Search
Contact
Symbolbild zu AI Act
16.07.2024 | KPMG Law Insights

AI Act: The EU wants to get to grips with the risks of AI

The AI Act comes into force on August 1, 2024. It is regarded as the world’s first law to regulate artificial intelligence (AI). The AI Act divides AI into risk groups. The higher the risk of an application, the higher the requirements and obligations should be.

For many people, artificial intelligence is the great beacon of hope for the economy, healthcare and science. But there are also plenty of critics who fear the risks of AI and call for rules. With the AI Act, the EU now wants to regulate artificial intelligence for the European area and thus get the greatest risks for users under control. The EU member states approved the regulation on May 21, 2024. It was finally published in the Official Journal of the EU on July 12. The final version of the regulation differs significantly from the draft from 2021.

The idea behind the regulation: the higher the risk of an AI system, the higher the associated requirements and obligations. AI regulation is intended to increase user confidence in AI within the EU and thus also create better conditions for innovation for manufacturers and users of AI applications.

Violations can result in fines of up to 35 million euros or up to seven percent of the total global annual turnover of the previous financial year. The sanctions are thus comparable to those of the GDPR.

The AI Act is to be accompanied by an AI liability policy. And the EU Commission also wants to update the Product Liability Directive. The goal: To close liability gaps in the use of AI systems and to address evidentiary difficulties in the event of legal violations in connection with artificial intelligence.

The obligations of the EU AI Act affect manufacturers, suppliers and distributors of AI systems, product manufacturers who incorporate AI systems into their products, and users of AI systems, i.e. virtually every company.

AI with an “unacceptable” level of risk prohibited by the AI Act

The AI Act divides artificial intelligence into three risk classes: “unacceptable,” “high,” and “low/minimal.”

Placing on the market, putting into service, or using AI systems that pose an unacceptable risk is prohibited. These include, in particular, those AI systems that are designed to subliminally adversely influence human behavior. AI that serves to exploit the weaknesses of vulnerable individuals is also unacceptable and thus prohibited. Also prohibited is the use of AI systems by public authorities to assess or classify the trustworthiness of natural persons (“social scoring”). AI systems may likewise not in principle be used for real-time biometric remote identification of natural persons in publicly accessible spaces for law enforcement purposes.

For AI systems with risk class “high”, special requirements apply

AI systems that pose a high risk to the health and safety or fundamental rights of natural persons are referred to as “high-risk AI systems.” These include, for example, human dignity, respect for private and family life, protection of personal data, freedom of expression and information, and freedom of assembly and association.

The AI Act imposes stringent requirements on the design and use of high-risk AI systems, for example, in terms of the quality of the data basis, security, functionality, and also human documentation and oversight, as well as quality and risk management.

Conformity with the AI Act should be made visible with a CE marking.

Lower requirements for systems with “low/minimal” risk class

Unless AI systems are unacceptable and also classified as high-risk AI systems, they fall into the third category. They are then subject to less stringent requirements. However, providers of such systems should still establish codes of conduct and be encouraged to voluntarily apply the regulations for high-risk AI systems. In addition, the EU AI Act requires that even low-risk AI systems must be safe if they are placed on the market or put into service. Security can be ensured in particular by voluntarily observing the regulations for high-risk AI systems.

New regulations for General Purpose AI Models (GPAI)

The AI Act also contains specific regulations for AI models with a general purpose, also known as general purpose AI (GPAI). These AI models can serve different purposes and act as an independent system or as an integrative component of other systems. In principle, they represent AI systems with limited risk and are therefore subject to the transparency obligations under Art. 52. However, the category of “GPAI models with systemic risk” was also introduced in the new Art. 52a. This includes GPAI models with a “high potential impact”. The potential impact is high if the model’s capabilities match or exceed those of the most advanced EPAI models. This should be determined using benchmarks or on the basis of findings by the EU Commission. If the computational effort for the training, measured in “floating point operations”, exceeds 10^25, it is presumed. There are some obligations for GPAI models, for example: the provision of technical documentation and instructions for use, compliance with copyright and the summary of the content used for the training. For GPAI models with systemic risk, there are additional obligations regarding risk management and ensuring cyber security.

When does the AI Act apply?

The application of the provisions of the AI Act is staggered over time: Regulations on prohibited AI apply after six months, certain regulations for high-risk AI and GPAI after one year and the remaining regulations apply two years after entry into force. For AI systems that are subject to a regulation listed in Annex II of the AI Act, an implementation period of 36 months is currently envisaged.

With AI governance, companies can hedge risks

Organizations should actively evaluate each application and incorporate it into a governance structure.

All AI-based solutions should also be considered. Use cases and the associated risks should be known to companies. Manufacturers of an end product must comply with the vendor obligations set forth in the AI Act and ensure that the AI system embedded in the end product is compliant. Risks also include the liability risk arising from the AI Act.

When building AI governance, the key is who is responsible for grading the risks. To make the assessment as objective as possible, the team should be interdisciplinary.

How AI risk management can succeed

Companies should establish guidelines, processes and monitoring solutions for effective risk management. Various institutions and organizations such as BSI, IDW or DIN are already developing standards for this.

It is advisable not to separate compliance and performance. Management and IT should therefore work closely with the legal and compliance functions. Only if it is ensured that legal regulations are complied with and liability risks are minimized can the potential of artificial intelligence actually be exploited.

Now that the AI Act has been finally passed, companies should start assessing the risks and establish appropriate governance.

Learn more about “AI risks at a glance”: Our whitepaper provides recommendations for AI governance that ensures responsible use of the new technology. Download now.

Authors:
KPMG AG Wirtschaftsprüfungsgesellschaft: Dr. Justus H. Marquardt, Oleg Brodski
KPMG Law Rechtsanwaltsgesellschaft mbH: Francois Heynike

 

Explore #more

29.06.2026 | KPMG Law Insights

Embedding Digital Sovereignty in the Enterprise – Legal Requirements for IT Systems

Digital sovereignty is an important strategic success factor, and many measures are also required by law. Through legislation such as the Data Act, NIS-2, the…

26.06.2026 | KPMG Law Insights

New Packaging Implementation Act tightens obligations for companies

  Co-author: Séverine Sieprath, Director of Audit, KPMG AG Wirtschaftsprüfungsgesellschaft   The Packaging Implementation Act (VerpackDG), which…

25.06.2026 | In the media

KPMG Law Interview in fvw I Traveltalk: Upcoming EU Package Travel Directive — “For the industry, the real work is just beginning”

After more than two and a half years, the legislative process, including publication, was recently completed. Now the deadline for tour operators and travel agencies…

24.06.2026 | Deal Notifications

KPMG Law advised the shareholders of Zimmermann PV-Steel Group on the sale to Nextpower

KPMG Law Rechtsanwaltsgesellschaft mbH (KPMG Law) advised the shareholders of Zimmermann PV-Steel Group (Zimmermann) on the sale of the company to Nextpower™ (Nasdaq: NXT), a…

23.06.2026 | KPMG Law Insights

Germany is modernizing its arbitration law

On June 10, 2026, the Federal Government presented a draft of the “Act on the Modernization of Arbitration Law.” Its aim is to adapt the…

18.06.2026 | In the media

KPMG Law Guest Article in *Innovative Administration*: Protection in Turbulent Times

Board members of municipal enterprises face personal, unlimited liability, which is further exacerbated by the unique characteristics of the public sector. D&O insurance protects their…

18.06.2026 | In the media

Handelsblatt and Best Lawyers Honor KPMG Law Experts

Best Lawyers has once again identified Germany’s top business lawyers for 2026, exclusively for the Handelsblatt. A total of 31 lawyers from KPMG Law and…

15.06.2026 | KPMG Law Insights

Higher Fees for Designers Due to Cost Increases? What Clients Need to Know

More and more often, architects and engineers are sending additional invoices to their clients. “The project is dragging on, construction costs are rising, and

12.06.2026 | KPMG Law Insights

12th Amendment to the German Act Against Restraints of Competition: What’s Changing for Transactions, Public Procurement, and Certain Industries

The planned 12th amendment to the German Act Against Restraints of Competition (GWB) is expected to bring several significant changes for businesses, including higher thresholds…

09.06.2026 | KPMG Law Insights

Implementation of the Pay Transparency Directive: what the expert commission recommends

The EU Pay Transparency Directive has been in force since June 2023 and should have been transposed into German…

Contact

Francois Heynike, LL.M. (Stellenbosch)

Partner
Head of Technology Law

THE SQUAIRE Am Flughafen
60549 Frankfurt am Main

Tel.: +49-69-951195770
fheynike@kpmg-law.com

© 2026 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll