The new EU AI Act – The 6 Questions You Want to Know

Aurilex • 1 April 2024

The EU AI Act will greatly impact the AI companies coming into the European market.

The European Union has long harbored ambitions of assuming leadership in the AI industry. As a component of its digital strategy, the EU aims to enact regulations on artificial intelligence (AI) to foster optimal conditions for the advancement and utilization of this pioneering technology.


In April 2021, the European Commission proposed the first EU regulatory framework for AI. AI systems with versatile applications are assessed and categorized based on the risks they pose to users. Varying levels of risk will correspond to differing degrees of regulation.


Members of the European Parliament voted in favor of the draft EU AI Act on 13 March 2024. The EU AI Act is poised to come into effect in the upcoming weeks, pending final procedural and linguistic checks. Its implementation will carry significant weight in shaping the regulation of AI within the EU and globally.


1. Who will be affected?


The AI Act has established precise definitions for various stakeholders in the AI landscape: providers, deployers, importers, distributors, and product manufacturers. This mandates accountability for all entities engaged in the development, deployment, importation, distribution, or manufacturing of AI models. Furthermore, the AI Act extends its jurisdiction to encompass providers and users of AI systems situated outside the EU, such as those in China, if the system's output is intended for use within the EU.


2. What are the requirements of the Act?


The EU AI Act has a risk-based approach. It mandates that general-purpose AI models, including generative AI systems like large language models (LLMs) and foundation models, comply with a classification system organized into different tiers of systematic risk:


(Source: European Commission: Shaping Europe’s digital future)


Low-risk systems like spam filters or video games are subject to minimal requirements under the law, primarily entailing transparency obligations. This kind of system should inform users that the content is AI-generated.


High-risk AI systems, such as autonomous vehicles, medical devices, and critical infrastructure (such as water, gas, and electric systems), require developers and users to comply with supplementary regulatory obligations, including risk management measures to ensure accuracy and robustness, and an accountability framework incorporating human oversight.


AI systems that have adverse impacts on safety or fundamental rights will be classified as high-risk and will be categorized into two distinct groups:


1) AI systems that are used in products falling under the EU’s product safety legislation. This includes toys, aviation, cars, medical devices and lifts.


2) AI systems falling into specific areas that will have to be registered in an EU database:

  • Management and operation of critical infrastructure
  • Education and vocational training
  • Employment, worker management and access to self-employment
  • Access to and enjoyment of essential private services and public services and benefits
  • Law enforcement
  • Migration, asylum and border control management
  • Assistance in legal interpretation and application of the law.


Before being introduced to the market and throughout their lifecycle, all high-risk AI systems will undergo assessment. Individuals will retain the right to lodge complaints about AI systems with designated national authorities.


Prohibited AI systems, with few exceptions, include those presenting unacceptable risks, such as social scoring, facial recognition, emotion recognition, and remote biometric identification systems in public spaces.


Certain exceptions may be permitted for law enforcement purposes. “Real-time” remote biometric identification systems will be permissible in a restricted number of severe cases. Conversely, post remote biometric identification systems, where identification is conducted after a substantial delay, will only be authorized for the prosecution of serious crimes and solely following court approval.


3. What about ChatGPT?


Generative AI models such as ChatGPT will not be categorized as high-risk but will be obligated to adhere to transparency requirements and EU copyright law. This entails:

  • Disclosing that the content was generated by AI.
  • Implementing measures to prevent the generation of illegal content.
  • Providing summaries of copyrighted data utilized for training purposes.


4. Deep fakes


Deep fakes are now defined under the EU AI Act as “AI-generated or manipulated image, audio, or video content that resembles existing persons, objects, places, or other entities or events and would falsely appear to a person to be authentic or truthful”.


The finalized text of the EU AI Act outlines transparency requirements for providers and deployers of specific AI systems and general-purpose AI models (GPAI) that are more stringent than earlier drafts. These obligations include transparency mandates for deployers of deep fakes, with exceptions granted in cases where the use is authorized by law for detecting, preventing, investigating, and prosecuting criminal offenses.


In instances where the content constitutes an obviously artistic work, transparency obligations are limited to disclosing the presence of generated or manipulated content in a manner that does not impede the presentation or enjoyment of the artwork.


5. What are the penalties for non-compliance?


Similar to the methodology employed under the European General Data Protection Regulation, fines for breaches of the Act will be calculated either as a percentage of the offending party’s global annual turnover in the preceding financial year or as a fixed sum, whichever is greater:

  • €35 million or 7% for infringements involving prohibited AI applications;
  • €15 million or 3% for violations of the Act's obligations; and
  • €7.5 million or 1.5% for the dissemination of inaccurate information.


Nevertheless, there will be proportional limits on administrative fines imposed on small and medium enterprises as well as start-ups.


6. Next steps


The agreed-upon text is anticipated to be formally adopted in April 2024. It will become fully applicable 24 months following its entry into force, thus in 2026, but certain provisions will come into effect sooner:

  • The prohibition of AI systems presenting unacceptable risks will take effect six months after entry into force.
  • Codes of practice will be enforceable nine months after entry into force.
  • Regulations pertaining to general-purpose AI systems, which must adhere to transparency requirements, will be applicable 12 months after entry into force.
  • High-risk systems will be afforded additional time to comply with the requirements, as obligations concerning them will become applicable 36 months after entry into force.