The EU AI Act is the world's first comprehensive legal framework for artificial intelligence. It applies a risk-based approach: AI systems are classified by risk level (unacceptable, high, limited, and minimal risk) and the compliance obligations increase with the risk level. High-risk AI systems — which include AI used in recruitment, credit decisions, educational assessment, and medical devices — are subject to extensive requirements including conformity assessments, technical documentation, human oversight, and registration in an EU database. General-purpose AI models (such as large language models) are subject to transparency obligations and, for the most powerful models, systemic risk assessments.
Deploying AI systems that process personal data raises significant GDPR compliance questions. Automated decision-making that produces legal or similarly significant effects on individuals requires a specific legal basis and gives individuals the right to request human review of the decision (Article 22 GDPR). Training AI models on personal data requires a legal basis. Using AI tools provided by third parties that process personal data requires data processing agreements. A Data Protection Impact Assessment (DPIA) is likely required for AI systems involving systematic processing at scale.
AI-generated content raises complex questions about copyright ownership and the permissibility of training data. Under current German copyright law, a work requires a human author — purely AI-generated content is not protected by copyright. However, the human creative choices made in prompting and refining AI outputs may attract protection. The use of copyright-protected works to train AI models is a contested area: some rights holders argue this requires a license; the EU AI Act requires providers of general-purpose AI models to disclose their training data and make reasonable efforts to comply with copyright law.
AI liability is an evolving area of law. The EU AI Liability Directive (proposed) would introduce a rebuttable presumption of causation for high-risk AI systems where fault is established, facilitating damages claims for victims of AI-caused harm. The EU Product Liability Directive (revised) treats software (including AI) as a 'product', making manufacturers liable without fault for damage caused by defective AI products. Companies developing or deploying AI must assess these liability exposures and manage them through appropriate contractual arrangements, insurance, and technical risk mitigation measures.
The EU AI Act applies to providers of AI systems placed on the EU market, deployers of AI systems used in the EU, importers and distributors of AI systems, and product manufacturers incorporating AI systems. It applies regardless of where the provider is based, provided the AI system's output is used in the EU. SMEs deploying AI are generally subject to the obligations applicable to deployers rather than providers, which are less extensive.
High-risk AI systems are those in the categories listed in Annex III of the AI Act, including: AI used as safety components of products covered by EU product safety legislation, AI in biometric identification, AI for critical infrastructure management, AI in education and training (for assessing learners), AI for employment and workers management (including recruitment), AI for access to essential services (credit scoring), AI in law enforcement, migration management, and administration of justice. High-risk AI is subject to extensive obligations including conformity assessment, technical documentation, and registration.
Under current German copyright law, purely AI-generated content is not protected by copyright because copyright requires a human author. However, the precise boundary is contested: the creative choices made by a human in formulating prompts, selecting outputs, and editing AI-generated content may attract copyright protection proportionate to the human creative contribution. The legal landscape is evolving rapidly, and court decisions in Germany and across the EU are beginning to address these questions.
The EU AI Act requires operators of AI systems that interact with people to disclose that the person is interacting with an AI, unless the context makes this obvious. For AI-generated content (deepfakes, synthetic media, AI-generated text in public communications), machine-readable disclosure is required. Some professional regulatory frameworks (legal, medical) also impose disclosure obligations when AI tools are used in client-facing contexts. The scope of disclosure obligations is expanding and should be monitored closely.
Yes, the EU AI Act includes labeling requirements for certain AI systems. Generative AI systems must label their outputs so that they are identifiable as artificially generated or manipulated. This can be achieved through watermarks, metadata, or other technical measures. The labeling obligation promotes transparency and protects users from deception. Non-compliance with labeling requirements can be penalized as an administrative offense. Companies should ensure that their AI-generated content is appropriately labeled, particularly when used commercially.