AI Act: Agreement reached on the first supranational regulatory framework on Artificial Intelligence

December 2023
By Luca Carabetta

After more than two years of work, and following intense negotiations in recent weeks, a final political agreement has been reached on the AI Act, the world’s first supranational regulatory framework concerning artificial intelligence.

Getting the act approved was far from a given, both because of the numerous delays and setbacks resulting from the continuous evolution of technology (an initial agreement had already been found in May 2023 that included the novelties of generative AI), and because of the recent stance taken by France, Germany and Italy against stricter European regulation and in favour of self-regulation by market players.

These three countries specifically raised concerns about the risk of over-regulation for developers of so-called foundation models, advanced AI models like GPT-4, and the stringent punitive measures.

However, these objections were addressed within a 72-hour negotiation window involving the European Parliament, European Commission, and representatives of Member States.

Regarding AI models, a decision was made to establish two tiers. First-tier models are labelled as “high-impact” which encompass advanced models (currently distinguished by computing power, similar to President Biden’s recent executive order). Prior validation and impact assessment will be necessary for these models to access the European market. For second-tier models, which aren’t as high-impact, specific transparency obligations will be required for access to the European market.

An important agreement was also found concerning remote biometric control: a compromise was reached to allow its usage by law enforcement solely in specific situations, like imminent terrorist threats, searching for victims, or investigating serious crimes. Practices such as manipulation, emotion recognition in sensitive areas like schools or workplaces, social scoring, and any practices extracting private and sensitive information from European citizens remain prohibited.

The envisioned sanctions are substantial, ranging from €7.5 to €35 million or from 1.5% to 7% of turnover.

The Act is set to be officially approved in the coming months. Six months after implementation, it will already be valid for prohibited systems, while for other categories, it will take effect after two years. DG Connect will be responsible for the AI Pact from now on, a mechanism allowing companies to voluntarily comply before its effective enforcement. There’s also consideration for the possibility of establishing regulatory sandboxes for startups and SMEs in the experimental phase.

Importantly, the AI Act can be updated using alternative methods to standard legislative procedures, ensuring it keeps pace with the swiftly evolving technological and geopolitical landscape. It will also be crucial to assess the impact of the measure in the productive world, with particular reference to start-ups.

The measures seems to be in line with the principle it was originally based on in 2020-2021: safeguarding the fundamental rights of European citizens amidst such a disruptive technological revolution with the concept of risk being put at the centre.

In conclusion, Europe has undeniably achieved a historic milestone despite facing significant challenges. While this regulation can protect European citizens, it might also create regulatory discrepancies. Therefore, it is necessary to strive towards a global framework for the sector involving other pivotal players in this revolution, such as the United States and China.