The European Artificial Intelligence Act: Penalties and Timelines

By Sade Sobande

This is the third in our series of regulatory updates on the EU Artificial Intelligence Act (AIA). Since more than one month has passed since the law’s approval, we are providing this article ahead of the AIA’s publication in the Official Journal of European Union (OJEU).

Background

On May 21 2024, the EU AIA was approved and given the final green light by the EU Council. The AIA establishes requirements for compliance of AI systems and general-purpose AI (GPAI) models made available or put into service in the EU market. In our first regulatory update we discussed scope, classification, conformity and economic operators. Our second regulatory update went on to discuss best practices, enforcement and innovation. In this update we focus specifically on the penalties and timelines associated with AIA compliance.

Definitions

The AIA introduces a number of terms and definitions that may be unfamiliar to medical device manufacturers. Those of relevance to this update are repeated verbatim from the AIA or defined here based on contextual use within the AIA for clarity:

• "AI system": means a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. (Article 3(1))
• "General-purpose AI model": means an AI model, including where such an AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications, except AI models that are used for research, development or prototyping activities before they are placed on the market. (Article 3(63))
• "Undertaking": refers to any entity engaged in economic activity within the EU. This includes companies, businesses, organizations that develop, deploy, or use AI systems.*
• "Union institutions, bodies, offices and agencies’" refer to various entities that are part of the institutional framework in the EU. These entities are involved in the administration, implementation and regulation of EU policies and laws. The AIA applies to AI systems used by these entities to for instance, ensure compliance with safety, transparency and ethical standards.*
• "Provider": means a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge. (Article 3(3))

*These terms are not formally defined in the AIA. An informal definition has been noted here, taking into account the context and usage.

Penalties

Hefty fines are to be enforced for AIA non-compliance. For prohibited AI systems, the fines can be as high as €35 million or seven percent of worldwide annual turnover for the preceding financial year, whichever is higher.

Providers of general-purpose AI models may be fined three percent of their annual total worldwide turnover in the preceding financial year or €15 million, whichever is higher, for non-compliance.

Union institutions, bodies, offices and agencies found to be non-compliant with the prohibition of AI practices will be subject to fines of up to €1.5 million. While any other non-compliance will be subject to fines of up to €750,000.

Anyone who supplies incorrect, incomplete or misleading information to notified bodies or national competent authorities in response to a request, this can result in fines of up to €7.5 million or, if the offender is an undertaking, up to one percent of its total worldwide annual turnover for the preceding financial year, whichever is higher.

Impact and timelines

In addition to the EU Medical Devices Regulation (MDR) and In Vitro Diagnostic Medical Devices Regulation (IVDR), medical device manufacturers of AI-enabled and ML-enabled devices will need to comply with the AIA. Due to the nature of medical devices and IVDs, it is envisioned that the majority of AI/ML-enabled devices will fall into the high-risk category. While it is planned for these devices to undergo conformity assessment under the MDR or IVDR, the practicality is yet to be understood due to the specificities of each regulation.

Table 1 outlines the timeline and actions for compliance with the AIA. Medical device and IVD manufacturers subject to the AIA will have a maximum three-year period to comply with the regulation, unless a significant change to the AI system is made which will trigger compliance obligations sooner.

Concluding remarks

With the AIA, the world now has its first comprehensive legally binding framework for regulating AI technologies. It addresses the ethical, legal and societal implications. Although medical device and IVD manufacturers will have a maximum three-year period to comply, we have seen with the MDR and IVDR how important it is to use these transition periods effectively.

A proactive approach is recommended. Manufacturers should reach out to their Notified Bodies to discuss plans for expanding their scopes to include AIA competency as well as start to perform a gap analysis of their product portfolio. This, along with a comprehensive quality plan, will help position companies for compliance on the relevant date of application.

Sade Sobande is Lead Quality and Regulatory Affairs Consultant at Emergo by UL.