The AI regulation will soon come into effect

20 May 2024

The EU's upcoming regulation on AI is expected to come into effect before the summer. Another step was taken on March 13, 2024, when the European Parliament adopted what will become the AI regulation. The AI regulation takes a risk-based approach, meaning that AI systems will be categorized and regulated differently depending on the level of risk they pose. Some AI systems will be completely banned, while others will be subject to higher or lower requirements. Although the regulation has not yet been finalized, here are the key components of the expected framework.

AI systems deemed to pose an unacceptable risk to citizens will be prohibited. This includes a ban on the use of facial recognition in public spaces (with certain exceptions for law enforcement), systems designed to manipulate or deceive human behavior or emotions, and social scoring.

AI systems classified as high-risk will need to meet stringent requirements before being placed on the market. Examples of high-risk AI include systems used in critical sectors such as employment and education, critical infrastructure, credit assessment, and biometric identification and categorization of individuals. AI systems in these sectors must undergo thorough review and certification to ensure they are safe and do not violate fundamental rights. Requirements include the use of a risk management system, technical documentation, human oversight, and transparency and information obligations.

In light of the recent rapid development of generative AI and "foundation models," such as those used by ChatGPT and others, specific rules for them have been introduced in the AI regulation. These rules will cover foundation models trained on extensive datasets that can perform a wide range of tasks. These models will be subject to different levels of obligations depending on the degree to which they are considered to pose risks to society.

For AI systems with a lower risk level (e.g., virtual assistants, chatbots, and so-called deepfakes), transparency requirements will apply. This means that users must be informed when and to what extent they are interacting with AI and encountering AI-generated content.

The AI regulation will place the greatest responsibility on AI system providers (developers and those bringing the systems to the EU market). Organizations using AI systems will also bear responsibility for their use, such as maintaining human oversight and preserving logs of AI system activity. Entities that brand an AI system, make significant changes to it, or alter its use may be held accountable in the same way as providers of high-risk AI.

Sanctions for violations of the AI regulation will follow a similar model to GDPR and can amount to a maximum of €35 million or 7% of the global annual turnover of the company (whichever is higher).

Although the AI regulation is expected to come into effect this summer, it is currently planned to be implemented in phases from late autumn 2024 to spring 2027. The rules for high-risk AI will specifically begin to apply in spring 2026, but it is prudent to start preparing and examining how the regulation will affect one’s own organization.

The Data Act also facilitates easier transitions between different cloud service providers and requires that users be able to switch from, for example, a cloud solution to an on-premises solution (i.e., local data storage). Additionally, security measures will be introduced to prevent illegal transfers of data to countries outside the EU/EEA.

Another important aspect of the Data Act is that public bodies, the European Commission, the European Central Bank, and EU agencies are given the ability to access and use data held by the private sector, provided it is necessary due to exceptional circumstances. Examples of such circumstances include fulfilling a public interest mandate or responding to societal crises such as floods or wildfires.

The Data Act will be applicable from September 12, 2025. It marks a significant change in the management of data and cloud services. Therefore, it is crucial for cloud service providers, manufacturers of connected products and services, and companies looking to capitalize on the opportunities presented by the Data Act to start planning ahead to understand how it will affect their operations.

Source: Data Act | Shaping Europe’s digital future (europa.eu)
