The EU AI Act: Oversight and Enforcement
5 minute read | September.13.2024
This update is part of our EU AI Act Series. Learn more about the EU AI Act here.
The EU AI Act has been formally adopted and the countdown to the start of enforcement has begun.
Here’s what you need to know about oversight and enforcement under the AI Act:
Penalties for Non-Compliance
Violations of the prohibited AI restrictions will be subject to administrative fines of up to EUR 35,000,000 or 7% of the organization’s total worldwide annual turnover for the preceding financial year.
Violations of most of the AI Act’s other obligations will be subject to administrative fines of up to EUR 15,000,000 or 3% of the organization’s total worldwide annual turnover for the preceding financial year.
The supply of incorrect, incomplete or misleading information to the competent authorities in reply to a request will be subject to administrative fines of up to EUR 7,500,000 or 1% of the organization’s total worldwide annual turnover for the preceding financial year.
The lower of the two amounts identified for each category of violation above will be applied to small and medium-sized enterprises, while the higher of the two amounts will be applied to larger organizations.
Penalties can be applied starting August 2, 2025, except the penalties for General-Purpose AI Model (GPAIM) obligations which take effect August 2, 2026.
National Market Surveillance Authorities
National market surveillance authorities will undertake most compliance investigations and enforcement actions under the AI Act. They will exercise power in accordance with EU Regulation 2019/1020 on market surveillance and compliance of products.
However, the European Commission, in the form of the newly formed AI Office, will have certain exclusive enforcement powers.
European Commission and the New AI Office
The European Commission recently established a new AI Office within its structure, which is intended to support the development and use of trustworthy AI within the EU.
The AI Act grants the AI Office exclusive jurisdiction to enforce the Act’s provisions relating to General-Purpose AI Models, and provides the AI Office the power to request documentation needed to assess compliance. In addition, the AI Office has the power to monitor and supervise the compliance of AI systems that are based on or incorporate a GPAIM (where the same provider develops the system and model).
These new powers are an opportunity for the European Commission to exercise investigative and enforcement powers outside of the realm of competition law. However, there are some lessons that can be learned from the European Commission’s competition enforcement activity. European Commission investigations in competition cases are burdensome – even when they do not involve on-site inspections – and can involve the production of hundreds of thousands of documents, including draft versions for each. Indeed, the European Commission attaches great importance to draft documents, which it believes can reveal an entity’s “true intentions”. The European Commission also has the power to enter a company’s premises, carry out dawn raids, and seize documents. It can deal with large volumes of information and can find issues in each document.
While there may be differences in the way the European Commission approaches AI investigations, we anticipate at least some of these practices will show up as trends in the Commission’s enforcement work under the AI Act.
Limits on Regulatory Powers
The European Commission (including its AI Office), national market surveillance authorities, and other bodies involved in applying the AI Act are subject to the act’s confidentiality provisions. Providers will have procedural rights, including the right to be heard before a measure, decision, or order is adopted, except in an emergency.
In contrast to powers granted to the European Commission under the newly adopted EU Digital Markets Act 2022/1925 and EU Digital Services Act 2022/2065 (DSA), under the AI Act, the Commission is not directly empowered to conduct interviews, take statements or conduct inspections except when the Commission assumes the powers of the national market surveillance authorities.[1]
In addition, the Commission cannot collect documents exchanged with an external EEA-qualified lawyer, whether for litigation or not. These documents should not be subject to disclosure, let alone used as evidence. Organizations are able to challenge the Commission’s decisions and investigatory actions, like requests for information, a practice that is occurring more frequently.
It will be important for organizations to factor in the relevant authorities’ powers – and the limitations of these powers – in the development and implementation of AI development and compliance strategies.
Strategies for Addressing Enforcement Concerns
- Sensitize employees involved in the development and commercialization of AI systems and models, to the risks of regulatory investigations and enforcement powers under the AI Act. Each stage of the AI lifecycle will generate potentially relevant information, possibly in multiple drafts, that could be requested by authorities.
- Clearly identify correspondence with legal advisors that may be subject to legal privilege. Note the rules of privilege for proceedings involving the European Commission, are not the same as those applicable at the Member State level.
Want to know more? Reach out to a member of our team.
[1] The DSA also enables the European Commission to obtain information regarding some algorithms, specifically when implemented by online intermediaries the Commission designates as “very large online platforms” or “very large online search engines.”
Chapter IV, Section 4 and Recital 140 of the DSA empower the Commission to access explanations regarding data, documents, databases and algorithms. The DSA took effect for “very large online platforms” in August 2023 and the Commission already is investigating several entities.
