European Commission approves next version of AI Act


People Capabilities In this section you can find Services Banking and Finance Banking and Finance overview Asset & Lease Finance Capital Markets Corporate Debt Leveraged Finance Project, Energy and Infrastructure Finance Real Estate Finance Restructuring and Insolvency Securitization and Structured Finance Trade and Export Finance Competition, Trade and Foreign Investment Competition, Trade and Foreign Investment overview Antitrust and Competition Investigations Antitrust and Competition Litigation Dawn Raids Foreign Investment and National Security Law International Sanctions and Export Controls International Trade Law Merger Control Procurement and State Aid Construction and Engineering Construction and Engineering overview Construction Disputes Contracts and Procurement EPC Project Advisory Corporate and M&A Corporate and M&A overview Capital Markets Corporate Governance International Corporate Reorganizations Joint Ventures Mergers and Acquisitions Private Equity Venture Capital Corporate Crime Corporate Crime overview Anti-Bribery and Corruption Anti-Money Laundering International Sanctions and Export Controls Regulatory Investigations and Enforcement Data Privacy, Security and Technology Data Privacy, Security and Technology overview Cybersecurity Data Privacy Disruptive Technology Electronic and Mobile Commerce Information Law Product Counseling Regulatory Defense and Litigation Technology Transactions and Sourcing Telecom Services Employment, Labor and Pensions Employment, Labor and Pensions overview Corporate Transactions Cross-Border Employment and Pensions Diversity, Pay and Discrimination Employee Benefits and Executive Compensation Employment Global Mobility and Immigration Labor and Industrial Relations Pensions and Retirement Plans Pensions Risk Transfer and Management Financial Services Regulation Financial Services Regulation overview Asset Management Crypto Assets Derivatives Financial Services Disputes and Investigations Funds Insurance Insurance overview Captives Insurance and Reinsurance Disputes Insurance and Retirement Products, Insurance Distribution Insurance Financing and Capital Markets Insurance M&A, Reinsurance and Restructuring Insurance Regulation and Compliance Insurance Regulatory Investigations and Enforcement Insurance Taxation Insurtech Pensions Risk Transfer and Management Intellectual Property Intellectual Property overview IP Audits and Assessments IP Litigation IP Transactional Patents Trademarks, Trade Dress and Copyrights Trade Secrets Litigation and Dispute Resolution Litigation and Dispute Resolution overview Class Actions Commercial Litigation Construction Disputes Energy Disputes Environmental, Health and Safety Financial Services Disputes and Investigations Fraud Insurance and Reinsurance Disputes International Arbitration Procurement Disputes Real Estate Disputes Regulatory Investigations and Enforcement Tax Controversy and Litigation Public and Administrative Law Real Estate and Planning Real Estate and Planning overview Commercial Development and Leasing Corporate Real Estate Planning and Environmental Real Estate Disputes Real Estate Finance Living Tax Tax overview Acquisitions and Restructuring Business Taxation Employee Benefits and Executive Compensation Real Estate Tax Taxation of Financial Transactions and Institutions Tax Controversy and Litigation VAT/Indirect Taxes Private Client Industries Consumer Consumer overview Food and Beverage Luxury Retail and Wholesale Energy Energy overview Clean Energy Energy Regulatory Hydrogen Nuclear Oil and Gas Power Financial Services Financial Services overview Corporate and Investment Banking Payments and Fintech Private Capital Retail Banking and Consumer Finance Governments and Infrastructure Governments and Infrastructure overview Governments and Strategic Projects Infrastructure Transportation Industrials Industrials overview Aerospace, Defense and Security Automotive Chemicals Manufacturing and Industrial Engineering Life Sciences and Healthcare Life Sciences and Healthcare overview Agriculture and Medicinal Cannabis and CBD Healthcare Industrial Biotechnology Medical Devices Pharmaceuticals and Biotechnology Research and Development Vaccines Real Estate Real Estate overview Alternative Assets Multi and Single Family Residential Office and Industrial Real Estate Investment Retail and Mixed Use Transport Related Real Estate Technology & Digital Technology & Digital overview Digital Content Digital Infrastructure Technology Resources Insights Client tools Events and training Business topics About About us Firm leadership Purpose and values Responsible business Community Diversity and inclusion Environmental sustainability Pro bono Alumni News Careers Global careers Applications Why us? Lawyers and partners Business professionals Students and recent graduates Offices Portugal Visit global site Select a local version of the site Angola Asia Austria Belgium Bulgaria Czech Republic Estonia Finland France Germany Hungary Iraq Ireland Italy Jordan Latvia Lithuania Luxembourg Mauritius Mozambique Netherlands Poland Portugal Qatar Romania Saudi Arabia Slovakia South Africa Spain Sweden Switzerland Tunisia United Arab Emirates United Kingdom United States Rest of the world en Select language English European Commission approves next version of AI Act Home Resources Insights Home Resources Insights European Commission approves next version of AI Act European Commission approves next version of AI Act January 16, 2023 Global Global Global With organisations increasingly relying on AI technology, UK and EU regulators are turning their attention to effective regulation of AI in an effort to recognise its benefits while instilling confidence in individuals that the increasing use of AI is being deployed appropriately and lawfully. The UK regulator, the ICO, has published new guidance on the use of AI in an effort to help regulators better understand it for the sectors it regulates. In the EU, the European Commission’s AI Act (“Act”) proposal has undergone further changes following review by EU member states. The Council of the EU approved a compromise version of the Act on 6^th December 2022. The European Parliament are expected to vote on the draft by the end of March 2023, with a view to adopting the Act by the end of 2023. The Act is expected to lead the framework for the regulation of AI in and outside the EU. Much like the GDPR in terms of impact, the Act will have an extra-territorial scope, extending to providers and users outside the EU where the output is used in the EU. This is anticipated as being a benchmark AI law which other jurisdictions might look towards when developing their own laws (much like GDPR has become a standard upon which some other countries’ own laws are heavily based). Member States are given authority to rule on penalties, including administrative fines, applicable to infringements of the Act. The Act requires penalties to be effective, proportionate, and dissuasive, while taking into particular account the size and interests of SME providers, including start-ups, and their economic viability. The Act does lay down fixed penalties for certain infringements of the Act, the highest fine being 30,000,000 EUR or 6% of a company’s total worldwide annual turnover (3% in the case of an SME or start-up) for non-compliance with the prohibitions of AI practices laid down in Article 5. The proportionate caps for SMEs indicates there might well be a willingness by the Commission to support innovation, while the huge potential fines for certain infringements shows how dissuasive enforcement action is intended to be. The compromise text outlines a number of changes since the first draft, including: Narrower scope of AI systems: In order to ensure that the definition of an AI system provides sufficiently clear criteria for distinguishing AI from more classical software systems, the compromise text narrows down the definition of AI systems to systems developed through machine learning and/or logic based approaches to generate predictions, recommendations or decisions. The Act states this definition is intended to be flexible enough to accommodate future developments in technology. The text makes clear that an AI system can be designed to operate with varying levels of autonomy, with some human input, though an AI system that uses rules defined solely by natural persons to automatically execute operations should not be considered an AI system. Extension of prohibited AI practices: The compromise text extends the prohibition of using AI for social scoring also to private actors (therefore cannot be outsourced to third party contractors). The prohibition on the exploitation of the vulnerabilities of a specific group of persons has also been extended to cover persons who are vulnerable due to their social or economic situation. It is worth noting that non-compliance with these prohibitions is subject to the highest possible fines under the Act. Classification of high risk systems: AI systems that are not likely to cause “serious fundamental rights violations” or other significant risks are not captured by the classification of a high risk system. The significance of the output of the AI system in respect of the relevant action or decision is to be taken into account when classifying AI systems as high risk. This would be based on whether or not it is purely accessory in respect of the relevant action or decision to be taken. Clarification of responsibilities of a “provider” of AI systems: The compromise text includes changes clarifying the allocation of responsibilities and roles. Articles 13 and 14 set out certain information that providers must issue to enable users to understand and use the system appropriately, including the contact details of the provider of the system, its intended purpose and the human oversight measures in place to facilitate the interpretation of the outputs of the system. A new Article 23(a) specifies when a natural or legal person is a “provider” of an AI system, and indicates more clearly the situations in which other actors in the value chain are obliged to take on the responsibilities of a “provider”. Support for innovation: The provisions concerning measures in support of innovation have been substantially modified in the compromise text in an effort to achieve the Act’s objective in creating a legal framework that is innovation-friendly and to promote evidence-based regulatory learning. The Act clarifies that AI regulatory sandboxes, which establish a controlled environment for the development, testing and validation of innovative AI systems under the direct supervision and guidance by the national competent authorities, should also allow for testing of innovative AI systems in real world conditions. This is supposed to support organisations without the regulatory risk during the innovation stages. Support for smaller companies: In order to alleviate the administrative burden for smaller companies, in Article 55 the compromise text includes a list of actions to be undertaken by the Commission to support such operators, including providing SMEs with priority access to regulatory sandboxes and establishing dedicated channels of communication with SMEs. Supervision and guidance: The Act establishes a European Artificial Intelligence Board (the “EAI Board”) which is composed of one representative per Member State. The compromise text provides greater autonomy to the EAI Board, with the objective that they advise and assist the Commission and the Member States in order to facilitate the consistent and effective application of the Act, including cooperating with market surveillance authorities and the Commission with regard to changes required to the Act and the development of relevant guidance. In what will be welcome news to AI providers, new Article 58a lays down an obligation for the Commission to produce guidance on the application of the Act. Next Steps It is anticipated, if desired timelines are met, that the AI Act will be adopted by the end of 2023. Industry commentators predict there may be a two year grace period following adoption (in the same way as for GDPR). Organisations deploying AI systems may wish to consider the AI Act (in its current form) now, in particular the responsibilities of providers with respect to those systems, in order to develop its processes accordingly. In a similar vein to “privacy by design” as is required by GDPR, the AI Act (if passed into law) means AI system providers will need to bear these obligations in mind when developing AI systems. This new proposed law is a timely reminder that organisations who are subject to EU (and UK) privacy laws do already have to ensure they carry out impact assessments for high risk processing, that they consider data subject rights, that they are accountable (amongst other). All of the privacy law principles do already apply to how personal data is used and processed through the lens of AI. The AI Act will if it becomes law add to the protection for data subjects and ensure tighter regulation (not limited to data privacy angles) whilst seeking to strike a balance to encourage innovation and enjoyment of the benefits of AI. The materials on the Eversheds Sutherland website are for general information purposes only and do not constitute legal advice. While reasonable care is taken to ensure accuracy, the materials may not reflect the most current legal developments. Eversheds Sutherland disclaims liability for actions taken based on the materials. Always consult a qualified lawyer for specific legal matters. To view the full disclaimer, see our Terms and Conditions or Disclaimer section in the footer. Services Data Privacy, Security and Technology Industries Technology Business Topics Artificial Intelligence Key contacts Lorna Doggett Partner United Kingdom Carolyn Sullivan Senior Associate United Kingdom Legal notices Terms & conditions Privacy notice Cookies LinkedIn Facebook YouTube Connect Contact us Client login Staff login Subscribe About us About Eversheds Sutherland Purpose and values Responsible business Alumni Insights Client tools Events and training Business topics Careers Offices © Eversheds Sutherland 2026. All rights reserved. Eversheds Sutherland is a provider of legal and other services operating through various separate and distinct legal entities. For further information about these entities and Eversheds Sutherlands' structure please see the Legal Notice page of this website. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed or affiliated firms and the members of Eversheds Sutherland (Europe) Limited and Eversheds Sutherland (Africa) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global entity. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client. For further information about these Eversheds Sutherland Entities and Eversheds Sutherlands’ structure please see the Legal Notices page of this website. For information on Konexo please also see the Legal Notices page of this website.

With organisations increasingly relying on AI technology, UK and EU regulators are turning their attention to effective regulation of AI in an effort to recognise its benefits while instilling confidence in individuals that the increasing use of AI is being deployed appropriately and lawfully.

The UK regulator, the ICO, has published new guidance on the use of AI in an effort to help regulators better understand it for the sectors it regulates.

In the EU, the European Commission’s AI Act (“Act”) proposal has undergone further changes following review by EU member states. The Council of the EU approved a compromise version of the Act on 6^th December 2022. The European Parliament are expected to vote on the draft by the end of March 2023, with a view to adopting the Act by the end of 2023.

The Act is expected to lead the framework for the regulation of AI in and outside the EU. Much like the GDPR in terms of impact, the Act will have an extra-territorial scope, extending to providers and users outside the EU where the output is used in the EU. This is anticipated as being a benchmark AI law which other jurisdictions might look towards when developing their own laws (much like GDPR has become a standard upon which some other countries’ own laws are heavily based).

Member States are given authority to rule on penalties, including administrative fines, applicable to infringements of the Act. The Act requires penalties to be effective, proportionate, and dissuasive, while taking into particular account the size and interests of SME providers, including start-ups, and their economic viability. The Act does lay down fixed penalties for certain infringements of the Act, the highest fine being 30,000,000 EUR or 6% of a company’s total worldwide annual turnover (3% in the case of an SME or start-up) for non-compliance with the prohibitions of AI practices laid down in Article 5. The proportionate caps for SMEs indicates there might well be a willingness by the Commission to support innovation, while the huge potential fines for certain infringements shows how dissuasive enforcement action is intended to be.

The compromise text outlines a number of changes since the first draft, including:

Narrower scope of AI systems: In order to ensure that the definition of an AI system provides sufficiently clear criteria for distinguishing AI from more classical software systems, the compromise text narrows down the definition of AI systems to systems developed through machine learning and/or logic based approaches to generate predictions, recommendations or decisions. The Act states this definition is intended to be flexible enough to accommodate future developments in technology. The text makes clear that an AI system can be designed to operate with varying levels of autonomy, with some human input, though an AI system that uses rules defined solely by natural persons to automatically execute operations should not be considered an AI system.

Extension of prohibited AI practices: The compromise text extends the prohibition of using AI for social scoring also to private actors (therefore cannot be outsourced to third party contractors). The prohibition on the exploitation of the vulnerabilities of a specific group of persons has also been extended to cover persons who are vulnerable due to their social or economic situation. It is worth noting that non-compliance with these prohibitions is subject to the highest possible fines under the Act.

Classification of high risk systems: AI systems that are not likely to cause “serious fundamental rights violations” or other significant risks are not captured by the classification of a high risk system. The significance of the output of the AI system in respect of the relevant action or decision is to be taken into account when classifying AI systems as high risk. This would be based on whether or not it is purely accessory in respect of the relevant action or decision to be taken.

Clarification of responsibilities of a “provider” of AI systems: The compromise text includes changes clarifying the allocation of responsibilities and roles. Articles 13 and 14 set out certain information that providers must issue to enable users to understand and use the system appropriately, including the contact details of the provider of the system, its intended purpose and the human oversight measures in place to facilitate the interpretation of the outputs of the system. A new Article 23(a) specifies when a natural or legal person is a “provider” of an AI system, and indicates more clearly the situations in which other actors in the value chain are obliged to take on the responsibilities of a “provider”.

Support for innovation: The provisions concerning measures in support of innovation have been substantially modified in the compromise text in an effort to achieve the Act’s objective in creating a legal framework that is innovation-friendly and to promote evidence-based regulatory learning. The Act clarifies that AI regulatory sandboxes, which establish a controlled environment for the development, testing and validation of innovative AI systems under the direct supervision and guidance by the national competent authorities, should also allow for testing of innovative AI systems in real world conditions. This is supposed to support organisations without the regulatory risk during the innovation stages.

Support for smaller companies: In order to alleviate the administrative burden for smaller companies, in Article 55 the compromise text includes a list of actions to be undertaken by the Commission to support such operators, including providing SMEs with priority access to regulatory sandboxes and establishing dedicated channels of communication with SMEs.

Supervision and guidance: The Act establishes a European Artificial Intelligence Board (the “EAI Board”) which is composed of one representative per Member State. The compromise text provides greater autonomy to the EAI Board, with the objective that they advise and assist the Commission and the Member States in order to facilitate the consistent and effective application of the Act, including cooperating with market surveillance authorities and the Commission with regard to changes required to the Act and the development of relevant guidance. In what will be welcome news to AI providers, new Article 58a lays down an obligation for the Commission to produce guidance on the application of the Act.

Next Steps

It is anticipated, if desired timelines are met, that the AI Act will be adopted by the end of 2023. Industry commentators predict there may be a two year grace period following adoption (in the same way as for GDPR).

Organisations deploying AI systems may wish to consider the AI Act (in its current form) now, in particular the responsibilities of providers with respect to those systems, in order to develop its processes accordingly. In a similar vein to “privacy by design” as is required by GDPR, the AI Act (if passed into law) means AI system providers will need to bear these obligations in mind when developing AI systems.

This new proposed law is a timely reminder that organisations who are subject to EU (and UK) privacy laws do already have to ensure they carry out impact assessments for high risk processing, that they consider data subject rights, that they are accountable (amongst other). All of the privacy law principles do already apply to how personal data is used and processed through the lens of AI. The AI Act will if it becomes law add to the protection for data subjects and ensure tighter regulation (not limited to data privacy angles) whilst seeking to strike a balance to encourage innovation and enjoyment of the benefits of AI.

The materials on the Eversheds Sutherland website are for general information purposes only and do not constitute legal advice. While reasonable care is taken to ensure accuracy, the materials may not reflect the most current legal developments. Eversheds Sutherland disclaims liability for actions taken based on the materials. Always consult a qualified lawyer for specific legal matters. To view the full disclaimer, see our Terms and Conditions or Disclaimer section in the footer.

Lorna Doggett

Partner

United Kingdom

Carolyn Sullivan

Senior Associate

United Kingdom

European Commission approves next version of AI Act

Next Steps

Services

Industries

Business Topics

Key contacts