AI Concepts Everyone Should Understand
In the current technological and legal landscape of the European Union, the term “Artificial Intelligence” serves as both a descriptor of capability and a trigger for legal obligation. For professionals operating within regulated sectors—ranging from medical device manufacturing to financial services and critical infrastructure—the ability to distinguish between marketing vernacular and technical reality is no longer a matter of academic interest. It is a prerequisite for compliance. The European Union’s Artificial Intelligence Act (AI Act) establishes a legal framework based not on the abstract philosophy of intelligence, but on specific technical characteristics and the resulting risk to fundamental rights. To navigate this terrain, one must possess a granular understanding of the foundational concepts that define modern AI systems. These concepts determine whether a system falls within the scope of the regulation, which risk category applies, and what technical and governance measures are required to place it on the market lawfully.
The Legal Definition of an AI System
Understanding the regulatory perimeter begins with the definition of an “AI system” as codified in Article 3 of the AI Act. This definition is the pivot point for all subsequent legal analysis. It is distinct from broader, colloquial uses of the term “AI” and is designed to capture specific approaches to data processing. The Act defines an AI system as:
“a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.”
Breaking this down for the practitioner, four key elements emerge that distinguish an AI system from traditional software:
1. Autonomy
The system must operate with “varying levels of autonomy.” This implies that the system exhibits some degree of self-direction, meaning that human intervention is not required for every specific action or decision. While traditional automation follows strictly pre-defined rules (“if X, then Y”), AI systems utilize learned patterns to execute tasks with a degree of independence.
2. Adaptiveness
The system may “exhibit adaptiveness after deployment.” This is a critical differentiator. A static software tool that performs a fixed calculation does not fall under the AI Act. The Act targets systems that can modify their behavior or performance based on new data or experiences gained after they have been placed on the market. This points directly to machine learning models that continue to learn or are fine-tuned post-deployment.
3. Inference
The core activity of an AI system is the act of “inferring” from inputs to generate outputs. The Act explicitly defines “inference” as the process of deriving outputs, such as predictions, content, recommendations, or decisions, from inputs. This definition is technology-agnostic; it covers everything from a neural network analyzing medical images to a logic-based system calculating creditworthiness, provided the derivation of the output is not solely based on fixed human-programmed rules.
4. Influence on Environments
The system must be capable of influencing physical or virtual environments. This element ensures that the regulation focuses on systems with tangible consequences. A purely analytical tool that generates a report for a human to read, with no automated connection to an action, might be considered lower risk, but the definition is broad enough to include the generation of content that influences public opinion (virtual environment) or the control of a robotic arm (physical environment).
Machine Learning and the Nature of “Learning”
While the legal definition is broad, the technical reality underpinning the vast majority of regulated AI is Machine Learning (ML). For the regulatory audience, it is essential to understand that ML systems do not “know” facts in a database sense; they identify statistical correlations within training data. The regulatory implications of this are profound.
Supervised, Unsupervised, and Reinforcement Learning
The AI Act does not legislate specific algorithms, but the risk profile of a system often correlates with the learning method used.
- Supervised Learning: The model learns from labeled data (e.g., images tagged “cat” or “dog”). This is often viewed as more predictable, as the training data is curated to match specific targets. However, if the labels are biased, the output will be discriminatory.
- Unsupervised Learning: The model finds hidden patterns in unlabeled data (e.g., customer segmentation). This poses higher transparency risks because the logic behind the grouping is not explicitly defined by humans.
- Reinforcement Learning (RL): The model learns by trial and error within a simulated environment to maximize a reward. This is common in robotics and autonomous systems. RL systems can be highly adaptive but are notoriously difficult to verify and validate because their behavior can emerge unpredictably.
Deep Learning and Neural Networks
Deep Learning utilizes artificial neural networks with many layers (hence “deep”). These systems are the engine behind most Generative AI and advanced computer vision. Their complexity creates the “black box” phenomenon, where the specific reasoning for a specific output is obscured by billions of parameters. From a regulatory standpoint, this necessitates rigorous Explainable AI (XAI) methodologies. If a deep learning model denies a loan application, the provider must be able to explain the “main determinants” of that decision, even if the internal logic is non-linear.
Generative AI and Foundation Models
Recent advancements have introduced Generative AI and Foundation Models (or General Purpose AI – GPAI) into the regulatory lexicon. These concepts require specific attention because they alter the traditional supply chain of software development.
Generative Adversarial Networks (GANs) and Transformers
Generative AI relies on architectures like Transformers (the ‘T’ in GPT) to generate new content—text, images, code, or audio—that is statistically similar to the training data. Unlike discriminative AI (which classifies data), generative AI creates it. This capability introduces unique risks, such as the generation of disinformation, deepfakes, or non-consensual intimate imagery. The AI Act treats these risks as specific offenses, requiring mitigation measures at the model level.
Foundation Models (Article 52a)
A Foundation Model is defined as an AI model trained on broad data at scale, adaptable to a wide range of distinct tasks. These models are the substrate upon which many downstream applications are built. The AI Act imposes specific obligations on providers of these models, distinct from the obligations on providers of specific high-risk applications (like a medical device).
These obligations include:
- Systemic Risk Assessment: Evaluating whether the model poses a risk to public health, safety, fundamental rights, or society at large.
- Downstream Transparency: Ensuring that downstream developers (who integrate the model into a high-risk system) are aware of the capabilities and limitations of the foundation model.
- Copyright Compliance: Publishing a summary of the content used for training, respecting the opt-out of rightsholders.
This bifurcation—regulating the model provider and the deployer—is a novel structural approach in EU law.
Autonomy, Robotics, and Embodied AI
When AI moves from the digital realm to the physical, we encounter Robotics and Embodied AI. While the AI Act is horizontal legislation, it intersects with the Product Liability Directive and the Machinery Regulation.
Embodied vs. Disembodied AI
Disembodied AI (e.g., a chatbot) acts purely on data. Embodied AI (e.g., a surgical robot or an autonomous vehicle) acts on the physical world. The distinction is vital for risk assessment. A software error might cause data loss; a robotics error can cause physical injury. Consequently, embodied AI almost always falls into the High-Risk category under the AI Act, subjecting it to rigorous conformity assessments.
Levels of Autonomy in Robotics
Industry standards (such as those from the International Organization for Standardization – ISO) define levels of automation, often ranging from Level 0 (no automation) to Level 5 (full automation). In a regulatory context, the transition from “assisted” to “autonomous” shifts the burden of liability. In a Level 2 system (partial automation), the human operator is responsible for supervision. In a Level 4 or 5 system (high to full automation), the system is expected to handle all driving tasks without human intervention. The AI Act addresses this by requiring robust Human Oversight measures, ensuring that humans can intervene or override the system, even in highly autonomous setups.
High-Risk AI Systems: The Core Obligation
Not all AI is regulated equally. The AI Act utilizes a risk-based approach. The concept of the High-Risk AI System is the central pillar of compliance.
Annex I vs. Annex III
High-risk status arises in two ways:
- Annex I: Products that are already subject to existing EU safety legislation (e.g., medical devices, machinery, elevators, cars). If an AI component is integrated into these products, the AI itself becomes high-risk by default.
- Annex III: Specific AI applications identified as high-risk regardless of the product legislation they sit within. This includes:
  - Critical infrastructure (e.g., water, energy grids).
  - Educational and vocational training (e.g., scoring exams).
  - Employment and worker management (e.g., CV sorting software).
  - Access to essential private and public services (e.g., credit scoring, benefits eligibility).
  - Law enforcement and migration.
The “Substantial Modification” Concept
A critical operational concept is Substantial Modification. If a provider modifies an AI system after it has been placed on the market in a way that alters the intended purpose or the logic (e.g., retraining a model with new data that changes its performance characteristics), the system is considered a “new” AI system. It must undergo a new conformity assessment. This creates a continuous compliance lifecycle rather than a one-time certification event.
Conformity Assessment Procedures
Before a high-risk AI system can be deployed, it must undergo a conformity assessment. Depending on the specific risk category, this can be:
- Internal Control: The provider self-certifies compliance.
- Third-Party Assessment: Involves a Notified Body (an independent auditor authorized by an EU Member State) to review the technical documentation and quality management system.
Note: For AI systems used in biometrics, law enforcement, or critical infrastructure, third-party assessment is mandatory.
Technical Documentation and Data Governance
The AI Act is not merely a legal document; it mandates specific engineering practices. Two areas require deep technical integration: documentation and data.
Technical Documentation (Annex IV)
This is the “passport” of the AI system. It must be maintained throughout the lifecycle and include:
- A general description of the system.
- Elements of the AI system and its development process (system architecture, capabilities, limitations).
- Detailed information about the monitoring, functioning, and control of the system.
- The Design of the Business Risk Management System.
- Any change to the system over time.
Crucially, this documentation must be sufficient for a Notified Body or national authority to assess compliance.
Data Governance and Training Data
For high-risk systems, the quality of the input data is a legal requirement. Article 10 mandates that training, validation, and testing data must be:
- Relevant, Representative, Free of Errors, and Complete: This is a direct attack on “garbage in, garbage out.”
- Representative of the Foreseen Context: If a system is deployed in Italy, the training data must reflect the demographic and linguistic reality of Italy, not just the US or Northern Europe.
- Free of Bias: To the best extent possible, data must be free from biases that could lead to discrimination (e.g., gender, race, age).
GDPR Intersection: The data used must be processed in compliance with the General Data Protection Regulation (GDPR). If personal data is used to train a model, the legal basis for processing must be established, and data subject rights (such as the right to be forgotten) must be technically feasible to implement.
Transparency and Explainability (XAI)
Transparency is a dual concept in the AI Act: it refers to both the technical explainability of the model and the communicative obligation to the user.
Explainability (Article 13)
For high-risk systems, the provider must ensure that the system is sufficiently transparent to facilitate understanding by the deployer. This does not necessarily mean revealing proprietary source code. It means providing:
- The “logic” of the system.
- The “main determinants” of a decision.
- The “capabilities and limitations” of the system.
Technically, this often requires implementing Post-Hoc Explainability techniques (like SHAP or LIME values) that quantify the contribution of each input feature to the final output.
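An added illustration, not part of the original text: exact Shapley attributions for a hypothetical loan-scoring function, computed by enumerating feature coalitions against a single reference applicant (a simplification of what the SHAP library estimates over a background dataset). The model, feature names and all values are constructed for the example.

```python
from itertools import combinations
from math import factorial

def score(a):
    """Hypothetical non-linear credit score (assumption, not a real model)."""
    s = 0.5 - 0.8 * a["debt_ratio"] + 0.004 * (a["income_k"] - 40)
    s -= 0.05 * a["missed_payments"]
    # Interaction: missed payments are penalised more when debt is already high.
    if a["missed_payments"] > 0 and a["debt_ratio"] > 0.4:
        s -= 0.3
    return s

def shapley(model, x, baseline):
    """Exact Shapley value of each feature for moving baseline -> x."""
    feats = list(x)
    n = len(feats)
    phi = {}
    for f in feats:
        others = [g for g in feats if g != f]
        total = 0.0
        for k in range(n):
            # Weight of a coalition of size k that does not contain f.
            w = factorial(k) * factorial(n - k - 1) / factorial(n)
            for coalition in combinations(others, k):
                without = {g: x[g] if g in coalition else baseline[g] for g in feats}
                with_f = {**without, f: x[f]}
                total += w * (model(with_f) - model(without))
        phi[f] = total
    return phi

def main_determinants(phi, top=2):
    """Feature names ranked by absolute contribution to the decision."""
    return sorted(phi, key=lambda f: abs(phi[f]), reverse=True)[:top]

# Constructed sample data: a reference applicant and a declined applicant.
BASELINE = {"income_k": 40, "debt_ratio": 0.30, "missed_payments": 0}
APPLICANT = {"income_k": 35, "debt_ratio": 0.55, "missed_payments": 2}

if __name__ == "__main__":
    phi = shapley(score, APPLICANT, BASELINE)
    for name in main_determinants(phi, top=3):
        print(f"{name:16s} {phi[name]:+.3f}")
    print("score change:", round(score(APPLICANT) - score(BASELINE), 3))
```

The contributions sum to the difference between the applicant's score and the reference score, so a reviewer can check that the attribution accounts for the whole decision; the interaction penalty is split evenly between the two features that jointly trigger it.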
Article 52: Transparency for Specific Systems
For certain non-high-risk systems, specific transparency obligations apply to the deployer (the user):
- Deepfakes: Disclosure that content is artificially generated or manipulated.
- Emotion Recognition/Biometric Categorization: Informing persons exposed to the system.
- Chatbots: Disclosure that the user is interacting with a machine.
Failure to provide these disclosures constitutes a violation of the regulation, even if the AI system itself is safe.
Human Oversight and the “Kill Switch”
The concept of Human Oversight (Article 14) is designed to prevent or minimize risks to health, safety, or fundamental rights. It is not merely a passive requirement; it is an active design constraint.
Meaningful Human Oversight
The AI Act specifies that oversight must be “meaningful.” This means the human overseer must have the competence, training, and authority to:
- Correctly understand the capacities and limitations of the AI system.
- Be aware of the circumstances in which the system may fail or produce errors.
- Interpret the system’s output and decide, with human judgment, whether to use it or override it.
Systems that are fully autonomous and do not allow for human intervention (or where human intervention is technically impossible due to speed, e.g., in high-frequency trading or anti-missile systems) require extremely rigorous pre-deployment testing and risk analysis.
Risk Management Systems
Under Article 9, providers of high-risk AI systems must establish a Risk Management System. This is a continuous loop, not a one-time checklist. It must:
- Identify and analyze known and foreseeable risks.
- Estimate and evaluate risks that may emerge when the system is used in conjunction with other systems (systemic risks).
- Adopt appropriate and targeted risk management measures.
The risk management measures must be tested to ensure they are effective. If a risk cannot be eliminated, it must be reduced to the lowest possible level. If the residual risk remains high, the system cannot be placed on the market unless specific derogations apply.
Distinction: EU-Level vs. National Implementation
The AI Act is a Regulation, meaning it is directly applicable in all Member States without the need for national transposition. However, regulatory practice is never purely centralized.
The Role of National Competent Authorities (NCAs)
Each Member State must designate one or more NCAs to supervise the application of the rules. For example, in Germany, the Federal Ministry for Economic Affairs and Climate Action (BMWK) and the German Federal Office for Information Security (BSI) are key players. In France, the CNIL (data protection authority) and the French Ministry of Economy play roles. These authorities will conduct market surveillance, handle complaints, and can impose administrative fines.
Interaction with National Laws
While the AI Act sets the baseline, Member States can adopt specific national measures regarding the use of AI systems in the military, public security, and national security (which are largely exempt). Furthermore, national laws on liability (tort law) and data protection (GDPR implementation) remain distinct. A compliant AI system under the AI Act can still be found liable for damages under national civil law if it causes harm.
Regulatory Sandboxes
To foster innovation, the AI Act encourages Member States to establish Regulatory Sandboxes. These are controlled environments where startups and researchers can test innovative AI systems under the supervision of NCAs. While the legal framework is EU-wide, the availability and specific rules of these sandboxes vary by country. Some countries (like Spain and Finland) have been pioneers in this area, offering more mature support structures than others.
