In order to efficiently ensure that fundamental rights are protected, deployers of high-risk AI systems that are bodies governed by public law, or private entities providing public services and deployers of certain high-risk AI systems listed in an annex to this Regulation, such as banking or insurance entities, should carry out a fundamental rights impact assessment prior to putting it into use. Services important for individuals that are of public nature may also be provided by private entities. Private entities providing such public services are linked to tasks in the public interest such as in the areas of education, healthcare, social services, housing, administration of justice. The aim of the fundamental rights impact assessment is for the deployer to identify the specific risks to the rights of individuals or groups of individuals likely to be affected, identify measures to be taken in the case of a materialisation of those risks. The impact assessment should be performed prior to deploying the high-risk AI system, and should be updated when the deployer considers that any of the relevant factors have changed. The impact assessment should identify the deployer’s relevant processes in which the high-risk AI system will be used in line with its intended purpose, and should include a description of the period of time and frequency in which the system is intended to be used as well as of specific categories of natural persons and groups who are likely to be affected in the specific context of use. The assessment should also include the identification of specific risks of harm likely to have an impact on the fundamental rights of those persons or groups. While performing this assessment, the deployer should take into account information relevant to a proper assessment of the impact, including but not limited to the information given by the provider of the high-risk AI system in the instructions for use. In light of the risks identified, deployers should determine measures to be taken in the case of a materialisation of those risks, including for example governance arrangements in that specific context of use, such as arrangements for human oversight according to the instructions of use or, complaint handling and redress procedures, as they could be instrumental in mitigating risks to fundamental rights in concrete use-cases. After performing that impact assessment, the deployer should notify the relevant market surveillance authority. Where appropriate, to collect relevant information necessary to perform the impact assessment, deployers of high-risk AI system, in particular when AI systems are used in the public sector, could involve relevant stakeholders, including the representatives of groups of persons likely to be affected by the AI system, independent experts, and civil society organisations in conducting such impact assessments and designing measures to be taken in the case of materialisation of the risks. The European Artificial Intelligence Office (AI Office) should develop a template for a questionnaire in order to facilitate compliance and reduce the administrative burden for deployers.
Table of contents
Section 1: Classification of AI Systems as High-Risk
Article 6: Classification Rules for High-Risk AI Systems
Article 7: Amendments to Annex III
Section 2: Requirements for High-Risk AI Systems
Article 8: Compliance with the Requirements
Article 9: Risk Management System
Article 10: Data and Data Governance
Article 11: Technical Documentation
Article 13: Transparency and Provision of Information to Deployers
Article 15: Accuracy, Robustness and Cybersecurity
Section 3: Obligations of Providers and Deployers of High-Risk AI Systems and Other Parties
Article 16: Obligations of Providers of High-Risk AI Systems
Article 17: Quality Management System
Article 18: Documentation Keeping
Article 19: Automatically Generated Logs
Article 20: Corrective Actions and Duty of Information
Article 21: Cooperation with Competent Authorities
Article 22: Authorised Representatives of providers of high-risk AI systems
Article 23: Obligations of Importers
Article 24: Obligations of Distributors
Article 25: Responsibilities Along the AI Value Chain
Article 26: Obligations of Deployers of High-Risk AI Systems
Article 27: Fundamental Rights Impact Assessment for High-Risk AI Systems
Section 4: Notifying Authorities and Notified Bodies
Article 28: Notifying Authorities
Article 29: Application of a Conformity Assessment Body for Notification
Article 30: Notification Procedure
Article 31: Requirements Relating to Notified Bodies
Article 32: Presumption of Conformity with Requirements Relating to Notified Bodies
Article 33: Subsidiaries of and Subcontracting by Notified Bodies
Article 34: Operational Obligations of Notified Bodies
Article 35: Identification Numbers and Lists of Notified Bodies Designated Under this Regulation
Article 36: Changes to Notifications
Article 37: Challenge to the Competence of Notified Bodies
Article 38: Coordination of Notified Bodies
Article 39: Conformity Assessment Bodies of Third Countries
Section 5: Standards, Conformity Assessment, Certificates, Registration
Article 40: Harmonised Standards and Standardisation Deliverables
Article 41: Common Specifications
Article 42: Presumption of Conformity with Certain Requirements
Article 43: Conformity Assessment
Article 45: Information Obligations of Notified Bodies
Article 46: Derogation from Conformity Assessment Procedure
Section 1: Classification Rules
Section 2: Obligations for Providers of General Purpose AI Models
Article 53: Obligations for Providers of General Purpose AI Models
Article 54: Authorised Representative
Section 3: Obligations for Providers of General Purpose AI Models with Systemic Risk
Article 55: Obligations for Providers of General-Purpose AI Models with Systemic Risk
Article 57: AI Regulatory Sandboxes
Article 58: Detailed arrangements for and functioning of AI regulatory sandboxes
Article 60: Testing of High-Risk AI Systems in Real World Conditions Outside AI Regulatory Sandboxes
Article 62: Measures for Providers and Deployers, in Particular SMEs, Including Start-Ups
Section 1: Governance at Union Level
Article 65: Establishment and Structure of the European Artificial Intelligence Board
Article 66: Tasks of the Board
Article 68: Scientific Panel of Independent Experts
Article 69: Access to the Pool of Experts by the Member States
Section 2: National Competent Authorities
Article 70: Designation of National Competent Authorities and Single Point of Contact
Section 1: Post-Market Monitoring
Section 2: Sharing of Information on Serious Incidents
Article 73: Reporting of Serious Incidents
Article 74: Market Surveillance and Control of AI Systems in the Union Market
Article 75: Mutual Assistance, Market Surveillance and Control of General Purpose AI Systems
Article 76: Supervision of Testing in Real World Conditions by Market Surveillance Authorities
Article 77: Powers of Authorities Protecting Fundamental Rights
Article 79: Procedure for Dealing with AI Systems Presenting a Risk at National Level
Article 81: Union Safeguard Procedure
Article 82: Compliant AI Systems Which Present a Risk
Article 83: Formal Non-Compliance
Article 84: Union AI Testing Support Structures
Article 85: Right to Lodge a Complaint with a Market Surveillance Authority
Article 86: A Right to Explanation of Individual Decision-Making
Article 87: Reporting of Breaches and Protection of Reporting Persons
Article 88: Enforcement of Obligations on Providers of General Purpose AI Models
Article 89 : Monitoring Actions
Article 90: Alerts of Systemic Risks by the Scientific Panel
Article 91: Power to Request Documentation and Information
Article 92: Power to Conduct Evaluations
Article 93: Power to Request Measures
Article 94: Procedural Rights of Economic Operators of the General Purpose AI Model
Article 95: Codes of Conduct for Voluntary Application of Specific Requirements
Article 96: Guidelines from the Commission on the Implementation of this Regulation
Article 100: Administrative Fines on Union Institutions, Agencies and Bodies
Article 101: Fines for Providers of General Purpose AI Models
Article 102: Amendment to Regulation (EC) No 300/2008
Article 103: Amendment to Regulation (EU) No 167/2013
Article 104: Amendment to Regulation (EU) No 168/2013
Article 105: Amendment to Directive 2014/90/EU
Article 106: Amendment to Directive (EU) 2016/797
Article 107: Amendment to Regulation (EU) 2018/858
Article 108: Amendment to Regulation (EU) 2018/1139
Article 109: Amendment to Regulation (EU) 2019/2144
Article 110: Amendment to Directive (EU) 2020/1828
Article 111: AI Systems Already Placed on the Market or put into Service
Annexes
Annex I: List of Union Harmonisation Legislation
Annex II: List of Criminal Offences
Annex III: High-Risk AI Systems
Annex IV: Technical Documentation
Annex V: EU Declaration of Conformity
Annex VI: Conformity Assessment Procedure Based on Internal Control
Annex VII: Conformity Based on Assessment of Quality Management System and Assessment of Technical Documentation
Annex VIII: Information to be Submitted upon the Registration of High-Risk AI Systems
Annex IX: Information to be Submitted upon the Registration of High-Risk AI Systems
Annex X: Union Legislation on Large-Scale IT Systems in the Area of Freedom, Security and Justice
Annex XI: Technical Documentation Referred to in Article 53(1a)
Annex XII: Transparency Information Referred to in Article 53(1b)
Annex XIII: Criteria for the Designation of General Purpose AI models with Systemic Risk
Search within the Act
2 May 2024 – The AI Act Explorer has now been updated with content from the European Parliament's 'Corrigendum' version from 19 April 2024. The content of the Act is unlikely to change any further.
Recital 96
Feedback – We are working to improve this tool. Please send feedback to Risto Uuk at risto@futureoflife.org
The text used in this tool is the ‘Artificial Intelligence Act, Corrigendum, 19 April 2024’. Interinstitutional File: 2021/0106(COD)