One Step Closer: AI Act Approved by Council of the EU

On 21 May 2024, the Council of the European Union approved the EU Artificial Intelligence Act (the “AI Act”). This is the final stage in the legislative process and comes after the EU Parliament voted to adopt the legislation on 13 March 2024. This final vote clears the path for the formal signing of the legislation and its publication in the Official Journal of the EU in the coming weeks. The AI Act will then enter into force 20 days after such publication with staggered transition periods of 6 to 36 months.

This flagship legislation – the world’s first standalone law governing the use of AI – assumes a risk-based approach; i.e., the higher the risk of harm to society an AI use case poses, the more onerous the rules that are triggered. The AI Act applies to all sectors and industries, imposing new obligations on product manufacturers, providers, deployers (i.e., users), distributors and importers of AI systems. These obligations relate to, for example, conformity assessments, data quality, technical documentation and standards, record retention, transparency and human oversight. The AI Act also applies extra-territorially; e.g., to providers based outside the EU who place an AI system on the EU market and to providers and deployers based outside the EU where the AI system output is intended for use in the EU.

Importantly, the EU is aiming for the AI Act to have the same ‘Brussels effect’ as the GDPR — in other words, to have a significant impact on global markets and practices and to serve as a potential blueprint for other jurisdictions looking to implement AI legislation. Click here to visit Sidley’s AI Monitor.

Given the particular impact of the obligations of the AI Act and the structural changes this may have on AI systems and other products, organisations are taking action to consider and implement the requirements of the AI Act well before the end of the transition period. Additionally, it is important to remember that European authorities and courts are already starting to regulate AI on the basis of adjacent legal frameworks that apply today, such as the GDPR.

From a practical perspective, businesses should consider doing the following:

  • Assess whether the business is using AI and whether such AI systems are considered high- or limited-risk.
  • Determine if and how the AI Act requirements for such high- or limited-risk systems can be met.
  • Review other AI regulations and industry or technical standards, such as the NIST AI standard, to determine how these standards can be applied to the business.
  • Develop an AI governance program, which accounts for both the AI Act and other developing AI regulations and standards in other jurisdictions.

Read more: Top 10 questions about the AI Act.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.