The EU’s AI Act: A Risk-Based Approach with Implementation Timelines and Penalties

The EU’s Artificial Intelligence (AI) Act aims to take a targeted, proportionate approach to managing the risks posed by AI systems. It categorizes AI practices and systems into several risk categories:

Prohibited AI Practices (Unacceptable Risk Level)

This includes manipulative practices violating EU rights and values, like exploiting the vulnerabilities of children. Such practices are immediately banned once the AI Act enters into force, with no grace period. Violations carry massive fines of up to €30 million or 6% of the company’s worldwide annual turnover. This is important. The fine can be a percentage of the organization's annual revenue, not a flat amount (ex; $500,000 USD).

High-Risk AI Systems

AI systems like those used in critical infrastructure and high-risk sectors like healthcare and transport must meet comprehensive requirements on data quality, documentation, transparency, human oversight, and robustness. These systems can still be used if rigorous rules are followed.

Providers of high-risk systems have 24 months after the adoption of the Act to achieve full compliance. Failure to meet requirements after that transition period faces penalties of up to €20 million or 4% of annual worldwide turnover.

Transparency Obligations

AI systems interacting with humans or generating deep fakes must ensure people are notified they are dealing with an AI. Such transparency rules also take effect 24 months after the Act’s adoption, with up to €20 million or 4% annual turnover fines for violating obligations.

Lower-Risk AI Systems

Providers of non-high-risk AI are encouraged to voluntarily apply codes of conduct helping ensure trustworthy practices like reducing bias risks. No specific timeline or penalties apply.

In summary, the Act prohibits unacceptable AI activities immediately, while allowing the continued development of high-risk and transparent AI under strict controls with two years for providers to implement governance and technical measures before significant fines may apply for non-compliance.

If you have not begun evaluating the scope of AI development or use in your environment, begun assessing impact and risk, and considered appropriate risk treatment, you're already running out of time. Please don't take lightly your obligations under this new legislation.

As always, if you have questions, comments, or feedback, please don't ever hesitate to reach out...I'm always available to assist any way I can.