A Guide to Navigating the EU AI Act & Digital Services Act

The EU AI Act provides a comprehensive framework for regulating AI systems based on risk levels, and a separate regulatory regime for general-purpose AI models. It seeks to ensure AI technologies are designed and deployed in a manner that respects EU values and fundamental rights.

The DSA provides a liability framework for online intermediaries operating in the EU and sets requirements around how they manage illegal and harmful content published, and goods and services sold, via their services.

In practice, this covers a broad range of businesses that store or transmit the content of third parties, including internet service providers, providers of web-based messaging and email services, providers of cloud computing or web hosting services, social media networks, app stores, online marketplaces, and online search engines. Ultimately, it aims to create a safer digital space by protecting users and establishing accountability for digital service providers.

• Promote Ethical and Safe AI Use: Ensure AI systems operate safely and ethically.
• Ensure Transparency and Accountability: Provide clear information about AI systems and their operations.
• Protect Fundamental Rights: Safeguard individuals' rights and freedoms.

• Enhance Transparency: Ensure clear communication about digital services.
• Ensure Accountability: Hold content and service providers responsible for their actions.
• Protect User Rights: Promote a safer online environment and safeguard users' rights.

• Unacceptable Risk AI: Prohibited AI systems posing significant threats to safety or rights (e.g., social scoring systems).
• High-Risk AI: AI systems in critical areas (e.g., medical devices, transportation, credit scoring) requiring stringent oversight.
• Limited Risk AI: Moderate-risk AI systems subject to transparency obligations (for e.g., spam filters, artistic deep fakes)
  Minimal Risk AI: Low-risk AI systems are encouraged to adhere to codes of conduct.

• Removing illegal content: Promptly address illegal content. Trusted flaggers are responsible for detecting potentially illegal content and alerting online platforms. They are entities designed by the national Digital Services Coordinators.
• Reporting harmful content: Provide transparency about actions taken against harmful content.
• Transparency requirements: Disclose algorithmic decision-making processes and advertising practices.

• Unacceptable Risk AI: Banned from the EU market.
• High-Risk AI: Must undergo rigorous testing, obtain CE Marking, and meet transparency and documentation requirements.
• Limited and Minimal Risk AI: Must provide clear information to users and adhere to voluntary codes of conduct

• Adherence to Regulations: Non-EU companies must ensure their AI systems and digital services meet EU standards.
• Transparency and Documentation: Provide detailed documentation and transparency reports as required.
• Monitoring and Audits: Be prepared for monitoring and audits by the EU AI Office and relevant National Authorities

• By 6 months after entry into force: Prohibitions on unacceptable risk AI
• By 9 months after entry into force: Codes of practice for General Purpose AI (GPAI) must be finalised
• By 12 months after entry into force: GPAI rules apply, Member State competent authorities are appointed; annual Commission review and possible amendments to prohibitions introduced
• By 18 months after entry into force: Commission issues implementing acts creating a template for high-risk providers’ post-market monitoring plan
• By 24 months after entry into force: Obligations on high-risk AI systems apply. Member States to have implemented rules on penalties, including administrative fines; Member State authorities to have established at least one operational AI regulatory sandbox; Commission review and possible amendment of list of high-risk AI systems.
  • High-risk AI systems include AI systems in biometrics, critical infrastructure, education, employment, access to essential public services, law enforcement, immigration and administration of justice.

All regulated entities will need to comply by 17 February 2024.

The AI Office will develop compliance methodologies and monitor high-risk AI systems. National Authorities will enforce regulations, conduct audits, and impose penalties. Substantial fines will be imposed for non-compliance; this could be as high as 7% of a company’s global annual turnover.

The DSA includes a full set of investigative and sanctioning measures that can be taken by national authorities and the European Commission. The commission can apply fines, periodic penalties, and request temporary suspension of services.
Substantial fines will be imposed for non-compliance; this could be as high as 6% of a company’s global annual turnover.

Both the EU Act and DSA have extraterritorial reach, meaning they apply to any company offering services or products to EU citizens, regardless of where the company is based.

• Be comprehensive in identifying all AI systems in use and map their respective risk levels accordingly.
• Ensure that each AI system used in the organisation has been evaluated to identify its intended use and potential risks.
• Maintain comprehensive technical documentation for high-risk AI systems.
• Implement organisational processes and system controls to ensure human oversight and transparency.

• Review and align internal policies on illegal content online and the protection of users’ fundamental rights online, including the freedom of speech.
• Prioritise transparency and ensure that there is clear communication internally about content moderation and algorithmic decisions.
• Establish relevant user support systems to provide mechanisms for users to appeal and seek redress for content-related decisions.