What’s the deal with the AI Act?

Meet The Authors

Emeline Banzuzi

Privacy & Data Governance Counsel

Emeline Banzuzi serves as a legal counsel and researcher specializing in the dynamic field of law, technology and society, with expertise in data protection consulting, risk management, compliance within FinTech, and academic research.

Joel Himanen

Data Scientist

Joel Himanen is a versatile data scientist with a strong emphasis on advanced analytics, machine learning, and artificial intelligence, having prior experience in data-driven sustainability projects in both the private and public sectors.

In the early hours of December 9th, the European Union Parliament and Council finally came out with a provisional agreement on the contents of the Artificial Intelligence Act (AIA). In this blog post, we will summarize the main contents of the AIA and discuss its possible implications and open questions using the development and deployment of Large Language Models (LLM) as an example. 

The short version

The EU’s Artificial Intelligence Act aims to govern the development and deployment of AI systems in the EU, while ensuring that these systems are safe and respect the health, safety and fundamental rights and freedoms of EU citizens. The provisional agreement states that the Act will apply two years after its entry into force (i.e. following its publication in the Official Journal of the EU), shortened to six months for the bans it contains. The Act most notably impacts AI system deployers, who are regulated according to the risk category of their use case. On the side of generative AI, foundational model developers are facing significant requirements for transparency, safeguards, and testing. 

Digging a little deeper

The first draft of the Act was published in April 2021, and its final version is currently undergoing the EU legislative procedure. After the latest agreement, the Act still needs to be confirmed by both the Parliament and the Council, as well as undergo legal-linguistic revisions, before formal adoption. 

The Act defines an “AI system” as a machine-based system that, with varying levels of autonomy and for explicit or implicit objectives, generates outputs such as predictions, recommendations, or decisions that can influence physical or virtual environments. The regulation applies to providers, deployers, and distributors of AI systems as well as “affected persons”, meaning individuals or groups of persons who are subject to or otherwise affected by an AI system.

The AIA establishes varying obligations for developers and deployers of AI systems, depending on which risk classification the system in question may fall in. The Act presents four risk categories, namely: 

 

  • Unacceptable risk: AI systems that are a clear threat to the safety, livelihoods, and rights of individuals (e.g. systems used for social scoring and systems that exploit vulnerable groups such as children). The use of these systems is prohibited. 
  • High risk: AI systems that pose significant harm to the health, safety, or fundamental rights of individuals. Examples of high-risk AI systems include those used for the management of critical infrastructure, education, employment, law enforcement, and border control. High-risk systems will be subject to strict obligations before they can be placed on the market: providers and deployers of these systems must, for instance, develop a risk management process for risk identification and mitigation; apply appropriate data governance & management practices to training, validation, and testing data sets; enable human oversight; ensure technical robustness and cybersecurity; as well as draw up documentation that demonstrates AIA compliance. (For a complete list of obligations, see Arts. 9-17 AIA).
  • Limited risk: Examples of limited-risk AI systems include systems intended to interact with individuals, e.g. chatbots and deep fakes. The compliance obligations for limited-risk AI focus on transparency: users of these systems must be clearly informed that they are interacting with an AI system. 
  • Minimal risk: Examples of minimal risk AI include spam filters, AI-enabled video games, and inventory management systems. The AIA allows for the free use of minimal risk AI.  

The risk categories have fluctuated throughout the drafting stages of the AIA.

Implications for model developers and deployers

 AI model and application developers are, of course, quite anxious about the Act, because it has the potential of monumentally impacting the development and usage processes. As the AIA proposal phase is being finalized, it is important to consider possible scenarios and think about the impact the Act would have on different groups in the AI field. 

Let’s consider the hottest AI topic of 2023: Large Language Models (LLM). One way to view the LLM lifespan is to divide it into three phases (upstream to downstream): foundation model (FM) development, fine tuning, and deployment. What possible implications would the AI Act have on these phases? 

Foundation model developers are the ones doing the “heavy lifting”. They develop the model architecture, scrape together and process the enormous data masses required to pre-train the model, and execute the actual pre-training, during which the model learns most of its capabilities. These are organizations backed by significant resources, since gathering the data and especially the compute-intensive pre-training are expensive activities. Having the most impact on the model itself, an FM developer will, according to the current proposal, be regulated relative to the cumulative amount of compute used for model training. For example, an FM classified as “high-impact” (more than 10^25 floating point operations during training) would also have stricter transparency requirements concerning, for instance, disclosing copyrighted training material. This is a huge requirement: the amount of data required for pre-training is so massive that its collection process is highly automated, and thus there is only minimal control over the substance itself. An interesting detail is that according to the latest agreement, open-source models will be subject to lighter regulation.

Fine tuners have a smaller, yet significant impact on the model. They take a pre-trained FM and continue training it on a smaller, more specialized dataset. In a way, they perform the same manipulations on the model as the FM developer, just on a smaller scale. The interesting question follows: how will the AIA discern between them? Will fine tuners be subject to the same transparency requirements, relative to computational impact, as FM developers? In any case, fine tuners will have it easier in the sense that they have far more control over the content of their datasets.

Model deployers (considering them separate from fine tuners) do not affect the LLM itself. Rather, they decide on the final use case (although the fine tuner might already have trained the model for that case), and control how the model can be used. This means that they will most likely be subject to the bulk of the AIA’s risk-category-based regulation. Deployers also build the software around the FM, affecting how the model can be used, how its inputs and outputs are processed, and how much control the end user is able to exercise over it. Consequently, more “classical” questions of software and information security might well become a critical part of AIA compliance.

What next?

For now, we must wait for the finalized texts to come out to grasp the details of the Act. Meanwhile, every organization dealing with AI systems will have to ponder the implications of what we know now. Deployers will already have to start giving serious thought to risk categorization and the requirements that follow from it. FM developers brace themselves for the additional work that comes with curating masses of training data, while weighing open vs. closed-source development in a new light.

Trustworthy data for responsibility and sustainability

Meet The Author

Marko Turpeinen

CEO

Dr. Marko Turpeinen is a visionary leader with 25+ years of experience in digital transformation and innovation, having worked at prestigious institutions like MIT Media Lab and EIT Digital, and initiating the global MyData movement at Aalto University.

Data and AI play a crucial role in proving that companies act responsibly and meet their environmental, social and governance (ESG) targets.

The current reality is that ESG data practices are inefficient and inaccurate. ESG data comes from a myriad of sources and is of variable quality. Availability of data is spotty, especially when the scope of data collection and analysis extends beyond a company’s own borders to its supply chain and partners. There is plenty of manual work involved, and every company does the work by itself. This results in vast amounts of duplicate work.

Collaborative Data Sharing in the Era of CSRD

The European Union’s Corporate Sustainability Reporting Directive (CSRD) came into effect in January this year. It modernises and strengthens the rules concerning the ESG information that companies are required to report. Large stock-listed companies are expected to begin reporting in 2025 based on their 2024 data, and other companies will follow suit when CSRD is gradually rolled out. Companies subject to the CSRD will have to report according to European Sustainability Reporting Standards (ESRS), provide the reporting in a standardised digital format, and include their business networks (e.g. supply chains) in their environmental impacts.

A very large number of companies will be affected by growing regulatory demands regarding ESG reporting. What if companies could collaborate more efficiently to meet these needs? Instead of every company collecting the data for itself, there would be clear benefits in forming data sharing practices to make sustainability data available for all parties in the ecosystem. This would help to minimize duplicate work for ecosystem participants, and provide better transparency of the whole value chain for all. In a data ecosystem, sustainability improvements can be driven – and even co-funded – by the whole value chain together.

The Rulebook Approach for Mitigating Risks and Ensuring Fair Data Use in Ecosystems

Despite its clear benefits, data sharing also brings forth several thorny issues regarding business risks, data hygiene, disclosure of trade secrets, corporate security policies, and fair data use. How can a company show that its data and methods can be trusted? How can the ecosystem participants trust each other not to misuse the data? Do the others get an unfair advantage from my data?

Trust-building, fair data use and minimization of risks amongst the ecosystem participants can be tackled by a rulebook approach. Sitra’s fair data economy rulebook model is one leading example of this approach, taking a holistic view of the governance of data ecosystems. It helps organizations to form new data sharing networks and implement policies and rules for them.

 The rulebook approach also helps data providers and data users to assess any requirements imposed by applicable legislation and contracts appropriately in addition to guiding them in adopting practices that promote the use of data and management of risks. With the aid of the rulebook approach, parties can establish a data network based on mutual trust that shares a common mission, vision, and values. This fosters trust and responsible use of data.

The Imperative of Responsibility and Sustainability in the Industrial Landscape

Responsibility and sustainability have risen as key drivers for creating functioning data ecosystems. This is demonstrated in lighthouse data sharing initiatives, such as Catena-X for the automotive industry. The aim of Catena-X is to grow into a network of more than 200,000 data sharing organizations. Catena-X has picked harmonized and accurate ESG reporting as the most urgent business challenge to be resolved in the ecosystem.

We are headed towards a future where data sharing and collaboration are expected on a massive scale, potentially influencing everyone who has a stake in the industrial ecosystem. As the importance and impact of these initiatives spread and grow, a holistic ESG data governance approach is business-critical for building trust in data ecosystems.
