EU AI Act: Navigating Stakeholder Roles & Compliance

August 1, 2024, marked a pivotal moment in global technology governance with the formalization of Regulation (EU) 2024/1689, widely known as the Artificial Intelligence Act (AI Act).¹ This landmark legislation establishes a harmonized legal framework across the European Union, aiming to foster innovation while ensuring AI systems are safe, transparent, and respectful of fundamental rights.² Unlike prior sector-specific regulations, the AI Act adopts a horizontal, risk-based approach, creating a sophisticated taxonomy that dictates specific legal obligations for a diverse array of stakeholders across the entire AI value chain.⁵

The Act's architecture is predicated on the principle that regulatory intervention should be proportional to an AI system's potential harm to individuals and society.⁵ This approach creates a complex web of responsibilities, extending from primary developers and manufacturers to importers, distributors, and professional entities deploying the technology.¹ Understanding these roles is not merely a legal necessity but a strategic imperative for any organization interacting with the European market, given the significant liability shifts and administrative requirements introduced.⁴

The Taxonomy of Risk: Determining Regulatory Obligations

The classification of an AI system fundamentally drives stakeholder obligations under the AI Act.⁴ The regulation establishes four primary tiers of risk, each triggering distinct oversight levels and compliance tasks for involved parties.² This tiered structure ensures that the regulatory burden aligns with the potential for harm.

Sponsored

International Legal Academy

Advance your career in legal education. Join the International Legal Academy — UK Register of Learning Providers.

Learn More →

Unacceptable and High-Risk Systems

Systems posing an unacceptable risk are prohibited, mandating immediate market withdrawal and cessation of use within six months. Examples include social scoring and real-time biometric identification in public spaces (with narrow exceptions).²

High-risk systems, however, are strictly regulated. These require ex-ante conformity assessments, robust quality and risk management systems, comprehensive technical documentation, and registration in an EU database.² The determination of a system as high-risk is critical, typically falling into two categories: AI intended for use as a safety component in products already covered by Union harmonization legislation (Article 6(1)), or standalone AI used in specific high-impact areas listed in Annex III (Article 6(2)).² These areas include biometrics, critical infrastructure, education, employment, and access to essential services.¹¹

Limited and Minimal/No Risk Systems

Limited risk systems primarily focus on transparency. Obligations include informing natural persons that they are interacting with an AI system or viewing AI-generated content, as seen with chatbots or deepfakes.²

Minimal/no risk systems face no mandatory legal requirements, though voluntary codes of conduct are encouraged. Examples include spam filters and basic inventory management software.² This tiered approach allows for targeted regulation while promoting innovation in less critical applications.

Sponsored

International Legal Academy

Advance your career in legal education. Join the International Legal Academy — UK Register of Learning Providers.

Learn More →

Core Stakeholders: Definitions and Jurisdictional Reach

The AI Act broadly defines