The AI act is about to be adopted. A set of new rules will apply to AI systems thanks to this EU regulation. Let’s discover 10 provisions that not many people may have noticed!

AI generated edited illustration of an android with a tablet and European stars in the background, text: 10 hidden gems in the AI act

1) Machine-brain interfaces and virtual reality may facilitate manipulation

In a recital, machine-brain interfaces and virtual reality are cited in the manipulation techniques topic as an example of technologies that can facilitate AI-enabled manipulation. « They allow for a higher degree of control of what stimuli are presented to persons, insofar as they may be materially distorting their behaviour in a significantly harmful manner », the AI act is saying.

2) Lists of data sources of GPAI have to be published

As a transparency measure, providers of general purpose AI models have to « make publicly available a sufficiently detailed summary of the content used for training the general purpose model ». This obligation applies for data used in the pre-training and training of such models and should also include information on the text and data protected by copyright laws.

3) AI should be accessible-by-design for persons with disabilities

A recital is citing the United Nations Convention on the Rights of Persons with Disabilities and state that all technologies should be accessible, including AI systems. Therefore, « Providers should ensure compliance with these requirements by design. » Another recital includes accessibility requirements for information and notifications on the transparency requirement of AI system that directly interact with people.

4) Authorities protecting fundamental rights have powers

The AI act establish two types of national competent authorities: « notifying authorities » and « market surveillance authorities ». Nonetheless, authorities protecting fundamental rights are also given powers under the AI act. An article is dedicated to them. For instance, it states that such authorities « shall have the power to request and access any documentation » related to high-risk AI systems.

5) The European Commission can revoke any notified body

In the article named « Challenge to the competence of notified bodies », a provision gives power to the Commission to step in at the national level and revoke any notified body. The text states that « Where the Member State fails to take the necessary corrective measures, the Commission may, by means of implementing acts, suspend, restrict or withdraw the designation. »

6) Downstream providers can lodge a complaint to the AI office

In many EU laws, complaints can be lodge to national competent authorities (and we can still do that with the AI act), but not at the EU level. The AI act gives the possibility to lodge a complaint at the EU level, to the Commission’s AI office. This right is only given to downstream providers (which are providers of an AI system which integrates an AI model, regardless of whether the model is provided by themselves and vertically integrated or provided by another entity based on contractual relations).

7) Startups will have lower fines

In case of non-compliance, the penalties for SMEs and startups will be lower. As many EU laws, fines are calculated with percentage of total worldwide annual turnover or with a fixed amount, with the rule of « whichever is higher ». For startups and SMEs, this last rule is amended with the rule of « whichever is lower ».

8) The AI act is extraterritorial

The AI act deals with extraterritoriality by saying that « this Regulation should also apply to providers and deployers of AI systems that are established in a third country, to the extent the output produced by those systems is intended to be used in the Union. »

9) AI systems could be intermediary services of the DSA

Some recitals of the AI act are dedicated to the overlap with other EU laws such as the DSA. It is mentioned that « the AI systems subject to this Regulation may be provided as intermediary services or parts thereof within the meaning of Regulation (EU) 2022/2065, which should be interpreted in a technology-neutral manner. »

10) Logs have a minimal conservation date

In terms of data protection, we often have a maximal conservation date for data, but rarely a minimal one. The AI act impose a 6 months conservation of logs of high-risk AI systems.