The AI Act Chronicles: Scope watch

In our previous blog, we dove into the basics of the EU’s Artificial Intelligence Act (AI Act, AIA). We explored the thoughts behind it, the timing of implementation and who will be responsible for the oversight. Now, let’s get down to the specifics!

This blog tackles a crucial aspect of the AI Act: its scope. We’ll break down what kind of AI systems fall under the Act’s regulations (the positive scope) and which ones are exempt (the negative scope). We’ll also look at the definitions of some of  the key actors in the AI landscape who will be held accountable under the Act’s provisions.

By the end of this blog, you’ll hopefully have a clearer understanding of which AI systems need to comply with the Act’s requirements and who are the actors that share the responsibility for ensuring this compliance. 

First and foremost, when talking about the scope of the AI Act it is important to look at the definition of an AI system it introduced in Article 3. It was adapted almost word for word from the definition featured in the OECD Recommendation of the Council on Artificial Intelligence and it reads as follows: “AI system means a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments”. While there currently isn’t any further explanation from the regulator on what exactly do the terms such as “autonomy” or “explicit” and “implicit” objectives mean, the OECD published an Explanatory memorandum that includes thorough guidelines on how to interpret them. This definition is a part of the material scope of the Act.

The scope of the Act can be found in Article 2. A list of persons that have obligations further in the text or are otherwise affected by the Act is presented there, constituting the personal scope of the AIA. Among these are 

Most of the obligations in the Act are, however, prescribed to the providers and deployers so it is only appropriate to mention their definitions. Provider is a person or public authority that develops or has developed an AI system or a GPAI model and places it on the market under its own name or trademark, whether for payment or free of charge. Deployer on the other hand is a person or any public body using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity, meaning they’re not the owner of the AI system and are just using an AI system already developed and marketed by someone else for professional purposes.

The territorial scope of the Act covers AI systems and GPAI models placed on the EU market by actors both established within the EU and outside of the EU and also AI systems of which the providers or deployers are established in a third country but the outputs of the system are used in the EU. To better understand the latter, imagine a situation where a hospital in Berlin contracts an Indian medtech company to analyze MRI scans using their AI system, which processes the images and provides diagnostic reports that will be sent back to the hospital. In this scenario, the Indian AI system processes EU data and provides results to an EU entity but is not placed on the EU market or put into service within the EU. The AI Act, however, still applies in this situation as it is foreseen by Recital 22. 

In a nutshell, it doesn’t matter whether the provider or deployer is from the EU, US or even from Australia but as long as the AI system is placed on the market within the EU or its outputs affect persons located within the EU the AI Act will apply. 

As it was already mentioned, the AI Act also outlines certain exceptions to its application. Here’s a quick breakdown of what is exempt: