In the third part of our EU AI Act unpacked blog series, we focus on the personal and territorial scope of the EU Artificial Intelligence Act (AI Act). It is crucial for businesses to understand the scope of the new AI regulation in order to determine whether and to what extent they have to implement AI governance and compliance structures over the next two years once the AI Act has entered into force.
Personal scope of the AI Act
The AI Act is applicable to all stakeholders along the AI value chain, namely:
- Providers of AI systems;
- Deployers;
- Importers; and
- Distributors.
Provider
The determination of whether an organisation qualifies as a provider is crucial as providers are subject to most of the obligations under the AI Act, such as implementing risk and quality management, carrying out conformity assessment, as well as extensive documentation obligations.
A provider within the meaning of the AI Act is any natural or legal person that develops an AI system or a general-purpose AI model (GPAI model) or that has an AI system or a GPAI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge (Article 3(3) AI Act).
Therefore, the provider term is relevant in relation to AI systems as well as to GPAI models. As a first option, organisations become providers if they develop an AI system or a GPAI model. As a second option, organisations become providers if they let third parties develop an AI system or GPAI model and either place such AI system or GPAI model on the market or put the AI system into service under their own name or trademark. Difficulties to determine whether an organisation qualifies as a provider may arise in particular where this organisation not only uses an existing AI system or GPAI model, but also significantly modifies it in a way that a ‘new’ AI system or GPAI model may have been generated.
The AI Act is clear about the fact that there is no privilege for organisations that offer their AI system or GPAI model free of charge – such organisations qualify as providers to the extent they fall under one of the options mentioned above. However, the AI Act does not apply to AI systems released under free and open-source licences, unless they are placed on the EU market or put into service as high-risk AI systems, AI systems that constitute a prohibited AI practice or certain AI systems creating transparency risks (see our previous blog post on the different categories of AI systems).
Additionally, the AI Act foresees specific rules under which conditions distributors, importers, deployers or other third parties – including product manufacturers – are considered as providers of high-risk AI systems (Article 25 AI Act).
Deployer
The role of the deployer applies to organisations using AI systems (but not GPAI models) under their authority, which have their place of establishment or are located within the EU (Article 3(4) AI Act).
However, the AI Act strictly limits the notion of the deployer to a professional use of an AI system, meaning that cases where the AI system is used in the course of a personal non-professional activity are excluded. Deployers shall, among other things, monitor the operation of high-risk AI systems and take appropriate technical and organisational measures in order to ensure that they use AI systems in accordance with the instructions for use.
Importer and distributor
Organisations qualify as an importer if they are located or established in the EU and place an AI system on the EU market that bears the name or trademark of a natural or legal person established in a third country (Article 3(6) AI Act). By also requiring importers to comply with (a limited amount of) obligations under the AI Act, the EU legislator intended to ensure that AI systems developed by foreign providers also adhere to the requirements imposed by the AI Act.
Organisations become a distributor if they make an AI system available on the EU market (Article 3(7) AI Act). Hence, the notion of the distributor includes any person in the supply chain other than the provider or the importer, and thereby serves as a ‘catch-all provision’.
Notably, the roles of an importer and distributor are only relevant with regard to AI systems, but not GPAI models.
Territorial scope of the AI Act
As with many other legislations that are part of the EU Digital Strategy, the AI Act is not only applicable to businesses established or located within the EU. Instead, the AI Act has an extraterritorial scope:
- The AI Act is applicable to providers and deployers of AI systems that have their place of establishment or are located in a third country if the output produced by the AI system is used in the EU.
- Furthermore, the obligations of the AI Act apply to providers of AI systems and GPAI models that have an effect on the EU – either by placing them on the EU market or putting the AI system into service in the EU.
In this context, the AI Act introduces the ‘authorised representative’ as another role under the AI Act. An authorised representative is defined as a natural or legal person located or established in the EU who has received and accepted a written mandate from a provider of an AI system or a GPAI model to, respectively, perform and carry out on its behalf the obligations and procedures established by the AI Act (Article 3(5) AI Act). In particular, an authorised representative is required to cooperate with the competent authorities governing compliance with the AI Act and therefore needs to be supported by the provider with the necessary documentation and information relating to the respective AI system. Thereby, the role and responsibility of the authorised representative is generally comparable to the role of a ‘representative’ under the GDPR.
Excluded areas
As outlined above, the AI Act has a broad personal and territorial scope. However, there are a few areas that are explicitly carved out and stakeholders in these areas are not required to comply with the rules of the AI Act:
- The AI Act does not apply to AI systems where and in so far they are placed on the market, put into service, or used with or without modification exclusively for military, defence or national security purposes, regardless of the type of entity carrying out those activities.
- Neither does the AI Act affect AI systems or AI models, including their output, specifically developed and put into service for the sole purpose of scientific research and development, as well as any research, testing or development activity regarding AI systems or models prior to their being placed on the market or put into service - testing in real-world however is covered by the AI Act.
- Finally, the AI Act does not apply to public authorities in a third country nor to international organisations meeting the requirements of one of the aforementioned AI Act roles, where those authorities or organisations use AI systems in the framework of international cooperation or agreements for law enforcement and judicial cooperation with the EU or with one or more Member States, provided that such a third country or international organisation provides adequate safeguards with respect to the protection of fundamental rights and freedoms of individuals.
What should companies do?
In order to determine whether the AI Act applies to their respective business, organisations should
- Map the AI systems and GPAI models that they develop, let develop and/or use, also under consideration of the excluded areas of the AI Act;
- Determine which role and responsibility the organisation has and whether there is benefit to structure certain relationships differently to mitigate a potential regulatory risk under the AI Act; and
- In case they are not based in the EU, assess whether and to which extent their AI systems and GPAI models have a particular EU nexus that might trigger the AI Act.
What’s next?
In our next blog, we will take closer look at the timeline of the AI Act and provide an overview at which point in time the specific obligations under the AI Act start to apply.