European Parliament Adopts Artificial Intelligence Legislation
On March 13, the EU Parliament adopted the EU’s Artificial Intelligence ("AI") Act. The AI Act is the EU’s first comprehensive legislation setting rules regulating artificial intelligence on an EU-wide basis. It will impose new and significant obligations on those developers, distributors and users of AI systems that affect people in the EU.
In an analysis of the Act, Norton Rose Fulbright attorneys described key provisions. The Act prohibits some types of AI, such as emotion recognition systems in the workplace and in education or inappropriate use of social scoring. For types of AI deemed to be "high-risk", it imposes a wide range of obligations on providers (i.e. those developing the systems), including risk assessments, governance and maintaining documentation, public registration and conformity assessments and declarations.
Users of these systems, referred to as "deployers," need to comply with more limited obligations including the implementation of technical and organizational measures to ensure the provider’s restrictions on use are followed and to provide appropriate and competent human oversight. Providers of "general purpose AI", such as large language models, will need to meet requirements designed to allow providers and deployers incorporating them into AI systems to better understand their capabilities and limitations. Providers of "general purpose AI" must also address other inherent issues such as potential infringements caused by training. (This can be addressed through putting in place a policy to respect EU copyright law and a summary of the content used to train the model). There are also various transparency obligations that require individuals to be informed they are interacting with AI systems or AI generated content.
The AI Act should appear on the EU’s statute books sometime in May, once final procedural steps have concluded. Most provisions are likely to apply from mid-2026, but some provisions, notably the prohibitions with the stiffest penalties, have a shorter transition period and will apply as soon as the end of this year.
Commentary
What should you do to prepare to comply with the EU's AI Act?
- Create an AI inventory
- Identify prohibited practices and high risk AI
- Establish your governance process
On building governance, here are some top tips for your toolkit:
- Start small but understand what best practice looks like for all stakeholders involve
- Establish where key stakeholders will fit in and what information they need—business units, IT development teams, data office, procurement, legal, HR.
- Create a library of legal risks with playbooks to allow some evaluation by non-experts.
For more information, see the Norton Rose Fulbright webinar and blog post.