EU AI Act

1. The following AI practices shall be prohibited: (a) the placing on the market, the putting into service or the use of an AI system that deploys subliminal techniques beyond a person's consciousness or purposefully manipulative or deceptive techniques, with the objective, or the effect of materially distorting the behaviour of a person or a group of persons by appreciably impairing their ability to make an informed decision... (b) the placing on the market, the putting into service or the use of an AI system that exploits any of the vulnerabilities of a natural person or a specific group of persons due to their age, disability or a specific social or economic situation... (e) the placing on the market, the putting into service for this specific purpose, or the use of AI systems for 'real-time' remote biometric identification of natural persons in publicly accessible spaces for the purpose of law enforcement...

1. Irrespective of whether an AI system is placed on the market or put into service independently from the products referred to in this paragraph, that AI system shall be considered to be high-risk where both of the following conditions are fulfilled: (a) the AI system is intended to be used as a safety component of a product, or the AI system is itself a product, covered by the Union harmonisation legislation listed in Annex I; (b) the product whose safety component pursuant to point (a) is the AI system, or the AI system itself as a product, is required to undergo a third-party conformity assessment with a view to the placing on the market or putting into service of that product pursuant to the Union harmonisation legislation listed in Annex I. 2. In addition to the high-risk AI systems referred to in paragraph 1, AI systems referred to in Annex III shall be considered to be high-risk.

1. A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems. 2. The risk management system shall be understood as a continuous iterative process run throughout the entire lifecycle of a high-risk AI system, requiring regular systematic review and updating. It shall comprise the following steps: (a) identification and analysis of the known and the reasonably foreseeable risks that the high-risk AI system can pose to health, safety or fundamental rights when the AI system is used in accordance with its intended purpose; (b) estimation and evaluation of the risks that may emerge when the high-risk AI system is used in accordance with its intended purpose and under conditions of reasonably foreseeable misuse; (c) evaluation of other risks possibly arising, based on the analysis of data gathered from the post-market monitoring system; (d) adoption of appropriate and targeted risk management measures designed to address the risks identified. 4. The risk management measures referred to in paragraph 2, point (d) shall give due consideration to the effects and possible interactions resulting from the combined application of the requirements set out in Articles 10 to 15. They shall take into account the generally acknowledged state of the art, including as reflected in relevant harmonised standards or common specifications.

2. High-risk AI systems which make use of techniques involving the training of models with data shall be developed on the basis of training, validation and testing data sets that meet the quality criteria referred to in paragraphs 3 and 4 wherever such data sets are used. 3. Training, validation and testing data sets shall be subject to appropriate data governance and management practices. Those practices shall concern in particular: (a) the relevant design choices; (b) data collection processes and the origin of data, and in the case of personal data, the original purpose of the data collection; (c) relevant data preparation processing operations, such as annotation, labelling, cleaning, enrichment and aggregation; (d) the formulation of relevant assumptions, notably with respect to the information that the data is supposed to measure and represent; (e) an assessment of the availability, quantity and suitability of the data sets that are needed; (f) examination in view of possible biases, including those that may emerge as a result of the intended geographical, contextual, behavioural or functional setting where the high-risk AI system is to be used; (g) the identification of any possible data gaps or shortcomings, and how those gaps and shortcomings are addressed.

1. High-risk AI systems shall be designed and developed in such a way to ensure that their operation is sufficiently transparent to enable deployers to interpret the system's output and use it appropriately. An appropriate type and degree of transparency shall be ensured, with a view to achieving compliance with the relevant obligations of the provider and deployer set out in Chapter 3 of this Title. 2. High-risk AI systems shall be accompanied by instructions for use in an appropriate digital format or otherwise that include concise, complete, correct and clear information that is relevant, accessible and comprehensible to deployers, covering: the identity and contact details of the provider, the characteristics, capabilities and limitations of performance of the high-risk AI system, changes to the high-risk AI system and its performance, the data for which the system has been tested and validated, and the residual risk and countermeasures.

1. High-risk AI systems shall be designed and developed in such a way, including with appropriate human-machine interface tools, that they can be effectively overseen by natural persons during the period in which the AI system is in use. 2. Human oversight shall aim at preventing or minimising the risks to health, safety or fundamental rights that may emerge when a high-risk AI system is used in accordance with its intended purpose or under conditions of reasonably foreseeable misuse. 4. The measures referred to in paragraph 3 shall enable the individuals to whom human oversight has been assigned to do the following, as appropriate and proportionate: (a) fully understand the capacities and limitations of the high-risk AI system and be able to duly monitor its operation; (b) remain aware of the possible tendency of automatically relying or over-relying on the output produced by a high-risk AI system ('automation bias'); (c) be able to correctly interpret the AI system's output, taking into account in particular the characteristics of the system and the interpretation tools and methods available; (d) be able to decide, in any particular situation, not to use the AI system or to override, ignore or reverse the output of the AI system; (e) be able to intervene on the operation of the high-risk AI system or interrupt the system through a 'stop' button or a similar procedure.

Article 51 — Classification of GPAI models as GPAI models with systemic risk 1. A GPAI model shall be classified as a GPAI model with systemic risk if it meets any of the following conditions: (a) it has high impact capabilities evaluated on the basis of appropriate technical tools and methodologies, including indicators and benchmarks; (b) based on a decision of the Commission, ex officio or following a qualified alert from the scientific panel, it has capabilities or an impact equivalent to those set out in point (a). 2. A GPAI model shall be presumed to have high impact capabilities pursuant to paragraph 1, point (a), where the cumulative amount of compute used for its training measured in floating point operations (FLOPs) is greater than 10²⁵.

1. Providers of high-risk AI systems shall put in place a quality management system that ensures compliance with this Regulation. That system shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions, and shall cover at least the following aspects: (a) a strategy for regulatory compliance, including compliance with conformity assessment procedures and procedures for the management of modifications to the high-risk AI system; (b) techniques, procedures and systematic actions to be used for the design, design control and design verification of the high-risk AI system; (c) techniques, procedures and systematic actions to be used for the development, quality control and quality assurance of the high-risk AI system; (d) examination, test and validation procedures to be carried out before, during and after the development of the high-risk AI system, and the frequency with which they have to be carried out; (e) technical specifications, including standards, to be applied and, where the relevant harmonised standards are not applied in full, the means to be used to ensure that the high-risk AI system complies with the requirements set out in Chapter 2 of this Title; (f) systems and procedures for data management, including data collection, data analysis, data labelling, data storage, data filtration, data mining, data aggregation, data retention and any other operation regarding the data that is performed before and for the purpose of the placing on the market or the putting into service of high-risk AI systems; (g) the risk management system referred to in Article 9; (h) the setting-up, implementation and maintenance of a post-market monitoring system, in accordance with Article 72; (i) procedures related to the reporting of serious incidents in accordance with Article 73; (j) the handling of communication with national competent authorities, competent authorities, notified bodies, other operators, customers or other interested parties.

1. Before placing on the market or putting into service a high-risk AI system referred to in Annex III, with the exception of the high-risk AI systems referred to in Annex III, point 2, the provider shall register themselves and their system in the EU database referred to in Article 71. 2. Before putting into service or using a high-risk AI system referred to in Annex III, point 1, 6, 7 or 8, deployers that are public authorities, Union institutions, bodies, offices and agencies, shall register themselves and the high-risk AI systems they use in the EU database referred to in Article 71. 3. For high-risk AI systems referred to in Annex III, point 2, providers shall register themselves and their system in the EU database referred to in Article 71 only where those systems are intended to be used by public authorities.

1. Providers shall ensure that AI systems intended to interact directly with natural persons are designed and developed in such a way that the natural persons concerned are informed that they are interacting with an AI system, unless this is obvious from the circumstances and the context of use. This obligation shall not apply to AI systems authorised by law to detect, prevent, investigate or prosecute criminal offences... 2. Providers of AI systems, including GPAI model providers, generating synthetic audio, image, video or text content, shall ensure that the outputs of the AI system are marked in a machine-readable format and detectable as artificially generated or manipulated.