Global menu

Our global pages


Proposal for EU Regulation of Artificial Intelligence published

  • Global
  • Technology
  • Consumer
  • Financial services
  • Health and life sciences
  • Industrials
  • Technology, Media and Telecoms



The EU Commission has set out its proposal for a Regulation on a European approach for Artificial Intelligence (‘AI’). The 108 page proposal sets out harmonised rules for the development, placement on the market of and use of AI systems in the Union following a proportionate risk-based approach.

Member States are required to lay down rules on penalties for infringements of the Regulation, with fines at a level of the higher of 30,000,000 euros or 6% of worldwide annual turnover for certain offences including the carrying out of a prohibited AI practice. Additionally, the proposed regulation imposes obligations in relation to reporting of serious incidents and of malfunctioning of AI systems which constitutes a breach of obligations under Union law.

For more detail, see the full briefing below.

Impact and actions

The regulation has vast implications for industry across numerous sectors around the world, especially given current emphasis by businesses on digitalisation and personalisation, the wideness of the definition of “AI Systems” to which it applies and its extra-territorial reach beyond the EU. It also has application, in different ways and with differing obligations, to developers, distributors and/or users of these AI systems.

The regulation lays down harmonised rules for the placing on the market, the putting into service and the use of AI systems in the European Union; prohibits certain artificial intelligence practices; sets out specific requirements for high-risk AI systems and obligations for operators of such systems; and harmonises transparency rules and obligations for AI systems intended to interact with natural persons, emotion recognition systems and biometric categorisation systems, and AI systems used to generate or manipulate image, audio or video content; and rules on market monitoring and surveillance.

The definition of AI systems is wide-reaching and, as such, will apply to AI and certain other technology.

The regulation is designed to apply to AI systems operated/used in the EU but has extra-territorial reach. As such, although an EU Regulation, the legislation will be of relevance to suppliers and manufacturers of AI systems based outside the EU as its scope extends to providers placing AI systems on the EU market or putting AI systems into service in the EU, regardless of where they are based, as well as to providers and users of AI systems located outside the EU where the output produced by the system is used in the EU. A provider established outside the EU will (unless it has an importer) be required to appoint an EU based authorised representative for the purpose of the Regulation. As with GDPR, it is expected to have a wide-reaching impact on shaping the legislative landscape for AI across the globe and, to a some extent, is expected to shape how many customers engage with adopting AI and how suppliers shape their AI products and services in a legally compliant way as a “high bar” by which to measure their approach to designing, selling, licensing and/or embedding ethical AI solutions, regardless of location.

“High risk” AI systems will have to comply with a set of horizontal mandatory requirements for trustworthy AI and follow conformity assessment procedures before those systems can be placed on the Union market.

Predictable, proportionate and clear obligations are also placed on providers and users of those systems to ensure safety and respect of existing legislation protecting fundamental rights throughout the whole AI systems’ lifecycle. This includes obligations in relation to use of data and information to be provided to end-users in certain situations.

Companies who are located in the EU and/or sell or license into the EU should be cognisant of the proposed regulation when shaping their AI solutions for their customers and/or adopting and embedding AI in their businesses. Users of AI will also need to engage with the regulation in order to ensure compliance with law.

If developing AI Systems or placing them onto the market and/or embedding AI solutions within your own businesses, now – more than ever - is the time to ensure you grapple with the implications of the proposed regulation and other relevant legislation and guidance in this area (where relevant) on your procurement or sales models, your messaging to your customers, your legal templates and your training to your business.

RAG rating

Impact in more than six months

At national level, Member States will have to designate one or more national competent authorities and, among them, the national supervisory authority, for the purpose of supervising the application and implementation of the regulation. The European Data Protection Supervisor will act as the competent authority for the supervision of the Union institutions, agencies and bodies when they fall within the scope of this regulation.

The Regulation will apply two years following its entry into force, which will be on the twentieth day following its publication in the OJEU, although certain sections may come into force earlier.

Read the full briefing.