Who has to comply with the AI Act?
Artificial Intelligence is no longer a futuristic concept; it’s here and shaping our world in real-time. Thus, with this rapid growth comes the need for regulation.
With this blog, enter into the world of the AI Act – the EU’s ambitious legal framework designed to ensure AI development remains ethical, transparent, and safe. We previously talked about the importance of the AI Act, and why understanding it can only be beneficial for your business. But the real question is – who exactly is impacted by this sweeping legislation?
From AI developers and tech giants to businesses using AI-powered tools, this overview explores who must comply with the AI Act and emphasizes why staying ahead of these new regulatory requirements is crucial for your business.
Are you in the compliance zone?
To be able to understand whether you should pay attention to the AI Act, the first thing you need to make sure is whether your business is the one that falls within the scope of the AI Act.
Article 2 of the AI Act pays special attention to defining the list of entities to which the provisions apply, which are:
- Providers
- Deployers
- Importers
- Distributors
- Product manufacturers
- Affected persons that are located in the Union (EU).
Who are Providers under the EU AI Act?
Providers are the most strictly regulated under the AI Act, with the wide range of defining who is considered as provider following the regulation. It includes natural as well as legal entity, public authority, agency, or other body. To qualify, providers must have either developed an AI system or general-purpose AI model themselves, or had one developed on their behalf.
Additionally, they must have either:
- placed the AI system on the market or
- put it into service.
The most important fact to highlight is that the AI Act will be applicable to the providers not only when the AI system or AI models is developed, placed or put into the service at the territory of the EU (European Union).
Providers may also fall under the scope of the Act if they are based in a third country, but their AI system’s outputs are used within the EU. Lastly, the AI system or model must be released under the provider’s name or trademark. The majority of obligations under the AI Act apply to providers of high-risk AI systems.
Who are Deployers under the the EU AI Act?
Another subject that falls into the scope of the AI Act are deployers. On the one side, we have the ones who are either developing, placing or putting the AI systems on the market (providers), and logically, there should be other side – the ones that are using the AI systems. Deployers are natural or legal entities (as well as public authority, agency, or other bodies) that are using the AI system under its authority, for professional activities. That implies that AI Act is not applicable when deployers are natural persons, who are using the AI system for personal non-professional purpose.
The same territorial approach is used as previously described – deployers can be either established or based in the EU, or in third countries. However, even if they are located in the third countries, they are still in the scope if outputs produced by the AI systems are used in the EU. Notably, in a business-to-consumer setting, individuals as end users of AI systems are not considered as deployers under the AI Act. Additionally, if deployers operate under someone else’s authority (similar to processors under the GDPR), they would not be classified as deployers, in the context of the regulation.
Who are Importers under the the EU AI Act?
After analysing what is meant by providers and deployers, in the terms of the AI Act you may have already identified yourself in one of the appropriate categories. However, there is also a special category to which the AI Act applies that is neither a provider nor a deployer. You’re probably wondering, who are they, and why are they important?
Importers as the ones who cannot be categorized as providers nor deployers, but they are:
- entities established or located in the EU, which are
- placing the AI system on the EU market, that bear the name or trademark of individuals or entities, based in third countries.
In the terms of importing the AI systems from third-countries, importers are the first ones to make those AI systems available in the EU.
Who are Distributors under the the EU AI Act?
These individuals, or legal entities, are key players in the AI supply chain, distinct from providers and importers, who take on the responsibility of making AI systems available in the EU after they have already been imported and placed on the market. Their role typically involves distributing, marketing, or further handling the AI systems, ensuring they reach end users or other businesses.
These actors might include distributors, or resellers, who facilitate the adoption of AI systems across different sectors. While they are not involved in the initial development or direct import of the technology, they play a crucial role in the supply chain by ensuring the continued availability and compliance of AI systems within the EU market.
Who are Product Manufacturers under the the EU AI Act?
Product manufacturers integrate AI systems into their own products and introduce them to the market, or put them into service. By embedding AI technology within their offerings, these manufacturers ensure that the AI system functions as part of a broader product solution.
This means that when the final product (for instance, a device) is sold or activated, the AI system operates seamlessly alongside other features. In essence, these manufacturers are responsible for making AI-powered products available to consumers or businesses, while also ensuring that the combined system complies with relevant regulations and meets safety standards. This process not only enhances the functionality of their products but also allows AI systems to reach a wider market through integrated applications.
Who are Authorized Representatives under the the EU AI Act?
In essence, authorized representatives serve as the bridge between non-EU providers (providers located outside of the EU) and EU regulators, ensuring that AI systems entering the EU market meet the necessary legal and safety standards. Their primary role is to ensure compliance with the AI Act’s requirements within the EU market.
Authorized representatives are natural or legal entities located or established in the EU, who received and accepted the written mandate from a provider, to perform and carry out on the behalf of the provider the obligations determined by the AI Act.
Affected persons that are located in the EU
In addition to the abovementioned entities, the AI Act applies to affected persons as well. Even though the definition of affected persons is not the part of the final AI Act, it is understandable that the regulation paid attention to the ones whose rights could be affected.
With that in mind, affected persons should be understood as individuals, natural persons, located in the EU, who may be impacted by or subject to AI systems.
Exemptions from the rules
Like any regulatory framework, the AI Act includes certain exemptions. Traditional software that does not meet the cumulative criteria outlined in the definition of an AI system falls outside its scope. To ensure clarity and compliance, the AI system defined following the AI Act is:
- machine-based system
- designed to operate with varying levels of autonomy
- that may exhibit adaptiveness after deployment
- that based on the explicit or implicit inputs, can generate outputs such as predictions, content, recommendations, or decisions
- which can influence physical or virtual environments.
If the software does not cumulatively meet these conditions, it is not subject to the AI Act. Additionally, the AI Act:
- Exempts certain types of AI software: Free and open-source AI software is generally exempted to foster innovation and collaboration, provided it meets specific conditions and exclusions. However, this exemption does not extend to AI systems classified as high-risk, prohibited under Article 5, or subject to specific transparency requirements outlined in Article 50.
- Specifies sector-based exclusions: The AI Act recognizes that some sectors require different regulatory approaches. For instance, AI systems used exclusively for scientific research and development are not covered by the AI Act, thereby allowing the academic and scientific communities to advance AI technology more freely. Similarly, the Act does not apply to AI systems developed or used for military, defence, or national security purposes.
- Excludes personal use: As mentioned before, in the term of deployers, individuals using AI systems solely for personal, non-professional activities are not subject to the Act.
Staying ahead of the curve – Navigating the AI Act Compliance
Understanding who must comply with the AI Act is crucial for businesses and entities involved in the AI ecosystem. Whether you’re a provider developing AI systems, a deployer using the AI system, an importer introducing foreign AI technologies to the EU market, or an entity involved in the AI supply chain, it’s essential to be aware of your obligations under this regulation. The AI Act aims to create a balanced regulatory framework that promotes innovation while ensuring safety, transparency, and accountability.
For non-EU entities, having an authorized representative in the EU can facilitate compliance and streamline interactions with regulatory authorities. Meanwhile, sectors like scientific research and military applications, as well as personal use cases, are exempt from certain provisions, reflecting the Act’s nuanced approach to regulation.
As AI continues to evolve and integrate into various aspects of our lives and businesses, staying informed about these regulatory requirements will help you navigate the complexities of the AI Act effectively. Playing by the rules is always a smart and safe choice to make, especially when we are talking about the ubiquitous AI. Ensuring compliance not only mitigates legal risks but also positions your organization as a responsible and forward-thinking player in the AI landscape.