European Union lawmakers reached a political agreement late Friday on what is being hailed as the world's first comprehensive legislation to regulate artificial intelligence (AI). The landmark law will empower the European Commission to adapt its pan-EU AI rules in response to rapid advances in the field.
Notably, lawmakers opted for the term "general purpose AI" to define the powerful models driving the current surge in generative AI tools, rather than industry jargon such as "foundation" or "frontier" models. The choice is meant to future-proof the legislation by avoiding ties to any particular technology, such as transformer-based machine learning.
“As technology evolves, we anticipate different technical approaches in AI,” a Commission representative explained. “That’s why a broader term was preferred. Foundation models are indeed a subset of general purpose AI models, which are versatile and can be integrated into complex systems. For example, GPT-4 serves as a general purpose AI model, while ChatGPT—where GPT-4 is embedded—acts as a general purpose AI system.”
As reported earlier, the bloc's co-legislators have agreed a two-tier system for regulating general purpose AIs (GPAIs), with low-risk and high-risk categories. The framework directly applies to the models powering the current wave of generative AI applications, such as OpenAI’s ChatGPT. The stricter high-risk rules kick in at an initial threshold specified in the law.
The draft of the EU AI Act sets the threshold for classifying a GPAI as having “high impact capabilities” at 10^25 floating point operations (FLOPs). During a technical briefing today, the Commission clarified that this figure is merely an “initial threshold” and confirmed that it has the authority to adjust the criterion over time through implementing acts.
Why set the benchmark at 10^25 FLOPs for GPAIs? The Commission said the metric is designed to capture the current generation of frontier models. However, it noted that during the lengthy trilogue negotiations lawmakers did not specifically discuss whether the threshold would apply to existing models such as OpenAI’s GPT-4 or Google's Gemini.
A Commission official stated that it would ultimately be the responsibility of GPAI developers to self-assess whether their models meet the FLOPs benchmark, thereby determining if they fall into the category of “high-risk” GPAIs.
“There are no official benchmarks that confirm which models, including ChatGPT or Gemini, meet the FLOPs criteria,” the official noted. “We have chosen a number that should capture the frontier models available today. Ultimately, companies will need to evaluate their own computational capabilities based on the information available to them. Scientific literature suggests that these figures align with the most advanced models currently in use.”
“The regulations were not tailored to benefit specific companies,” they emphasized. “Instead, they focus on defining the threshold that may evolve with technological advancements, possibly increasing or decreasing over time, depending on new benchmarks established in the future.”
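To make that self-assessment concrete, here is a minimal sketch of the arithmetic a developer might run, assuming the threshold is read as cumulative training compute and using the widely cited ≈6 × parameters × training-tokens approximation for dense transformers. The constant, the method, and the example model are illustrative assumptions, not anything the Act prescribes.

```python
# Rough self-assessment against the AI Act's initial 1e25 FLOPs threshold.
# Assumes the threshold is read as cumulative training compute and uses the
# common dense-transformer approximation: FLOPs ~= 6 * parameters * tokens.
# Neither the constant nor the method comes from the Act itself.

AI_ACT_THRESHOLD_FLOPS = 1e25  # the law's initial "high impact capabilities" figure

def estimate_training_flops(num_parameters: float, num_tokens: float) -> float:
    """Approximate total training compute for a dense transformer."""
    return 6.0 * num_parameters * num_tokens

def meets_threshold(num_parameters: float, num_tokens: float) -> bool:
    """True if the estimate meets or exceeds the initial threshold."""
    return estimate_training_flops(num_parameters, num_tokens) >= AI_ACT_THRESHOLD_FLOPS

# Example: a hypothetical 500B-parameter model trained on 10T tokens.
flops = estimate_training_flops(5e11, 1e13)
print(f"Estimated training compute: {flops:.1e} FLOPs")  # 3.0e+25
print("Meets 1e25 threshold:", meets_threshold(5e11, 1e13))  # True
```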
GPAIs classified as high risk will be subject to proactive regulatory requirements to assess and mitigate systemic risks. In practice, that means companies must rigorously test model outputs to minimize potential negative impacts on public health, safety, security, and fundamental rights.
Conversely, low-risk GPAIs will face more lenient transparency obligations, including the requirement to watermark generative AI outputs. This watermarking provision was originally part of the Commission’s 2021 framework aimed at promoting transparency in AI technologies like chatbots and deepfakes but will now apply to all general purpose AI systems.
“We are mandating that watermarking for generative AI text be implemented based on the most advanced available technology,” the Commission representative elaborated. “Current techniques excel in watermarking video and audio, but we anticipate that text watermarking will improve as technology advances.”
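The Act does not specify a watermarking technique, but to illustrate how statistical text watermarking can work, here is a toy sketch of one approach from the research literature: generation is biased toward a pseudo-random "green list" of tokens seeded by the preceding token, so a detector that knows the scheme can spot the bias. All names, parameters, and the vocabulary below are illustrative assumptions.

```python
import hashlib
import random

GREEN_FRACTION = 0.5  # fraction of the vocabulary marked "green" at each step (illustrative)

def green_list(prev_token: str, vocab: list[str]) -> set[str]:
    """Derive a pseudo-random 'green' subset of the vocabulary, seeded by the previous token."""
    seed = int.from_bytes(hashlib.sha256(prev_token.encode()).digest()[:8], "big")
    rng = random.Random(seed)
    return set(rng.sample(vocab, int(len(vocab) * GREEN_FRACTION)))

def generate_watermarked(vocab: list[str], length: int, start: str = "tok0") -> list[str]:
    """Toy 'generator' that always samples from the green list, embedding the watermark."""
    tokens = [start]
    for _ in range(length):
        tokens.append(random.choice(sorted(green_list(tokens[-1], vocab))))
    return tokens

def green_ratio(tokens: list[str], vocab: list[str]) -> float:
    """Detector: fraction of tokens found in the green list of their predecessor.
    Watermarked text scores near 1.0; unmarked text hovers near GREEN_FRACTION."""
    hits = sum(tok in green_list(prev, vocab) for prev, tok in zip(tokens, tokens[1:]))
    return hits / max(len(tokens) - 1, 1)

vocab = [f"tok{i}" for i in range(500)]
marked = generate_watermarked(vocab, 200)
print(f"watermarked: {green_ratio(marked, vocab):.2f}")                         # ~1.00
print(f"random text: {green_ratio(random.choices(vocab, k=200), vocab):.2f}")   # ~0.50
```

Real schemes bias sampling probabilities rather than hard-restricting them, which is part of why text watermarking remains less robust than the audio and video techniques the Commission referred to.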
GPAI developers will also need to comply with EU copyright rules, respecting existing machine-readable opt-outs from text and data mining as set out in the EU Copyright Directive. Importantly, exemptions from the AI Act’s transparency requirements for open source GPAIs do not relieve them of copyright obligations.
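As one concrete illustration of honoring a machine-readable opt-out, a training-data crawler could consult a site's robots.txt before fetching pages. This is only a sketch: the Copyright Directive does not mandate a specific protocol, the crawler name is hypothetical, and real pipelines may also need to check other signals such as the TDM Reservation Protocol.

```python
from urllib import robotparser
from urllib.parse import urlsplit

# Hypothetical crawler identity, used for illustration only.
CRAWLER_USER_AGENT = "ExampleTrainingDataBot"

def may_fetch_for_training(url: str) -> bool:
    """Return True if the site's robots.txt permits fetching this URL.
    robots.txt is one machine-readable opt-out signal; others exist."""
    parts = urlsplit(url)
    rp = robotparser.RobotFileParser()
    rp.set_url(f"{parts.scheme}://{parts.netloc}/robots.txt")
    rp.read()  # downloads and parses the site's robots.txt
    return rp.can_fetch(CRAWLER_USER_AGENT, url)

# Example: skip pages whose operators have opted out.
if may_fetch_for_training("https://example.com/articles/1"):
    pass  # fetch the page and add it to the training corpus
```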
As for the AI Office, which will be responsible for setting risk classification thresholds for GPAIs, the Commission confirmed that its budget and headcount are still to be finalized. However, internal market commissioner Thierry Breton has indicated that the EU is preparing to welcome a substantial number of new colleagues to staff the oversight body.
In response to a question about resources for the AI Office, a Commission official remarked that future decisions regarding budget and staffing will be made by the EU’s executive body. “We aim to establish a specific budget line for the Office and have the flexibility to recruit national experts from Member States, alongside contractual agents and permanent staff,” they added.
The AI Office will collaborate with a new scientific advisory panel established by the law, which will help it understand the capabilities of advanced AI models so that systemic risk can be regulated. “We see the scientific panel playing a crucial role in helping the AI Office identify any new risks that may emerge, particularly those not captured by the current FLOPs threshold,” the official stated.
While the EU is keen to communicate key aspects of the impending law, the final text is yet to be consolidated following the marathon negotiations that concluded on Friday night. The consolidated text, expected to be published in January or February, will warrant close scrutiny for any devil in the detail.
Although the full regulation won't be in force for a few years, the EU intends to push GPAIs to adhere to interim codes of practice, keeping pressure on AI developers to align early with the forthcoming rules via the EU’s AI Pact, a voluntary compliance scheme.
The complete EU AI Act is not anticipated to be operational until 2026, as the compiled final text must undergo formal approvals by Parliament and the Council, with additional time allocated for translation into Member States' languages. A phased compliance approach has been agreed upon, allowing a 24-month grace period before high-risk rules come into effect for GPAIs.
The timeline for prohibited AI use cases is expedited: bans are expected to take effect six months after the law enters into force. That could mean restrictions on certain high-risk applications, such as social scoring and Clearview AI-style facial recognition, apply as early as the second half of 2024, barring any last-minute objections from the Council or Parliament.
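For a rough sense of the phasing, here is a small sketch that projects those milestones from a hypothetical entry-into-force date. The date below is purely an assumption; the actual date depends on final approval and publication.

```python
from datetime import date

def add_months(d: date, months: int) -> date:
    """Shift a date forward by whole months (safe here because day=1)."""
    total = d.month - 1 + months
    return date(d.year + total // 12, total % 12 + 1, d.day)

# Hypothetical entry-into-force date, assumed purely for illustration.
entry_into_force = date(2024, 6, 1)
print("Bans on prohibited uses apply from:", add_months(entry_into_force, 6))   # 2024-12-01
print("High-risk GPAI rules apply from:", add_months(entry_into_force, 24))     # 2026-06-01
```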