Search
Contact
Symbolbild zu AI Act
16.07.2024 | KPMG Law Insights

The AI Act is coming: EU wants to get a grip on AI risks

For many people, artificial intelligence (AI) is the great hope for business, healthcare and science. But there are also plenty of critics who fear the risks of AI and call for rules. With the AI Act, the EU Commission now wants to regulate artificial intelligence for the European region and thus get the greatest risks for users under control. The EU Parliament has already approved the Commission’s draft. The law is scheduled to take effect in 2024.

The idea is that the higher the risk of an AI system, the higher the associated requirements and obligations. AI regulation is intended to increase user confidence in AI within the EU and thus also create better conditions for innovation for manufacturers and users of AI applications.

Violations can result in fines of up to 30 million euros or up to six percent of total annual global sales for the previous fiscal year. The sanctions are thus comparable to those of the GDPR.

The AI Act is to be accompanied by an AI liability policy. And the EU Commission also wants to update the Product Liability Directive. The goal: To close liability gaps in the use of AI systems and to address evidentiary difficulties in the event of legal violations in connection with artificial intelligence.

The obligations of the EU AI Act affect manufacturers, suppliers and distributors of AI systems, product manufacturers who incorporate AI systems into their products, and users of AI systems, i.e. virtually every company.

AI with an “unacceptable” level of risk prohibited by the AI Act

The AI Act divides artificial intelligence into three risk classes: “unacceptable,” “high,” and “low/minimal.”

Placing on the market, putting into service, or using AI systems that pose an unacceptable risk is prohibited. These include, in particular, those AI systems that are designed to subliminally adversely influence human behavior. AI that serves to exploit the weaknesses of vulnerable individuals is also unacceptable and thus prohibited. Also prohibited is the use of AI systems by public authorities to assess or classify the trustworthiness of natural persons (“social scoring”). AI systems may likewise not in principle be used for real-time biometric remote identification of natural persons in publicly accessible spaces for law enforcement purposes.

For AI systems with risk class “high”, special requirements apply

AI systems that pose a high risk to the health and safety or fundamental rights of natural persons are referred to as “high-risk AI systems.” These include, for example, human dignity, respect for private and family life, protection of personal data, freedom of expression and information, and freedom of assembly and association.

The AI Act imposes stringent requirements on the design and use of high-risk AI systems, for example, in terms of the quality of the data basis, security, functionality, and also human documentation and oversight, as well as quality and risk management.

Conformity with the AI Act should be made visible with a CE marking.

Lower requirements for systems with “low/minimal” risk class

Unless AI systems are unacceptable and also classified as high-risk AI systems, they fall into the third category. They are then subject to less stringent requirements. However, providers of such systems should still establish codes of conduct and be encouraged to voluntarily apply the regulations for high-risk AI systems. In addition, the EU AI Act requires that even low-risk AI systems must be safe if they are placed on the market or put into service. Security can be ensured in particular by voluntarily observing the regulations for high-risk AI systems.

With AI governance, companies can hedge risks

Organizations should actively evaluate each application and incorporate it into a governance structure.

All AI-based solutions should also be considered. Use cases and the associated risks should be known to companies. Manufacturers of an end product must comply with the vendor obligations set forth in the AI Act and ensure that the AI system embedded in the end product is compliant. Risks also include the liability risk arising from the AI Act.

When building AI governance, the key is who is responsible for grading the risks. To make the assessment as objective as possible, the team should be interdisciplinary.

How AI risk management can succeed

For effective risk management, companies should establish guidelines, processes and monitoring solutions. Various institutions and organizations such as BSI, IDW or DIN are already developing standards for this.

It is advisable not to separate compliance and performance. Management and IT should therefore work closely with the legal and compliance functions. Only if it is ensured that legal regulations are complied with and liability risks are minimized can the potential of artificial intelligence actually be exploited.

Even though the AI Act has not yet been finalized, companies can already start assessing risks and establishing appropriate governance.

Learn more about “AI risks at a glance”: Our whitepaper provides recommendations for AI governance that ensures responsible use of the new technology. Download now.

Authors:
KPMG AG Wirtschaftsprüfungsgesellschaft: Dr. Justus H. Marquardt, Oleg Brodski
KPMG Law Rechtsanwaltsgesellschaft mbH: Francois Heynike

Explore #more

25.09.2025 | KPMG Law Insights

MaGo update – roadmap for implementing the new requirements

On 14 July 2025, BaFin revised the circular “Minimum requirements for the business organization of insurance companies under Solvency II” (MaGo for SII-VU) and published…

25.09.2025 | KPMG Law Insights

Foundation register – launch to be postponed from 2026 to 2028

The reform of foundation law, which came into force in July 2023, created a nationwide foundation register based on the commercial register. This was actually

24.09.2025 | In the media

KPMG Law Statement in In-house Counsel: Leveraging potential

The role of the legal department in the company has changed significantly in recent years. Its importance is high. However, it is also increasingly becoming…

24.09.2025 | In the media

Article by KPMG Law in CCZ: The guide for compliance management systems in small and medium-sized enterprises

Compliance in SMEs is challenging: the legal responsibility for compliance is undisputed, but the specific tasks are unclear and depend on the specific situation of…

17.09.2025 | KPMG Law Insights

Circular economy: the construction sector needs a new legal framework

The construction sector is ready for the circular economy, but without a practicable legal framework, its commitment remains at a standstill. What is missing are…

15.09.2025 | KPMG Law Insights

Bundestag adopts new battery law

On September 11, 2025, the German Bundestag passed the Batterierecht-EU-Anpassungsgesetz (Battery Law Adaptation Act) to adapt German battery law to the EU Battery Regulation 2023/1542.…

15.09.2025 | In the media

Guest article in AssCompact: Embedded insurance: prospects, obligations, potentials

Embedded insurance is on the rise. Although it offers great potential for the insurance industry, it also poses challenges. KPMG Law expert Ulrich Keunecke explains…

12.09.2025 | Deal Notifications

KPMG Law advises managing partners of Deutsche Werkstätten Beteiligungs GmbH on sale to Ateliers de France

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) advised the managing partner of Deutsche Werkstätten Beteiligungs GmbH, Mr. Fritz Straub, on the sale of a majority stake…

12.09.2025 | KPMG Law Insights, KPMG Law Insights

Key Facts about the new draft of the “Data Act

On February 23, 2022, the EU Commission presented the new draft of the so-called Data Act, the “Regulation on harmonized rules for fair access to…

09.09.2025 | Deal Notifications

KPMG Law and Tax advise Adiuva Capital GmbH with Fact Books on the sale of KONZMANN Group

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) and KPMG AG Wirtschaftsprüfungsgesellschaft (KPMG) advised Adiuva Capital GmbH, a Hamburg-based private equity firm (Adiuva), in connection with the…

Contact

Francois Heynike, LL.M. (Stellenbosch)

Partner
Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

Tel.: +49-69-951195770
fheynike@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll