It’s a bit like stepping into a new era, isn't it? On August 2nd, 2024, the world saw the EU AI Act officially come into force – a landmark piece of legislation, the very first of its kind globally, designed to shape how artificial intelligence is developed and used.
At its heart, the Act is a balancing act. It’s about safeguarding our fundamental rights while simultaneously fostering the very innovation that AI promises. And for those of us working in the public sector, where AI is increasingly becoming a go-to tool for improving services, this new law brings a wave of significant changes. It’s natural to wonder: how will this Act affect our ability to deliver those efficient, effective, and tailored services citizens expect? And crucially, how will it help us build the trustworthy AI that’s so vital, especially when we consider the potential for unfair or discriminatory outcomes if AI isn't handled with care?
The AI Act’s approach is quite distinctive, and understanding it is key. It’s built on a risk-based framework. Think of it as a tiered system, categorizing AI based on the potential risks it poses to our fundamental rights and freedoms. At one end, you have systems deemed an ‘unacceptable risk’ – these are outright prohibited. On the other, you have ‘limited risk’ systems, like your everyday chatbots, and ‘minimal risk’ systems, such as spam filters or even some video games. A special spotlight is also being shone on ‘general purpose AI’ (GPAI) models, including generative AI, which have exploded in popularity recently. They now have their own distinct category.
However, the bulk of the new obligations are really aimed at ‘high-risk’ AI systems. These are systems the EU considers risky either because they are integral to products that already fall under EU safety legislation (like medical devices or toys) or because they are on a list maintained by the Commission that flags systems likely to impact citizens’ fundamental rights. Many AI applications within the public sector will fall into this high-risk category. For these, organizations will face a host of new obligations starting from August 2nd, 2026.
It’s also important to realize that the requirements aren't just about the risk level; they also depend on your role in the AI’s journey – its value chain. Most of the stringent rules are directed at ‘providers,’ those who develop AI systems or put them on the market under their own name. For limited risk systems and GPAI, their obligations often revolve around documentation and transparency. But for high-risk systems, providers face much more: implementing robust risk and quality management systems, creating detailed technical documentation to prove compliance, and undergoing conformity assessments.
Now, what about public authorities themselves? If we develop our own AI systems or commission bespoke ones, we’re considered ‘providers.’ But when we actually use AI systems, whether we built them or not, we’re classified as ‘deployers.’ And this role comes with its own set of additional requirements. For high-risk systems, deployers must implement technical and organizational security measures, ensure mandatory human oversight with the right skills and authority, and crucially, conduct a Fundamental Rights Impact Assessment (FRIA) to identify and mitigate risks. We’ll also need to register the use of these high-risk AI systems in an EU database.
This dichotomy in the Act – strict rules for high-risk, prohibitions for unacceptable risk, and lighter touch requirements for others – means that while some public sector AI applications, like those handling simple administrative tasks, might only need to focus on transparency, the broader landscape of AI use in government will require careful navigation. The clock is ticking towards October 2025, and understanding these nuances is no longer optional; it's essential for responsible AI deployment.
