European Union – A proposal for the Regulation of AI offers the first structured approach to regulating AI systems

Nigel Parker

On 21 April 2021, the European Commission published its Proposal for a Regulation on a European approach for Artificial Intelligence (the draft AI Regulation). The press release can be found here. The proposal differs substantially from the draft version that was leaked last week.

Risk-based approach

The draft AI Regulation follows a risk-based approach, differentiating between uses of artificial intelligence (AI) that create (i) an unacceptable risk, (ii) a high risk, and (iii) low or minimal risk.  The European Commission has published a video and various materials that provide more detail on the draft AI Regulation, how risk has been categorised and explaining the EU approach and strategy towards AI.

AI systems

AI systems are defined as software that is developed with one or more of specific techniques and approaches (such as machine learning, knowledge representation, inductive (logic) programming, inference and deductive engines, search and optimization methods, etc.) and can, for a given set of human-defined objectives, generate outputs such as content, predictions, recommendations, or decisions influencing the environments they interact with.


The draft AI Regulation will apply to placing on the market, putting into service and the use of AI systems in the EU. This will include providers of AI systems in the EU, irrespective of where they are established, users of AI systems located within the EU and providers and users of AI systems that are located in a third country, where the output produced by the system is used in the EU.

Providers are natural or legal persons, public authorities, agencies or other bodies that develop (or have developed) an AI system with a view to placing it on the market or putting it into service under their own name or trade mark, whether for payment or free of charge. Users are defined as any natural or legal person, public authority, agency or other body using an AI system under its authority, except where the AI system is used in the course of a personal non-professional activity.

The draft AI Regulation also defines other key participants across the AI value chain and includes detailed obligations for each of these categories of entities. In addition to providers and users, this includes distributors, importers and certain product manufacturers.

Some AI systems are explicitly excluded from the scope, for instance, AI developed or used exclusively for military purposes.  AI systems posing a minimal risk, such as AI-enabled video games or spam filters, are not covered by the draft AI Regulation. The European Commission highlights that the vast majority of AI systems would fall into this excluded category.

Key requirements

The draft AI Regulation further sets out:

  • prohibition of certain AI practices considered a clear threat to the safety, livelihoods and fundamental rights of individuals (e.g. AI systems that use subliminal techniques to exploit individuals or manipulate their behaviour in a manner that causes physical or psychological harm, or the use of ‘real time’ remote biometric identification in publicly accessible spaces);
  • specific requirements for high-risk AI systems and obligations for operators of such systems (e.g. all remote biometric identification systems (if not prohibited) and systems used in critical infrastructure that could put the life and health of individuals at risk, safety components of products and employment); and
  • harmonised transparency rules for certain AI systems that take into account specific risks of manipulation they pose (e.g. chatbots).

The draft AI Regulation includes specific provisions to support innovation, including regulatory sandboxes and measures supporting small-scale users and start-ups.

Supervision and enforcement

The European Commission will establish a system for registering stand-alone high-risk AI applications in a public EU-wide database. AI providers will be required to carry out a conformity assessment of those systems and provide meaningful information about them.

AI providers will be obliged to inform national competent authorities about serious incidents or malfunctioning that constitute a breach of fundamental rights obligations as soon as they become aware of them, as well as any recalls or withdrawals of AI systems from the market.

The draft AI Regulation proposes the creation of a European Artificial Intelligence Board with various tasks, which include facilitating the consistent application of the regulation, issuing opinions and recommendations and sharing best practices among Member States.  Once adopted, it is proposed that Member States will be responsible for enforcement of the regulation, with administrative fines for non-compliance up to EUR 30m or 6% of an organisation’s total annual worldwide turnover, whichever is higher.

Next steps

The draft AI Regulation will now be considered by the Council of the EU and the European Parliament. Given the controversial nature of AI and the large number of stakeholders and interests involved (the public consultation on the European Commission’s White Paper on Artificial Intelligence in 2020 generated over 1,250 responses), it is likely that there will be prolonged discussions and many amendments to the draft AI Regulation before it is finally adopted.

This article was co-authored by .