It’s a bit of a landmark moment, isn't it? Back on August 2nd, 2024, the EU AI Act officially came into force. This isn't just any piece of legislation; it's the world's first comprehensive attempt to regulate artificial intelligence. The goal is pretty clear: foster trustworthy AI development while simultaneously encouraging innovation. And for those of us working in or with the public sector, this new law brings a whole new set of considerations.
Think about it: public services are increasingly leaning on AI to become more efficient, more effective, and to offer more tailored experiences to citizens. But how will this Act shape that? Will it put the brakes on certain AI uses, or will it guide us towards better, fairer outcomes? The big question for many is how to ensure compliance with these new rules, especially with key obligations kicking in for high-risk AI systems starting August 2nd, 2026.
One of the most distinctive features of the AI Act is its risk-based framework. It’s not a one-size-fits-all approach. Instead, it categorizes AI systems based on the potential risk they pose to our fundamental rights and freedoms. At one end, you have systems that are outright prohibited – those deemed an 'unacceptable risk'. On the other, there are 'limited risk' systems, like chatbots, and 'minimal risk' systems, such as spam filters and video games, which face much lighter requirements. A special category has also been carved out for general-purpose AI (GPAI) models, including generative AI, acknowledging their rapid rise.
Most of the stringent rules, however, are aimed squarely at 'high-risk' AI systems. These are systems that the EU considers risky either because they are safety components of products already regulated under EU harmonization laws (think medical devices or toys) or because they are on a list of systems likely to impact citizens' fundamental rights. And this is where many public sector AI applications will land. For these systems, organizations will face a raft of new obligations starting in 2026.
It’s also crucial to understand that the requirements aren't just about the risk level; they’re also tied to your role in the AI value chain. If you're a 'provider' – meaning you develop AI systems or put them on the market under your own name – your obligations will differ. For limited risk systems and GPAI, this often means keeping good documentation and ensuring transparency. But for high-risk systems, providers face much more significant duties, including implementing robust risk and quality management systems, preparing detailed technical documentation, and undergoing conformity assessments.
Now, what about public authorities themselves? If they develop their own AI or purchase bespoke systems, they're considered 'providers'. But when they actually use AI systems, they're classified as 'deployers'. And this role comes with its own set of additional requirements, particularly for high-risk systems. Deployers will need to put in place technical and organizational security measures, ensure mandatory human oversight with the right competence and authority, and crucially, conduct a Fundamental Rights Impact Assessment (FRIA) to identify and mitigate risks to individuals. They'll also need to register their use of high-risk AI systems in an EU database.
This dichotomy in the Act – strict rules for high-risk and unacceptable risk, but lighter touch for others – is a key takeaway. For public sector AI performing simple administrative tasks, the transparency requirements might be sufficient. But for the broader spectrum of AI applications in public services, understanding these layered obligations is paramount. The clock is ticking, and by October 2025, public sector bodies will need to be well on their way to understanding and implementing these new AI governance structures.
