Europe AI & Data Rules Hub
< All Topics
Print

A Practical Reading List for EU AI Regulation

Updated
ByIuliia Gorshkova

For professionals tasked with the governance and deployment of artificial intelligence within the European Union, the regulatory landscape is shifting from theoretical frameworks to operational reality. The adoption of the Artificial Intelligence Act (AI Act) marks a watershed moment, establishing the world’s first comprehensive legal structure for AI. However, the Act itself is merely the anchor of a much larger ecosystem of legal texts, harmonised standards, national implementations, and ethical guidelines. Navigating this ecosystem requires a disciplined approach to information consumption. This article provides a structured reading list, prioritized by function and expertise, to guide legal counsel, compliance officers, data scientists, and systems architects through the authoritative sources necessary for robust AI governance.

The Regulatory Hierarchy: Understanding the Sources of Obligation

Before diving into specific documents, it is essential to understand the hierarchy of sources that constitute the EU AI regulatory framework. This hierarchy dictates which texts hold supreme legal force and which provide interpretative guidance or technical specificity. For a compliance lead, knowing the difference between a Regulation, a Harmonised Standard, and a CEN-CENELEC Technical Specification is the difference between a legal defense and a voluntary best practice.

At the apex sits the AI Act (Regulation (EU) 2024/1689). As a Regulation, it is directly applicable in all Member States without the need for national transposition, ensuring a unified market approach. However, its application relies heavily on the concept of “presumption of conformity.” This means that if an AI system meets the requirements of the Act and the relevant harmonised standards, it is presumed to comply with the law. Therefore, the harmonised standards, once adopted by the European Commission, carry immense practical weight, effectively translating legal obligations into technical specifications.

Beneath the AI Act lies a web of sector-specific regulations and the General Data Protection Regulation (GDPR). The AI Act is lex specialis to the GDPR regarding the processing of personal data for AI training, but the GDPR remains the primary gatekeeper for data privacy. Furthermore, the Product Liability Directive (PLD) and the new AI Liability Directive (AILD) interact with the AI Act to define civil liability for damages caused by AI systems. Finally, national implementations will define the governance structures: which national authorities act as market surveillance bodies, how notified bodies are accredited, and how fines are calculated in practice.

Core Legal Texts: The Foundation of Compliance

For any organization operating in this space, the primary legal texts are non-negotiable reading. These documents define the scope, the prohibited practices, the obligations for high-risk systems, and the governance frameworks.

The Artificial Intelligence Act (Regulation (EU) 2024/1689)

The AI Act is the central document. It is a long, complex legal text that requires careful study. It is not sufficient to read a summary; compliance leads must understand the specific definitions that trigger obligations.

Key Definition: An AI system is defined as a machine-based system designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.

Reading the Act requires focusing on the following Annexes and Titles:

  • Title I & II (Prohibited AI): Understanding the strict bans on practices like social scoring and real-time biometric identification in public spaces (with limited exceptions for law enforcement).
  • Title III (High-Risk AI): This is the operational core. It lists the AI systems that are considered high-risk (Annex I) and the specific obligations for providers, deployers, importers, and distributors. Particular attention must be paid to the requirements regarding risk management systems, data governance, technical documentation, record-keeping, transparency, human oversight, and accuracy/robustness.
  • Title VI (Standards & Conformity): This section outlines the mechanism of “harmonised standards” and the role of Notified Bodies.
  • Title VII (Governance): This establishes the European AI Office and the AI Board, and outlines the role of national market surveillance authorities.

The GDPR (Regulation (EU) 2016/679)

While the AI Act regulates the “safety” of AI systems, the GDPR regulates the “data” fueling them. The two are inextricably linked. For AI developers, the reading of GDPR must extend beyond basic privacy principles to focus on the specific challenges of automated decision-making.

Article 22 GDPR is particularly relevant. It grants data subjects the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Reading this article in conjunction with the AI Act’s transparency and human oversight requirements is vital. Furthermore, the Guidelines on Automated Decision-Making by the European Data Protection Board (EDPB) provide the necessary interpretative layer on how to implement “meaningful information about the logic involved” in complex machine learning models.

The Product Liability Directive (Directive 85/374/EEC) and the AI Liability Directive (Proposed)

The existing Product Liability Directive (PLD) has been modernized to cover AI and digital assets. It is essential reading for understanding how “defects” in AI systems are judged. The reading of the PLD should focus on the shift from strict fault-based liability to a presumption of defectiveness if certain conditions are met (e.g., if the provider failed to implement mandatory conformity assessment or failed to comply with data requirements).

The proposed AI Liability Directive (AILD) complements this by easing the burden of proof for victims in cases of damage caused by AI systems. For compliance leads, reading these texts is a risk management exercise: it outlines exactly where the legal exposure lies if the AI Act’s requirements are not met.

Official Guidance and Interpretative Documents

Legal texts are static; guidance documents are dynamic. These are the primary tools for the “educator” and “researcher” roles. They bridge the gap between the letter of the law and its practical application.

The European Commission’s “Guidelines on the Implementation of the AI Act”

Though the Act is now law, the Commission issues guidelines to ensure a harmonized interpretation. These documents are critical for clarifying the scope of the Act. For example, the guidelines on the AI System Definition help developers determine if their software constitutes an AI system under the Act (e.g., distinguishing between simple software and AI systems with “learning” capabilities).

EDPB Opinions and Guidelines

The European Data Protection Board (EDPB) plays a crucial role in interpreting how data protection law applies to AI. Professionals should prioritize reading:

  • Guidelines on Data Protection by Design and by Default: Essential for AI developers integrating privacy into the model training lifecycle.
  • Opinions on the interplay between the AI Act and GDPR: These clarify the responsibilities of data controllers vs. AI providers.

EU AI Ethics Guidelines

While the AI Act is legally binding, the Ethics Guidelines for Trustworthy AI developed by the High-Level Expert Group on AI remain relevant. They are not law, but they represent the political and ethical direction of the EU. Reading these is crucial for “future-proofing” compliance strategies and for organizations that wish to go beyond the minimum legal requirements to build genuine trust.

Harmonised Standards and Technical Specifications

For the “AI systems practitioner,” this category is arguably the most important. The AI Act relies on the “New Legislative Framework,” which means that compliance is demonstrated through conformity to harmonised standards. These standards are developed by European Standardization Organizations (ESOs) like CEN, CENELEC, and ETSI.

Currently, the standardization request from the Commission to the ESOs is in progress. However, professionals should monitor the following specific standardization initiatives:

CEN-CENELEC JTC 21 (Artificial Intelligence)

This joint technical committee is responsible for AI standardization in Europe. Professionals should track the development of:

  • EN ISO/IEC 42001: Information technology — Artificial intelligence — Management system. This provides a framework for an AI Management System (AIMS), similar to ISO 27001 for information security.
  • EN ISO/IEC 23894: Artificial intelligence — Risk management. This aligns the AI Act’s risk management requirements with established ISO methodologies.
  • EN ISO/IEC 23053: Framework for Artificial Intelligence (AI) Systems Using Machine Learning (ML).

Reading these standards (once finalized and harmonized) is mandatory for understanding the “state of the art” technical requirements for robustness, accuracy, and cybersecurity.

ETSI (European Telecommunications Standards Institute)

ETSI focuses heavily on technical specifications, particularly regarding data governance and cybersecurity. The ETSI AI committee produces standards on the data quality framework and the security of AI systems. For practitioners building AI infrastructure, ETSI standards offer granular technical guidance that precedes the final harmonised standards.

Country-Specific Nuances: National Implementation

While the AI Act is a Regulation, its enforcement is delegated to Member States. This creates a “federated” compliance environment. Professionals operating across borders must read the national laws that designate competent authorities and establish penalties.

For example, in Germany, the Act on the Implementation of the EU AI Act will designate the Federal Ministry for Economic Affairs and Climate Action (BMWK) and the Federal Office for Information Security (BSI) as key authorities. Reading the BSI’s publications on AI security is highly recommended for German operators.

In France, the Commission Nationale de l’Informatique et des Libertés (CNIL) has been very active in publishing guides on “AI and Data Protection.” Their specific guidance on “privacy-preserving AI” (e.g., federated learning, differential privacy) is a gold standard for GDPR compliance in AI training.

In Ireland, the focus is often on the intersection of GDPR and AI, given the presence of major tech HQs. The Irish Data Protection Commission’s (DPC) guidance on automated decision-making is essential reading for organizations training large language models (LLMs).

Reading Strategy: Identify the national market surveillance authority in your primary jurisdiction and subscribe to their newsletter or regulatory updates. This is where the practical “how-to” of enforcement will emerge.

Strategic Prioritization: Who Reads What?

To operationalize this reading list, one must segment the audience. The volume of text is too high for a single individual to master in its entirety; a division of labor is required.

For Beginners and General Management

The goal for this group is conceptual literacy and strategic risk assessment. They do not need to parse the technical minutiae of ISO standards, but they must understand the “risk-based approach” and the prohibited practices.

Priority Reading List:

  1. The AI Act (Full Text): Focus on Titles I (Prohibited AI) and Title IV (Transparency Obligations for General Purpose AI). Understanding the “black list” and “transparency” obligations is the baseline for any business strategy.
  2. The European Commission’s “Summary of the AI Act”: An official, high-level overview that helps in communicating the regulatory landscape to stakeholders.
  3. The Ethics Guidelines for Trustworthy AI: To understand the “why” behind the regulation and to align corporate values with regulatory requirements.

Instruction: Beginners should avoid reading the full text of the GDPR or technical standards initially. Instead, they should focus on summaries and impact assessments provided by reputable legal firms or industry associations.

For Compliance Leads and Legal Counsel

This group requires normative literacy. They must understand the precise legal triggers and the hierarchy of legal sources. They need to distinguish between “shall” (mandatory) and “should” (recommended).

Priority Reading List:

  1. The AI Act (Full Text): A line-by-line reading is required, focusing on the definitions in Article 3 and the obligations in Articles 8–15. Special attention to the Annexes which list high-risk use cases.
  2. The GDPR (Articles 22, 35, and Recital 71): Specifically regarding Data Protection Impact Assessments (DPIAs) for high-risk AI systems.
  3. The Product Liability Directive (Modernized): Understanding the new rules on non-material damage (e.g., discrimination) and the shifting burden of proof.
  4. National Implementation Acts: To identify the specific competent authorities and the calculation of fines in each jurisdiction of operation.

For AI Engineers and Data Scientists

This group requires technical literacy regarding legal constraints. They need to translate legal requirements into code, data pipelines, and model architectures.

Priority Reading List:

  1. Harmonised Standards (Drafts/Final): Specifically ISO/IEC 42001 (Management Systems) and ISO/IEC 23894 (Risk Management). These provide the checklist for technical implementation.
  2. ETSI Technical Specifications on Data Quality: To understand the requirements for training, validation, and testing data sets (relevant for bias mitigation).
  3. The AI Act (Annex IV – Technical Documentation): This lists exactly what technical details must be logged and retrievable. Engineers must design systems to meet these logging requirements by default.
  4. Guidelines on Explainability (from EDPB or NIST): While the AI Act mandates “interpretability,” the technical methods for achieving this (e.g., SHAP, LIME) are defined in research and guidance documents, not the law itself.

Monitoring the Evolution: The “Living” Regulatory Framework

The EU AI regulatory framework is not static. The reading habits of professionals must adapt to the “delegated acts” and “implementing acts” that the Commission will issue.

Delegated Acts: These will update the list of high-risk systems (Annex III) and the list of prohibited practices. Professionals must monitor the Official Journal of the European Union for these updates.

Implementing Acts: These will establish detailed rules for the notification of conformity assessment bodies and the format of the EU declaration of conformity. These are highly technical documents that dictate the administrative procedures of compliance.

Standardization Requests: The Commission will issue requests to CEN-CENELEC to draft specific harmonised standards. Monitoring the work programs of these bodies provides early insight into the future technical requirements for AI systems.

Recommended External Commentary and Analysis

While primary sources are paramount, secondary analysis from reputable institutions is necessary to interpret the intent and future direction of the law. Professionals should curate a list of trusted sources to supplement their reading of legal texts.

  • The Alan Turing Institute: Provides excellent technical and policy analysis on AI safety and regulation.
  • Stanford Institute for Human-Centered AI (HAI): Offers global perspectives on EU regulation compared to other jurisdictions.
  • European Digital Rights (EDRi): Offers a civil society perspective on the implications of the AI Act for fundamental rights.
  • Specialized Legal Blogs: Look for blogs run by major law firms that specialize in EU tech regulation (e.g., the “Kluwer Copyright Blog” or “Tech & Sourcing” blogs). These often break down complex legal changes into practical steps.

Conclusion: Building a Curated Knowledge Base

The sheer volume of text associated with EU AI regulation can be overwhelming. However, a structured approach transforms this volume into a manageable knowledge base. By distinguishing between the legal mandate (The AI Act, GDPR), the technical implementation (Harmonised Standards, ISO), and the interpretative guidance (Commission Guidelines, EDPB Opinions), professionals can allocate their reading time effectively.

For the beginner, the focus remains on the “what” and “why” of the AI Act. For the compliance lead, the focus is on the “how” of legal application and national enforcement. For the engineer, the focus is on the “how” of technical realization. By maintaining a disciplined reading list drawn from these authoritative sources, organizations can move beyond mere compliance to achieve genuine operational resilience in the European AI market.

Table of Contents
Go to Top