How are agentic AI systems regulated under the EU AI Act? A group of leading scholars just answered this question. 'AI Agents Under EU Law' is the most sophisticated and detailed legal analysis on the topic. It assesses how various laws, including the EU AI Act, GDPR, and Product Liability Directive, regulate AI agents. Noting that "agents" and "agentic AI" are not explicitly defined or covered in the AI Act—and that there is not yet any substantive EU guidance on this—the authors outline a practical compliance framework that organisations can implement, to govern their agentic AI systems. The key message is that the AI Act is use case focused. This means that whether or not an AI system is high-risk depends on the specific domain of use. For example, an agentic AI system used for recruitment may be high-risk, whereas an agentic AI system used solely for academic research is unlikely to be. The major challenge, after risk classification, is determining how agentic AI systems can be developed and deployed in a way that is aligned with the requirements for high-risk AI systems: as stipulated in the AI Act itself and the draft and evolving CEN/CENELEC standards. The paper highlights core tensions between the autonomous, proactive, and unpredictable nature of agentic AI systems and their behaviour, and the requirements mentioned above, relating to risk management, robustness, human oversight, and transparency. For example, if the behaviour and actions of AI agents deployed in production change in ways that are significant and were not foreseeable or accounted for in the original conformity assessment, then this could potentially be non-compliant. The authors highlight "emergent behavioural drift" as an area of concern. 
This means that if you have an autonomous agentic AI system used in a high-risk AI domain, you will need to think carefully about the specific guardrails—including how agentic AI authority and action scope is bounded—and associated development and deployment choices, to ensure EU AI Act compatibility. The very autonomy and proactiveness that makes agentic AI so powerful is also a compliance risk, in certain scenarios. Kudos to Luca Nannini Aleksandr Tiulkanov LL.M., CIPP/E Adam Leon Smith DEng FBCS Michele Joshua Maggini Enrico Panai Sandra Feliciano Elena Maran James G. Piercosma Bisconti Lucidi, Ph.D. for this important contribution
EU AI Initiatives
-
Yesterday, the AI Office published the third draft of the General-Purpose AI Code of Practice, a key regulatory instrument for AI providers seeking to align with the EU AI Act. Developed with input from 1,000 stakeholders, the draft refines previous versions by clarifying compliance requirements and introducing a structured approach to regulation. GPAI providers must meet baseline obligations on transparency and copyright compliance, while models classified as having systemic risk face additional commitments under Article 51 of the AI Act. The final version, expected in May 2025, aims to facilitate compliance while ensuring AI models adhere to safety, security, and accountability standards.
The Code introduces the Model Documentation Form, requiring AI providers to disclose key details such as model architecture, parameter size, training methodologies, and data sources. Transparency obligations include specifying the provenance of training data, documenting measures to mitigate bias, and reporting compute power and energy consumption. GPAI providers must also outline their models’ intended uses, with additional requirements for systemic-risk models, including adversarial testing and evaluation strategies. Documentation must be retained for twelve months after a model is retired, with copyright compliance mandatory for all providers, including open-source AI.
GPAI providers must establish formal copyright policies and comply with strict data collection rules. Web crawlers cannot bypass paywalls, access piracy sites, or ignore the Robots Exclusion Protocol. The Code also requires providers to prevent AI-generated copyright infringement, mandate compliance in acceptable use policies, and implement mechanisms for rightsholders to submit copyright complaints. Providers must maintain a point of contact for copyright inquiries and ensure their policies are transparent.
For AI models with systemic risk, the Code introduces a Safety and Security Framework, aligning with the AI Act’s high-risk requirements. Providers must assess risks in areas such as cyber threats, manipulation, and autonomous AI behaviours. They must define risk acceptance criteria, anticipate risk escalations, and conduct assessments at key development milestones. If risks are identified, development may need to be paused while safeguards are implemented. GPAI providers must introduce technical safeguards, including input filtering, API access controls, and security measures meeting at least the RAND SL3 standard. From 2 November 2025, systemic-risk models must undergo external risk assessments before release. Providers must maintain a Safety and Security Model Report, report AI-related incidents within strict timeframes, and implement governance structures ensuring responsibility at all levels. Whistleblower protections are also required. With the final version expected in May 2025, AI providers have a short window to prepare before the AI Act takes full effect in August.
-
🚨 EU AI Act Handbook (May 2025) By White & Case LLP
If you’re working on compliance or policy implementation, this is probably the most comprehensive and current private-sector resource on the EU AI Act yet.
📘 Why it stands out
This 117-page handbook isn’t just a summary. It’s a deep, practical interpretation of the EU AI Act, breaking down uncertainty, gray areas, and implementation pitfalls with the clarity you’d expect from seasoned EU law practitioners. It covers:
- Definitions and role assignments across the value chain
- Risk classification, including systemic risk for GPAI
- High-risk AI requirements: logging, risk management, transparency
- GPAI & foundation model duties – including open-source distinctions
- Impact on downstream users, importers, and deployers
- Enforcement timelines and overlapping regulations (like GDPR & DSA)
🔍 What’s fresh
This May 2025 edition reflects the final text of the Act and anticipates how courts and regulators might interpret ambiguous provisions. It translates vague mandates into actionable steps for tech companies, SMEs, and legal teams alike.
💬 Quote from the intro
“Where the EU AI Act is ambiguous, we aim to be clear. Where it is high-level, we aim to be grounded.” — Tim Hickman, Dr. iur Sylvia Lorenz, Jenna Rennie, Clara Hainsdorf (White & Case)
💡 Why it matters
The EU AI Act doesn’t operate in a vacuum. It collides and overlaps with GDPR, the DSA, and national laws. This handbook gives structure and language to navigate it all – not just for compliance teams, but for product leads and AI governance folks trying to do the right thing in a shifting landscape.
=== Did you like this post? Connect or Follow 🎯 Jakub Szarmach Want to see all my posts? Ring that 🔔.
-
Europe just made AI governance non-negotiable. prEN 18286 (EU AI Act QMS) is out; once cited, it grants presumption of conformity. Reality check: ISO/IEC 42001 ≠ EU AI Act compliance. Translation: for high-risk AI providers, you’ll need evidence, not promises: design controls, data governance, risk management, and post-market monitoring that auditors can verify.
Do these 5 moves now:
- Map every AI system to EU AI Act risk tiers.
- Implement controls aligned to the new harmonized standards.
- Show your work: tech docs, eval evidence, audit trails.
- Challenge vendors—model cards, data lineage, red-team results.
- Monitor in production like safety-critical software.
Simplifying it, your fast path: risk-map → standardize controls → prove with evidence → vendor due diligence → live monitoring. Simple to say, and hard to fake. If you’re “waiting to see,” you’re already late. Presumption of conformity will favor the prepared.
#EUAIAct #AICompliance #AIStandards #CENCENELEC #ISO42001 #GPAI #ResponsibleAI #EUAIAct #AIGovernance #AICompliance #AIStandards #RiskManagement
-
⛔What U.S. Companies Should Know About the EU AI Act’s QMS Requirements⛔
To U.S. leaders who assume the EU AI Act is just “Europe’s problem”: it isn’t. If your company develops, deploys, or integrates AI systems that reach EU customers or users, you will soon be expected to prove that those systems are managed under a Quality Management System (#QMS) designed for AI.
➡️The hidden trigger: “placing on the market”
You do not have to be headquartered in Europe to fall under the Act. If you offer, deploy, or distribute an AI system in the EU, even through a local reseller, you are considered a provider. That status brings legal obligations such as documented risk management, data governance, human oversight, technical documentation, and post-market monitoring (#PMM).
➡️Why #ISO42001 helps but is not enough
Many firms are rightly investing in ISO42001 certification because it allows them to establish an AI Management System (#AIMS). That is a smart first step because it gives structure, governance, and auditability. The EU AI Act goes further: It requires a specific QMS for presumption of regulatory conformity, described in the forthcoming CEN and CENELEC QMS Standard (which is in Working Draft status). When finalized, that standard will become the harmonized European reference that provides presumption of conformity under Article 17.
➡️What the EU QMS requires beyond ISO42001
Even if you are ISO 42001-certified, you will need additional evidence and documentation:
🔸Technical documentation for each AI system, including design, versions, intended purpose, and maintenance plan
🔸Records of consultation regarding fundamental rights
🔸Integrated risk management covering accuracy, robustness, cybersecurity, and bias
🔸Dataset governance evidence showing representativeness, quality, and bias mitigation
🔸Human oversight records including interfaces, training, and incident handling
🔸Post-market monitoring (PMM) plans and serious incident reports
🔸An EU Declaration of Conformity and CE marking for high-risk systems
➡️A practical path for U.S. organizations
🔹Map your exposure and identify products or models that reach EU users.
🔹Adopt ISO42001 to build the management foundation.
🔹Align with the QMS Working Draft by expanding documentation, consultation, and monitoring.
🔹Coordinate early with a Notified Body if your AI falls in a high-risk category outside the scope of Annex III, points 2-8 (these entities can self-assess).
🔹Integrate this framework with your existing compliance systems such as ISO27001, ISO27701, and ISO9001 so that audit cycles and evidence align.
➡️The bigger takeaway
The EU AI Act is not a paperwork exercise. It represents a shift toward evidence-based assurance that shows, rather than claims, that AI systems are safe, fair, and well-governed. ISO42001 provides the discipline. The EU QMS provides the legal recognition. Together they define what trustworthy AI looks like for organizations operating across the globe.
-
The Future of Privacy Forum and OneTrust have published an updated guide to help organizations navigate Conformity Assessments (CAs) under the final version of the EU #Artificial Intelligence Act. CAs are a cornerstone of the EU AI Act's compliance framework and will be critical for any organization developing or deploying high-risk #AIsystems in the EU. The guide offers a clear and practical framework for assessing whether, when, and how a CA must be conducted. It also clarifies the role of CAs as an overarching accountability mechanism within the #AIAct.
This guide:
- Provides a step-by-step roadmap for conducting a Conformity Assessment under the EU AI Act.
- Presents CAs as essential tools for ensuring both product safety and regulatory compliance.
- Identifies the key questions organizations must ask to determine if they are subject to CA obligations.
- Explains the procedural differences between internal and third-party assessments, including timing and responsibility.
- Details the specific compliance requirements for high-risk #AI systems.
- Highlights the role of documentation and how related obligations intersect with the CA process.
- Discusses the use of harmonized standards and how they can create a presumption of conformity under the Act.
This guide serves as a practical resource for understanding the conformity assessment process and supporting organizations in preparing for compliance with the EU AI Act.
-
Think the EU AI Act only hits Big Tech? Think again. If your company uses AI in hiring, credit, or monitoring, even through a vendor, you're in scope. The AI Act is risk-based regulation with different rules for "providers" (who build AI) and "deployers" (who use it). Most commercial organizations fall into one of these buckets. The reality is you're probably a "deployer" with obligations. If your AI system or its output is used in the EU, you're in scope. Even if you're a U.S. company with no EU operations.
Four Categories You Need to Know:
🚫 Prohibited AI (banned since Feb 2025)
Social scoring, emotion recognition in workplaces/schools, real-time biometric ID in public spaces
⚠️ High-Risk AI (compliance deadline: Aug 2, 2026)
Recruitment tools, employee monitoring, task allocation, credit scoring, biometric ID
💬 Transparency AI (disclosure required)
Chatbots, deepfakes, AI-generated content must be labeled
🤖 GPAI Models (Big Tech problem)
New models compliant since Aug 2025. Existing models until Aug 2027
Provider vs. Deployer
Using an AI recruitment or monitoring/evaluation system? Algorithmic scheduling? AI-powered credit decisions? Biometric access control? Emotion recognition? You're a "deployer." Your vendor is the "provider." "My vendor handles compliance" is NOT a defense. You have separate, independent obligations.
Provider obligations (vendors):
• Conformity assessment before market release
• Technical documentation and CE marking
• Risk management and data governance systems
• Quality management system
• Registration in EU database
• Post-market monitoring and incident reporting
Deployer obligations:
• Human oversight, monitoring, data governance, potentially fundamental rights impact assessments
• Follow provider instructions and maintain logs
• Monitor AI performance in practice
• Report serious incidents
• Ensure input data quality
What You Must Do By August 2, 2026:
✓ Human Oversight – Meaningful ability to intervene (not rubber-stamping)
✓ Monitoring – Track performance, log incidents
✓ Data Governance – Quality-check input data
✓ Impact Assessments – Assess fundamental rights before deployment
✓ Documentation – Maintain logs and follow instructions
The Bottom Line
If you're using AI-powered HR tools, credit decision-making, or biometric systems, you have compliance obligations by August 2026. The goal isn't perfection. It's demonstrable good faith effort, documented risk assessment, and avoiding prohibited practices.
----------
This is part 2 of my recap from Phil Lee's session on the EU Data Act and AI Act at the Openli AI Summit. Part one covered the EU Data Act (link in comments). This post covers the AI Act.
-
In <16 months most of the EU AI Act comes into force. This is despite:
-> huge gray areas in the law
-> delays in publication of "Harmonised Standards"
-> onerous requirements for "High-Risk AI Systems"
Regulators don't care about your pain. But StackAware does, so we put together an actionable procedure addressing the law’s requirements. This applies only to private sector organizations operating as Deployers (and not doing so on behalf of public authorities, EU institutions, bodies, and offices).
⬛ BEGIN EU AI Act Deployer Compliance Procedure ⬛
1. The CISO must:
-> Ensure AI literacy of all personnel using AI Systems.
-> For High-Risk AI Systems:
-- Conduct an AI Model, System, Impact, and Risk Assessment per the StackAware SOP.
-- Provide the Market Surveillance Authority(ies) the results.
2. Data owners must:
-> For High-Risk AI Systems:
-- Use and monitor systems per Provider instructions.
-- Only use output of the system in the EU if the Provider has certified it for use there.
-- Inform, prior to using the system, all persons subject to the system.
-- If the system produces legal (or similar) effects a person considers adverse, provide the person a concise explanation of the:
--- role of the AI system.
--- main element(s) of the decision taken.
-- Assign human oversight of the system.
-- Ensure Input Data is relevant and sufficiently representative.
-- Retain system logs for at least 6 months.
-- Provide information via the Provider’s Post-Market Monitoring System.
-- Upon identification of an AI System Presenting a Risk, cease use within 3 days.
-- Upon identification of a Serious Incident, do not allow the AI system to be altered before complete investigation.
-> For Emotion Recognition and Biometric Categorisation Systems, inform people whose Personal Data is processed by the system.
-> For systems that generate or manipulate Deep Fakes, disclose in plain language—accessible to people with disabilities—that the content has been so generated or manipulated.
-> For systems that generate or manipulate text published to inform the public and where AI-generated content has not undergone human review, disclose in plain language—accessible to people with disabilities—that the text has been so generated or manipulated.
3. The General Counsel must:
-> Upon identification of an AI System Presenting a Risk, inform the Provider and Market Surveillance Authority within 30 days.
-> Upon identification of a Serious Incident caused by the system:
-- Inform the Provider within 3 days.
-- If the Provider does not confirm receipt within 3 subsequent days, inform the Market Surveillance Authority of all European Union Member States where the incident occurred within 2 subsequent days.
-- Inform the Importer or Distributor (if applicable) within 30 days.
-- Investigate the Serious Incident and the AI system concerned, by:
--- Conducting a revised Risk Assessment of the system and incident.
--- Documenting a corrective action plan.
-
AI Governance Frameworks Series (Post 3)
🇪🇺 The EU AI Act – What It Means and Why It Matters
The EU AI Act is the world’s first comprehensive law regulating artificial intelligence. It doesn’t just guide organizations — it mandates how AI must be developed, deployed, and monitored. If your organization operates in Europe, offers services to EU citizens, or uses third-party AI tools that impact EU users, this law affects you.
🌍 What Is the EU AI Act?
The EU AI Act introduces a risk-based regulatory framework that classifies AI systems by their level of risk:
🚫 Unacceptable Risk → Completely banned
⚠️ High Risk → Strict requirements and ongoing monitoring
ℹ️ Limited Risk → Transparency obligations
🟢 Minimal Risk → No major obligations
This structure ensures AI is safe, transparent, fair, accountable, and aligned with fundamental rights.
🔒 What Are “High-Risk AI Systems”?
These include AI used in:
▪️ Hiring and recruitment
▪️ Biometric identification
▪️ Credit scoring & financial risk decisions
▪️ Critical infrastructure
▪️ Healthcare diagnostics
▪️ Transportation safety
▪️ Government services
▪️ Education and assessments
High-risk AI comes with obligations such as:
📍 Robust risk management
📍 High-quality training data
📍 Logging and monitoring
📍 Transparency and explainability
📍 Cybersecurity and robustness testing
📍 Human oversight
📍 Documentation for audits and regulators
Organizations must prove compliance before deploying these systems.
📣 Transparency Requirements (Limited-Risk AI)
AI systems that interact with people — such as chatbots, deepfakes, or AI-generated content — must clearly disclose that: “You are interacting with an AI system.” This builds user trust and prevents deceptive practices.
🔥 Why the EU AI Act Matters Globally
Even if your organization is not EU-based, the Act sets a global precedent. Just like GDPR reshaped global privacy laws, the EU AI Act is becoming the blueprint for AI safety and ethics worldwide.
It impacts:
🧿 AI vendors
🧿 Retail & e-commerce
🧿 Customer service automation
🧿 Fraud detection & financial services
🧿 Healthcare applications
🧿 Hiring & HR systems
🧿 Logistics & supply chain optimization
If EU data or users are in scope → you must comply.
📌 Up Next: Post 4 — ISO/IEC 42001 (The World’s First AI Management System Standard)
#AIGovernance #EUAIAct #AIRiskManagement #ResponsibleAI #AICompliance #GRC #ISO42001 #TechRisk #AIEthics #AIRegulation #DigitalTrust #ArtificialIntelligence
-
Is your healthcare organization ready for high-risk AI compliance?
The EU Artificial Intelligence Act enters into force on August 1, 2024, setting new and mandatory standards for the safe, ethical, and transparent use of AI—especially in sensitive domains like healthcare. For healthcare institutions, this is more than a regulatory shift. It’s a call for systemic readiness and responsible innovation.
Key requirements include:
- Risk-based classification of all AI systems in use
- Human oversight in AI-driven decisions that affect patients
- Transparent communication when AI is involved in clinical workflows
- Compliance with GDPR and robust data governance
- Risk and Fundamental Rights Impact Assessments (FRIAs)
- Establishing an AI Quality Management System (AI QMS)
- AI ethics, bias awareness, and continuous staff training
AI systems used in diagnostics, treatment recommendations, and digital health platforms will likely fall into the “high-risk” category. Compliance is not only about regulation—it’s about trust, safety, and quality in care. This is the moment to reimagine AI governance in healthcare.
#ai #aiinhealth #euaiact