EU AI Act

What is the EU AI Act?

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive legal framework for Artificial Intelligence. It adopts a risk-based approach, scaling compliance obligations based on the potential harm an AI system can cause.

Risk Levels

For a CTO, the primary task is classification, as this determines the engineering roadmap, budget, and legal liability.

  1. Unacceptable Risk (Prohibited): Systems that pose a clear threat to safety or fundamental rights (e.g., social scoring, cognitive manipulation, predictive policing).
  2. High Risk (Heavily Regulated): Systems used in critical infrastructure, education, employment, or law enforcement. Requires strict data governance, technical documentation, human oversight, and robustness.
  3. Limited Risk (Transparency Obligations): Systems like chatbots or deepfakes. Users must be informed they are interacting with an AI, and content must be clearly labelled.
  4. Minimal or No Risk: Most current AI applications (e.g., spam filters, video games). No formal filing is required.

Why it matters to a CTO

  • Legal Liability: Non-compliance can lead to massive fines—up to €35M or 7% of global annual turnover.
  • Product Roadmap: Product features must be audited to ensure they don't cross "unacceptable" red lines.
  • Governance: High-risk systems require a formal Quality Management System (QMS) and continuous risk management throughout the lifecycle.
  • Brussels Effect: Even if your company is not based in the EU, if you provide AI systems to the EU market, you must comply.

Key Deadlines

  • February 2025: Prohibitions on "Unacceptable Risk" systems take effect.
  • August 2025: Rules for General-Purpose AI (GPAI) models (like LLMs) take effect.
  • August 2026: Full enforcement for most High-Risk systems.
  • August 2027: Enforcement for High-Risk systems embedded in regulated products (e.g., medical devices).
