EU governments are moving toward a fixed timeline for delayed AI Act high-risk obligations in a first compromise text on the AI amendment package, removing the European Commission’s ability to trigger duties early. The text also reinstates a simplified registration requirement, limits centralized enforcement powers, tightens rules on sensitive data processing, and clarifies obligations on AI literacy.
European governments are moving toward a fixed timeline for the entry into force of the AI Act’s high-risk requirements and reinstating a registration requirement, among other major changes suggested in a compromise text obtained by MLex.
Cyprus, which currently holds the rotating “presidency” of the Council of the EU, shared with its European counterparts on Friday the first compromise text on a package of legislative amendments targeting the AI Act, known as the AI omnibus.
“In the interest of legal certainty and predictability for the market, the presidency proposes to establish a fixed timeline for the delayed application of Chapter III [the high-risk requirements],” reads the explanatory note accompanying the text.
The commission proposed to include in the AI omnibus a delay to the entry into application of the AI Act’s duties for developers of “high-risk” AI systems, due to delays in the development of technical standards meant to facilitate compliance with those requirements.
At the same time, the initial proposal envisaged that the European Commission could trigger the obligations at any point if it deemed there were adequate compliance tools in place. The Cypriot text removes this possibility, which has been criticized for making the timeline unpredictable.
The compromise document, which is a first attempt to reconcile EU countries’ differing views on the file, also includes several proposed changes to key parts of the AI omnibus.
— Registration obligation —
The AI Act envisages that AI developers who deem their system is not high-risk, even though it falls within a predetermined list of high-risk use cases, must register it in a public database. The commission proposed to remove this requirement, which it considered over-bureaucratic.
However, several member states opposed the move, arguing that removing the registration would make it harder for national authorities to monitor potentially risky AI systems. As a result, the council's text reinstates this obligation, proposing instead to simplify the registration process.
— Centralized enforcement —
The AI omnibus includes several centralization elements, notably moving competences from national authorities to the commission’s AI Office for AI systems developed on top of a general-purpose AI model when they're provided by the same company.
However, the council document removes the commission’s competence in these cases for AI systems used in the management of critical infrastructure, such as digital networks and energy supply.
In addition, the text clarifies that this centralization does not apply to sensitive high-risk applications in law enforcement, judicial proceedings and migration, where the AI Act requires oversight by an independent regulator such as a data protection authority.
The cooperation between the AI Office and national authorities is further detailed, together with the process for investigations and enforcement, rather than leaving this to future secondary legislation.
— AI literacy —
The commission proposal included shifting a requirement for AI developers and users to ensure adequate levels of AI literacy among staff members to a more general duty on national and European authorities to foster AI literacy.
By contrast, the council document introduces new wording clarifying that AI developers and users of high-risk AI systems “are still required to ensure the AI competences of persons working with such systems.”
The European AI Board, the body gathering EU AI authorities, has also been tasked with issuing nonbinding common objectives for AI literacy.
— Processing sensitive data —
The AI omnibus includes a new legal basis allowing developers of AI systems and models to process sensitive categories of data, as defined under the GDPR, to identify and mitigate biases. New wording clarifies that this legal basis should be used only in exceptional circumstances, and only for as long as strictly necessary.
The Cypriot presidency also proposes that the same safeguards outlined for high-risk AI systems should apply to all other AI systems and models in these cases.
— Conformity assessment bodies —
The legislative package includes amendments to streamline the procedure for setting up conformity assessment bodies tasked with vetting AI systems’ compliance.
Cyprus added text confirming that conformity assessment bodies designated under other EU product safety legislation will need to apply only once to be formally recognized under the AI Act, to avoid unnecessary duplication.
— Regulatory sandboxes —
The text suggests removing the commission’s proposed requirement that member states should strengthen cross-border cooperation between their regulatory sandboxes.
In addition, the compromise specifies that proposed changes detailing governance rules for regulatory sandboxes to be set out in future secondary legislation will not interfere with the autonomy of national authorities.
Source: MLex
Write a comment