EU Artificial Intelligence Act

Documentation Updated: 2025-03-09

Description

EU Artificial Intelligence Act

• Purpose: First comprehensive legal framework for AI systems
• Jurisdiction: European Union
• Effective Date: Expected 2025 (after transition period)
• Detection Tools:
  • Prompt Injection - Search
  • Prompt Injection - Validation
• Related Risks:
  • LLM02: Sensitive Information Disclosure
  • LLM03: Supply Chain
  • LLM06: Excessive Agency
  • LLM07: System Prompt Leakage
• Related Regulations:
  • GDPR - Data Protection, User Rights
  • NIS Directive - Cybersecurity Standards

The EU Artificial Intelligence Act is a comprehensive legislative proposal designed to ensure the safe, transparent, and accountable use of AI within the European Union. It adopts a risk-based approach to regulate AI systems, imposing stricter obligations on high-risk applications while fostering innovation in low-risk scenarios. The Act is a pivotal step in harmonizing AI regulation across Europe and protecting fundamental rights.

Scope & Applicability

The Act applies to AI system providers and users operating within the EU and extends to non-EU entities that place AI systems on the EU market.

• Covered Entities: AI developers, deployers, and users in both public and private sectors.
• Data Types: Any data processed by AI systems, with heightened scrutiny for systems processing personal or sensitive data.
• Key Exemptions: AI systems used for military purposes and low-risk applications that do not impact fundamental rights.

Key Requirements

Organizations must ensure that AI systems are developed and deployed responsibly, with comprehensive risk management and transparency:

• Establish risk management frameworks and conduct impact assessments for high-risk AI systems.
• Maintain detailed technical documentation and conformity assessments.
• Special Focus Areas:
  • High-Risk AI Requirements: Implement measures such as human oversight, rigorous testing, and clear documentation for systems affecting critical sectors.
  • Transparency Obligations: Disclose AI system capabilities, limitations, and decision-making processes.
• Additional Focus: Ensure ongoing post-market monitoring and establish incident reporting mechanisms.

Impact on LLM/AI Deployments

For LLM and AI systems, compliance with the EU AI Act means integrating risk management and transparency from design through deployment:

• Risk Management: Incorporate systematic risk assessments into AI development cycles.
• Human Oversight: Build mechanisms for human intervention in high-risk automated decisions.
• Documentation: Create detailed model cards and technical files for transparency.
• Security and Observability Considerations:
  • Robust Logging: Maintain logs of AI decision-making processes.
  • Access Controls: Restrict system access to prevent unauthorized modifications.
  • Regular Audits: Conduct periodic reviews and risk assessments.
  • Incident Reporting: Establish automated reporting for serious incidents.
  • Compliance Monitoring: Regularly update documentation and processes to align with evolving standards.

Enforcement & Penalties

The EU AI Act will be enforced by national authorities in coordination with the European Artificial Intelligence Board.

• Enforcement Body: National regulatory authorities and the European Artificial Intelligence Board.
• Fines and Penalties:
  • High-Risk Violations: Fines up to €20 million or 4% of global annual turnover.
  • Other Serious Violations: Fines up to €10 million or 2% of global annual turnover.
• Additional Enforcement Mechanisms: Mandatory conformity assessments, CE marking, and continuous post-market surveillance.
• Operational Impacts: Non-compliance can lead to product recalls, market access restrictions, and significant reputational damage.

Resources & References

• Official Regulation Text
• EU AI Act Guidelines