI Systems only
• Role: a provider is an operator who uses an AI system under its authority except where the AI system is used in the course of a personal non-professional activity.

Downstream Provider

• Applicable to: AI Systems and General-Purpose AI Systems
• Role: a provider of an AI System, including a General-Purpose AI System, which integrates an AI Model, regardless of whether the AI Model is provided by themselves and vertically integrated or provided by another entity based on contractual relations.

Downstream providers are granted certain rights under the EU AI Act, including:

• the right to lodge a complaint alleging an infringement of the EU AI Act in respect of a General-Purpose AI Model; and
• the right to be provided with the information listed in Annex XII of the EU AI Act by the provider of the relevant General-Purpose AI Model.

Transfer of Provider Role (High-Risk AI Systems)

In certain scenarios, the EU AI Act provides that "operators" (other than the "original" provider) can be considered a provider of a high-risk AI System.

Any distributor, importer, deployer or other third-party will be considered to be a provider of a high-risk AI System , in any of the following circumstances:

• they put their name or trademark on a high-risk AI System already placed on the market or put into service;
• they make a "substantial modification" to a high-risk AI System that has already been placed on the market or has already been put into service in such a way that it remains a high-risk AI System;
• they modify the intended purpose of an AI System, which has not been classified as high-risk and has already been placed on the market or put into service in such a way that the AI system concerned becomes a high-risk AI System.

Fine-tuning a General-Purpose AI Model

The EU AI Act indicates that where a party modifies or fine-tunes a third party General-Purpose AI Model and integrates that modified or fine-tuned model into their own AI System (or otherwise places a fine-tuned General-Purpose AI Model on the market or puts it into service) , then they will be considered the provider with respect to that modified or fine-tuned model only.

Importer

• Applicable to: AI Systems only
• Role: an importer is an operator located or established in the European Union that places on the market an AI System that bears the name or trademark of a natural or legal person established in a third country.

Distributor

• Applicable to: AI Systems only
• Role: a distributor is an operator that makes an AI System available on the Union market.

The EU AI Act distinguishes between AI Systems and General-Purpose AI Models, laying down certain transparency requirements in respect of AI Systems.

 We provide a high-level summary of the transparency requirements that apply to providers and deployers of AI Systems below.

Provider Obligations

Deployer Obligations

Timing for provision of transparency information

The transparency information, summarised above, needs to be provided:

• in a clear and distinguishable manner;
•  at the latest at the time of the first interaction or exposure to the AI System;
• in accordance with applicable accessibility requirements.

High-risk AI Systems

The transparency information, summarised above, are explicitly stated in the EU AI Act to operate alongside the requirements for high-risk AI Systems (as set out in the EU AI Act), and other applicable laws that relate to transparency (either under EU or national law).

Codes of Practice

The AI Office is responsible for drawing up codes of practice to facilitate the effective implementation of the obligations regarding the detection and labelling of artificially generated or manipulated content.

As discussed above, the EU AI Act distinguishes between AI Systems and General-Purpose AI Models, laying down certain transparency requirements in respect of General-Purpose AI Models.

We provide a high-level summary of these transparency requirements below.

Transparency requirements for General-Purpose AI Models

Under the EU AI Act, providers of General-Purpose AI Models are required to:

(a) draw up and keep up-to-date certain technical documentation which contains a description of the model development process, including around its training and testing (with such technical documentation containing, at a minimum, the information set out in Annex XI of the EU AI Act) for the purpose of providing it, upon request, to the AI Office and the national competent authorities;

(b) prepare, maintain and provide certain information to downstream AI System providers (i.e. those who wish to integrate the General-Purpose AI Model into their AI System) so that such downstream providers have a good understanding of the capabilities and limitations of the General-Purpose AI Model (this information should contain, at a minimum, the elements set out in Annex XII of the EU AI Act);

(c) establish a policy to comply with EU law on copyright and related rights, in particular the right to opt-out of text and data mining under Article 4(3) of Directive (EU) 2019/790; and

(d)prepare and make publicly available a sufficiently detailed summary about the content used for training of the General-Purpose AI Model (the AI Office is tasked under the EU AI Act with providing a template for this purpose).

The EU AI Act recognises that the information required to be provided under (b), above, can be balanced against the need to protect confidential information and trade secrets of the provider.

The obligations under (a) and (b) above do not apply to General-Purpose AI Models made available on an open source basis. Please see the wider article for a discussion about open source and the EU AI Act.

Codes of Practice

The EU AI Act states that providers of General-Purpose AI Models may rely on Codes of Practice published by the AI Office in order to demonstrate compliance with the transparency obligations outlined above, until a harmonised standard is published.

The European Commission has published initial drafts of its 'General-Purpose AI Code of Practice' which it plans to finalise by April 2025.

As outlined earlier, the EU AI Act requires all deployers and providers of AI systems to ensure that their personnel have a sufficient level of AI literacy.

What is AI Literacy under the EU AI Act?

The EU AI Act defines AI literacy as being skills, knowledge and understanding that allow providers, deployers and affected persons to make an informed use of AI Systems, as well as to gain awareness about the opportunities and risks of AI and possible harm it can cause.

What does the EU AI Act Require?

Under the EU AI Act, providers and deployers of AI Systems are required to take measures to ensure a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf.

The level of AI literacy required should take into account the:

• technical knowledge, experience, education and training of the relevant individuals;
• context the AI Systems are to be used in; and
• persons or groups of persons on whom the AI Systems are to be used.

It is worth noting that:

• the AI literacy requirements under the EU AI Act only apply to AI Systems, and not to General-Purpose AI Models;
• the EU AI Act refers to voluntary codes of conduct regarding AI literacy; and
• administrative fines are not foreseen for failure to comply with the AI literacy obligations in the EU AI Act.

When do the AI literacy requirements under the EU AI Act apply from?

The AI literacy requirements under the EU AI Act came into effect on 2 February 2025. For further information around the EU AI Act implementation timeline, please see Key Point 5.

How we can help: a tailored approach

The EU AI Act makes clear that providers and deployers will need to tailor their AI literacy programme depending on a range of factors, such as the nature of the AI System at hand and the relevant knowledge level within its organisation.

Ensuring AI literacy in your business is not just a requirement of the EU AI Act, it is prudent governance. It is not a "set and forget" exercise, it is ongoing and should evolve as AI technology develops. Your AI literacy programme should stay up-to-date with the latest AI trends, technologies, and best practices.

We are helping many of our clients to design and implement bespoke AI literacy training and governance programmes across their business.

In our experience any AI literacy programme should have three core pillars:

• Technical understanding - an understanding of how AI works, proportionate to the level of technical knowledge required for the relevant staff role.
• Practical understanding - for deployers, an understanding of how to make the most of AI Systems including, for example how to construct an effective prompt for a generative AI System.
• Ethical understanding - an understanding of the ethical implications of AI, along with (combined with the technical understanding pillar) the shortfalls and limitations of AI Systems.

This following is a high-level summary of how the EU AI Act approaches open source AI. As discussed in our overview article, the EU AI Act distinguishes between AI Systems and General-Purpose AI Models, laying down compliance obligations in respect of each of these.

The approach regarding open source AI Systems and General-Purpose AI Models is considered in turn below.

AI Systems

The EU AI Act states that the regulation does not apply to AI Systems released under free and open-source licences, unless "placed on market" or "put into service" as:

• A high risk AI System;
• An AI System that is prohibited under the EU AI Act;
• An AI System that falls within the scope of the transparency requirements in Article 50 of the EU AI Act (essentially, this will be the case where an AI System interacts directly with individuals or exposes individuals to AI-generated (synthetic) content).

As such, the open source exceptions for AI Systems under the EU AI Act are fairly limited.

General-Purpose AI Models

General-Purpose AI Models are exempt from the requirements of the EU AI Act where these are released under free and open-source licences that allow for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available.

Even where this exemption does apply, the provider will still need to:

• put in place a policy to comply with EU law on copyright, in particular to identify and comply with a reservation of rights expressed pursuant to the EU Copyright Directive; and
• draw up and make publicly available a sufficiently detailed summary about the content used for training of the General-Purpose AI Model.

It is also worth noting that:

• if access is provided to a General-Purpose AI Model on a paid for basis, then it will not benefit from the exemptions around open source under the AIA; and
• open source General-Purpose AI Models are exempt from the transparency requirements under Article 50 of the EU AI Act - however, please note the below.

General-Purpose AI Models with Systemic Risk

The exception in the EU AI Act regarding General-Purpose AI Models does not apply to General Purpose AI Models with Systemic Risk.

The following is a high-level summary of when a fundamental rights impact assessment ("FRIA") might be required under the EU AI Act.

When is a FRIA required?

The EU AI Act requires a FRIA to be completed by deployers of high-risk AI Systems in the following scenarios:

• Where the relevant deployer of the high-risk AI System is a body governed by public law;
• Where the relevant deployer is a private entity providing public services; and
• Where deploying high-risk AI Systems evaluating the creditworthiness, establishing a credit score or used for risk assessment and pricing regarding life and health insurance.

A FRIA will not be required where the relevant high-risk AI System is intended to be used as a safety component in the management and operation of critical digital infrastructure, road traffic, or in the supply of water, gas, heating or electricity.

When does the FRIA need to be conducted?

The FRIA must be performed before the first use of the high-risk AI System and must be updated when the deployer considers that any of the relevant factors have changed or are not up-to-date anymore.

In similar cases, the deployer can rely on previously conducted FRIAs or existing impact assessments carried out by the provider. 

Notification requirement

Except in limited circumstances, once the FRIA has been completed, the deployer is required to notify the market surveillance authority of its results, submitting the template to be provided by the AI Office.

What is required by a FRIA?

For a FRIA, deployers are required to perform an assessment consisting of:

a. a description of the deployer’s processes in which the high-risk AI System will be used in line with its intended purpose;

b. a description of the period of time within which, and the frequency with which, each high-risk AI System is intended to be used;

c. the categories of natural persons and groups likely to be affected by its use in the specific context;

d. the specific risks of harm likely to have an impact on the categories of natural persons or groups of persons identified pursuant to point (c);

e. a description of the implementation of human oversight measures, according to the instructions for use;

f. the measures to be taken in the case of the materialisation of those risks, including the arrangements for internal governance and complaint mechanisms.

As noted above, the EU AI Act requires the AI Office to provide a template FRIA which deployers can use to complete such an assessment.

Overlap with Data Protection Impact Assessments (DPIA)

The EU AI Act provides that where any of the FRIA obligations are met by any data protection impact assessment (DPIA) carried out under the GDPR, then the FRIA should complement that DPIA.